When I started to work on privacy technologies at IBM Research almost 15 years ago, virtually no-one was talking about privacy or the rights of data subjects with regard to their data. There were a few academic conferences out there focused (at least partially) on privacy, but it was a very niche domain with little interest outside of the small community working on it directly.
Even within IBM, who at the time had many tools for software and data management as well as several security solutions, it was difficult to convince various stakeholders of the importance and relevance of privacy technology, which was mostly focused on domain-specific regulations such as HIPAA[1].
Then came the game changer. In April 2016 the European General Data Protection Regulation, well known today as the GDPR[2], was adopted by the European Union Council and Parliament, to become applicable in all of the EU in May 2018. At the time, Europe was considered a trail-blazer, even overly strict in its approach to data subjects rights’ when it pertains to their privacy. Many rose up and went as far as accusing it of undermining the business model of the data economy and destroying the internet as we know it.
The countdown to May 25th 2018 in the data industry was somewhat reminiscent of the “bug 2000” scare, many fearing the implications; on one hand, the unpreparedness of many companies, especially SMEs, to this huge change, and on the other hand how it would affect the online services and applications we have all come to rely on. However, it seems that those fears were unfounded. Somehow the world went on. And today, many more countries and states are enacting similar laws and regulations: the California Consumer Protection Act (CCPA)[3], and its superseding California Privacy Rights Act (CPRA)[4], the Brazilian General Law for the Protection of Personal Data (LGPD)[5] and Canada’s Consumer Privacy Protection Act (CPPA)[6], just to name a few.
Looking at the state of privacy research today, it has gone from a niche, marginal topic to one of the most published topics in the Security space. In the world’s leading academic security conference, the IEEE Symposium on Security and Privacy, privacy-related technologies and mechanisms was the 5th most common topic of submitted papers this year, and around 13% of accepted papers. And this trend is apparent in virtually all security conferences.
Virtually all medium-large companies employ a full time Privacy Officer or Data Protection Officer (DPO), some with even whole teams at their disposal, along with many new job titles that appeared on the market, such as Privacy architects, Privacy analysts, Privacy managers and Privacy engineers.
A plurality of start-ups and small companies started to appear, like mushrooms after the rain, all claiming to provide some aspect of privacy or GDPR compliance. Moreover, even the big tech companies, including Google, Facebook, Microsoft and IBM are all now researching and developing privacy related solutions, both for internal use as well as for products, services and open source tools to be used by the larger community.
For example, Google has deployed differential privacy into many of its existing tools and applications, including Chrome, Maps and Assistant. They have also published several differential privacy open source libraries, including Differential Privacy (https://github.com/google/differential-privacy/) and TensorFlow Privacy (https://github.com/tensorflow/privacy). Microsoft, jointly with Harvard University, developed and released an open source differential privacy platform (https://github.com/opendifferentialprivacy), and IBM has released several tools and solutions for privacy and data protection in the Hybrid Cloud (https://www.ibm.com/security/privacy).
Within IBM, many teams with dozens of people across diverse geographies and business units are researching and developing privacy technology every day. Privacy has become relevant not only to health or finance data, but to many various sectors, domains and use cases. And in the data rich and driven era we are living in today, it is has become a corner stone in any data processing project that relates to individuals.
In our upcoming posts we will share more details about specific use cases and solutions to different aspects of data (and AI) privacy. Stay tuned!
Abigail Goldsteen, IBM Research – Haifa, October 2021.
[1] https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
[2] https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
[3] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
[4] https://www.caprivacy.org/annotated-cpra-text-with-ccpa-changes/
[6] https://www.justice.gc.ca/eng/csj-sjc/pl/charter-charte/c11.html