Today is Data Privacy Day. Please clap.
This is an actual holiday of sorts, recognized as such in 2007 by the Council of Europe to mark the anniversary of the 1981 opening of Europe’s Convention for the Protection of Individuals With Regard to Automatic Processing of Personal Data — the grandfather of such strict European privacy rules as the General Data Protection Regulation.
In the United States, Data Privacy Day has yet to win more official acknowledgment than a few congressional resolutions. It mainly serves as an opportunity for tech companies to publish blog posts about their commitment to helping customers understand their privacy choices.
But in a parallel universe, today might feature different headlines. Consider the following possibilities.
• A major wireless carrier would announce that it would retain your cell-site location information for only a year and would let you download that information for your own use. In reality, it squirrels away this data for undisclosed years — and until last year’s Carpenter v. U.S. ruling by the Supreme Court, law enforcement investigators could view that data without a warrant.
That would show basic respect for the foundational principle of data minimization, vs. today’s data-maximization practices that often amount to “keep the information until you run out of server space.”
• An update to one of Facebook’s apps would request fewer data permissions than the last version. Mobile-app permissions constantly freak out users, and with good reason: Many of them bear only a thin relation to the app’s mission or cover tasks that a smartphone operating system already handles.
I nominate the Facebook Android app’s calendar permission, because Facebook has neglected to add the elementary feature of exporting a Facebook event into your Google calendar so you can see it on other devices. Granting that permission — which you can revoke if you already did — lets the app read your calendar but won’t help you manage your agenda any better. Why even ask for that system permission if not to add such a basic function? The rationale for that access is wafer-thin.
• Apple would back up its outspoken pro-privacy stance by announcing a version its iMessages app for Android. This release, perhaps available for a small annual fee, would let Android users benefit from the same end-to-end encryption of their text messages that iPhone users get — and because iPhone users would no longer have their texts to Android-using friends sent in the clear, their privacy would improve, too. A version for Windows would help even more.
Possible downside: even more gross poop-animoji animations going around.
• Amazon would let you turn off ad retargeting — a feature that populates ads across the rest of the Internet with pictures of things you looked for, thereby relentlessly reminding you of that one idle product search for the rest of the day and maybe also ruining plans to surprise a loved one with a gift — once across your account, not once per browser, as is the case in its current ad-preferences interface. (Amazon chief executive Jeffrey P. Bezos owns The Washington Post.)
• Google would add a tracking-prevention option to its Chrome browser to match what’s in Safari and Firefox. Letting users undercut one of Google’s key advertising tools may sound crazy, but its browser-security chief, Parisa Tabriz, tweeted last year that she didn’t want to leave their privacy challenge unmet. Google could leave tracking prevention off by default, as long as the relevant privacy setting isn’t thrown down a user-interface mine shaft.
Besides, the value of behavioral advertising may be a tad overrated. When Google chief executive Sundar Pichai testified before the House Judiciary Committee in December, he said “just the keywords you type” provide most of its search-advertising data. Earlier this month, Digiday’s Jessica Davies reported that the New York Times' ad revenue increased in Europe after it dropped behavioral targeting there.
• A reasonably large tech company that must comply with Europe’s GDPR would issue a report outlining how much it spent to comply with that extensive bundle of rules — because it’s hard to have an informed debate about privacy laws without knowing more about the cost of regulations as well as their benefits.
Unfortunately, you’re not reading this on Earth 2, and we don’t live in that privacy-sensitive marketplace. So you shouldn’t be surprised if we “celebrate” the faux-liday of Data Privacy Day by learning about yet another data breach.
Maybe it’ll be an epic-scale incident involving hundreds of millions of people, a few million passports included. Perhaps it will be a more mundane breach that exposes only names, email addresses and encrypted passwords that you please please please didn’t use elsewhere. Or it could be a boutique breach that compromises only credit cards that you can easily replace.
The one thing it won’t be is a surprise. Because unlike Data Privacy Day, data breaches happen a lot more than once a year.