As AI, privacy engineering, and quantum computing redefine the data landscape, the complexities of compliance grow more daunting. TWIPLA's Jorge Cuevas sat down with Aaron Weller, Head of Privacy at HP, to hear how businesses can address incidental data risks, simplify privacy practices, and meet the demands of overlapping regulations.

What is shared by and about us from our use of technology can be unsettling. Our activities generate an enormous amount of data that contributes to multiple narratives about our lives, which are then compiled in larger data sets to create advertising for, target content to, and make predictions about us.

The more information companies can accrue, the more nuanced the picture they can create of an individual. One of the largest challenges to privacy from AI is the risk posed by the data we consider non-personal or incidental but can still contribute to an overall profile of a person. As a result, companies that only trigger privacy reviews when personal data elements are present are unknowingly opening themselves and their customers up to increased levels of risk.

AI excels at pattern recognition, which is a risk to deidentified, aggregated, and pseudonymized data. Even encrypted data can be at risk as technology advances. Leading companies are already implementing quantum-resistant encryption techniques to defend against the rise of quantum computing capabilities. Without robust, clearly defined, and regularly updated standards for aggregation, deidentification, and encryption, we run the risk of using data in express contravention of individuals preferences and may violate their rights. We also run the risk of being unable to accurately identify and locate personal data that has been reidentified or inadvertently associated with a person, which makes us unable to respond appropriately to access or accountability requests from individuals, or data authorities.

Incidental data can include data collected or contributed about a data subject unintentionally, by inference, accident, or from indirect sources. There are many data points that relate to an individual that are not direct or immediate identifiers, but that can be combined with known profiles or additional data sets to supply information about a person that they did not deliberately volunteer.

New technologies and tools can also create new avenues to capture incidental data, making previously deidentified data identifiable, or generating new insights from an old data set. In many cases, these new applications of data could not have been predicted by the data subjects at the time, raising questions about the legitimacy of reliance on the consent and collection process to truly reflect users' preferences over time.

Purpose limitation and a consent process that prioritizes respect for persons rights and preferences are key to mitigating these issues. Using information only for the purposes disclosed at the time of collection helps to reduce the risk of incidental information being used for unauthorized purposes and ensures that both the letter and the spirit of consent are being honored.

Information that has been deidentified or encrypted should not be used to contribute to individual profiling, regardless of whether emerging technologies present capabilities to do so. By reducing the risk of reidentification, we reduce the risks of being unable to comply with individual requests or regulatory audits.

With the increasing complexity of data collection methodologies, transparent disclosures about data use and processing are becoming commensurately complex. To ensure that you are communicating these complex concepts in ways that are approachable and understandable, there are three key steps to creating a privacy policy or notice you can follow.

2.1. Be specific

Many regional and sectoral laws require that organizations that process data be transparent in their policies about how data are collected, used, and shared. These transparency requirements can lead to a patchwork collection of policies and processes, which can be both alienating and confounding for users to decode. For example, if you have multiple data collection interfaces, schemas and processes, these processes should be clearly distinguished to avoid confusion. Trying to distill the description of what you collect to the lowest common denominator can lead to over generalized and misleading language.

Not all users will participate in every aspect of an offered service, and these users should be able to easily and quickly determine what interactions with the service will lead to each type of data collection. This will help users make informed decisions about how they interact with the services being provided.

2.2. Be consistent

Your document should be navigable and straightforward, using internal references and hyperlinks to ensure related concepts and disclosures are associated for ease of access. Using consistent language and terms can help keep concepts organized and clear.

Terms should be clearly defined upfront, and definitions should be available for reference in a linked glossary to ensure that each document can be parsed and understood at a foundