Facebook and Privacy

Stephen DeadmanFacebookGlobal Deputy Chief Privacy Officer

Enhancing Privacy Through New Business Models to Unlock the Social and Economic Value of Personal Data

YOURSTORY GOESHERE

Why I am.Background.

Lawyer.

Formerly Vodafone CPO, etc

Been at FB for 2 years now1

GDPR is one of my big priorities

I spend a fair bit of time talking with regulators and other companies naturally theres now a lot of focus on implementation.

Companies are starting to work through compliance plans

Regulators are still trying to create guidance on the GDPR. Its huge.

The same applies to FB. We already have an extensive programme.

We are in a probably unusual position in the degree of attention privacy gets within the company. [say more about what we have

Programme teamXFNPrivacy engineering100s of privacy professionals

But I want to step back from questions of compliance, and reflect upon the way personal data is changing within the economy.

Im conscious that Im speaking at a CDO conference not a legal conference, and this is why I chose this angle.

Success?

We could forsee a future in which:

- Regulators feel that companies, large and small, understand the GDPR and are complying-Consumer trust is rising and confidence around data is improving-Companies are able to operate and innovate, and have a clear and predicable set of rules to comply with-Sensational headlines are a thing of the past fines and sanctions are used sparingly

I would call tat success.

That is what I believe the EC has intended to be the result.

Failure?

But this is by no means assured. Another version of the future is this:-Regulators feel that companies are paying lip-service to the rules, and hiding behind their lawyers. Small companies in particular are largely unaware of the GDPR, let alone how to comply with it-Consumer trust continues to decline; people feel they are continuing to lose control-Companies are fearful of unpredictable regulators and opaque rules and standards, and innovation is chilled, as Europe becomes a high risk territory to launch new services-Sensational headlines continue to stoke generalised discontentSLIDE: FAILURE: I would call this failure.

So, were at a critical juncture.

Both of these versions of the future are entirely possible. Which one becomes the reality has little to do with the actual rules set out in the GDPR. Those rules are perfectly capable of delivering either of these futures. Success (or failure) is dependent on a range of other factors. I want to talk about those other factors.

Toward sustainable growth

Initial report:set context and questions for debate (Oct 2015)

Available at:https://goo.gl/w86TJl

Interim report:themes emerging from European roundtables (Dec 2015)

Available at:https://goo.gl/5gDdzP

Final report:from all 21 roundtables (Jun 2016)

Available at:https://goo.gl/DO79mA

To bring out those other factors, I want to refer to a research programme I initiated when I joined FB.

This programme was focused not on the law or how companies can comply with it, but on understanding the factors that will help to ensure we achieve the first of the two scenarios I painted, not the second.

A New Paradigm for Personal Data:Five Shifts to Drive Trust and Growth

Report, called A New Paradigm for Personal Data - Five Shifts to drive trust and growth.

The Paradigm Shift that the report refers to is referring to a shift from a trade-off environment, to a sustainable growth where innovation with personal data is not just compatible, but increasing supports and enhances the individuals empowerment and control.The 5 shifts- themes which emerged suggesting change of mindset.

These are shifts that are happening, and that need to continue and /or accelerate.

Im going to talk about 3 of these shifts this morning

From compliance to sustainable customer relationships

First shift is the shift from compliance to sustainable customer relationships.

The report highlighted how traditional thinking about data from a legal and compliance perspective has left us in a deadlock.

When CEOs hand issues of data protection to GCs, the natural reaction is to look for the least disruptive solution to the status quo. The result is that companoes apperar to DPAs like they are paying lip service to the issue. Hence, why we have a situation where little tangible progress often appears to be made.

But we have seen a change. This conference and others like it are important signals of that change.

Eevry business s a digital business, and recognises the value of data as an asset for growth and transformation.

This necessitates a different attitude in companies find a different locus for the thinking about these issues (CDO?)

Regulation needs to recognize how to encourage this shift not through prescription

To give some examples of how this manifests itself at FB, I want to talk a bit about Ad preferences.

In a simpler sense, we are treat the controls we give to our users. We do this because we need to create confidence its a business / trust issue more than a compliance issue

Likewise, our PbD process was developed within our Marketing Function, and is now run by a dedicated programmes team

I dont want to suggest that everything is perfcect at FB its not and we have work to dfo, but there are some aspects of the programme which I believe are world class and PbD is one of them.

The key ingredient is that the locus of responsibility has already shifted away from legal and compliance

From restrictive to enabling

The second shift I want to highlight relates to the way regulators regulate.

Regulation. We need to encourage truly smart regulation, which in turn encourages innovation - by being flexible and responsive to new technologies.

There is a lot of interest and debate happening right now about how tej GDPR is going to force DPAs to think differently about how tjey regulate.

Not only have their responsibilities have expanded hugely, lets just reflecdt upon the sclae of the task before them.

Data is everywhere. Every business from the mega corporation to the local plumber is processing data.

DPA have become the de facto regulators of the entire digital econom, which necessarily depends on data flows.

So, arguably, there has never existed a regulatory framework of such scale in terms of how many people it relates to, and the expectations on DPAs for how they are going to ensure the success of this framework.

This is a massive challenge. And, just like the title of our report, it will require a paradigm shift in the way Regulators regulate.

Our report identifies the need for Smart Regulation. I could spend a lot of time talking about Smart Regulation, but I think one of the central elements of Smart Regulation is that Regulators utilise forces, motives and incentives that exist or are emerging to achieve their ends.

Im going to talk about a couple of critical factors here that should shape they way Smart Regulators regulate.

Role of the individual

A key insight - Individual choice and self-determination must be at the centre of the debate about how to regulate data.

personal data is valuable to companies.personal data is increasingly valuable to society.But personal data my personal data - is of most value to me.

The key point is this - individual agency is becoming a powerful ingredient in unlocking value and building trust with innovative new services.

Over the last 15 years, technology has enabled people to do things they couldnt previously do. Now, for the first time in human history, anyone can access these tools and use data to manage their lives.

We have a choice about how we respond to this change.

This is too important a factor for Regulators to ignore. Active engaged consumers are now playing an active role in the economy. They are forcing changes in the market, and the market is reacting and responding.

Examples:

End-to-end encryption on WA.Browsers Apple, MSFT, MozillaThe growth of the privacy industrial complex THIS IS ABOUT RESTRICTING AND CONSTRAINING DATA

13

Creative HubINTRODUCING

But there is a development that is far more exciting than the privacy industrial complex.

We have been working with many startups and enterpreneurs around the world who have recognised that the empowered consumer presents an opportunity to serve them in ways that opens up value from personal data in enitely new ways, but where the central proposition is piuting peple in control.

Sheryl came to Paris a few weeks ago to announce our partnership at Station F.

Station F is Europes and Worlds biggest start up hub. It will host over a 1000 start ups. Founded by Xavier Neil, one of Frances most successful enterpreneurs.

FB taking it first physical space.

What is unique is our focus on personal data driven startups and focus on helping these emerging business models develop and succeed14

Startup GarageA dedicated mentor at FacebookOne-on-one office hoursWeekly workshopsFacebook will not be taking equity in the startupsFacebook is not providing the startups with any special access to Facebook dataAn innovative programmeAn incubator with a difference

80 desks15 startups6 monthsMulti-million Euro commitment over 3 yearsResources and facilities to support growth

Our programee is desgined aroudn their needs.15

From good intentions to good outcomes

The third shift I want to talk about is the shift from good intention to good outcomes.

We need solutions that work.

One of the biggest failures of DP legislation is that no one feels any better or safer as a result

TO CUSTOMIZE WITH A NEW PICTUREDelete the current picture, if there is one.On the Insert tab, click the Pictures button.Navigate to the image you want to use and select Insert. Resize the picture to fit the slide, as needed. Hold the Shift key and click and drag a corner.On the Home tab, click the Arrange button, then Send to Back so the photo is behind the text.Click the Reset button to reapply the Layout

The second initiative addresses the second step identified in the report to build TTC.

The problem lawyers ands regulators trying to build UX.

Weve seen so much evolution of the UI

,We use a completely different set of skills to solve human interacvtion issues. Think of how we design cars.

We need to draw upon these skills and bring them to the way people interact with their data.

TO CUSTOMIZE WITH A NEW PICTUREDelete the current picture, if there is one.On the Insert tab, click the Pictures button.Navigate to the image you want to use and select Insert. Resize the picture to fit the slide, as needed. Hold the Shift key and click and drag a corner.On the Home tab, click the Arrange button, then Send to Back so the photo is behind the text.Click the Reset button to reapply the Layout

The event in Berlin in March is a pilot.

Our ambition is to grow the concept as an independent initative that can scale and can provide solutions and insights at scale for the benefit of the entire industry.

Thank you

20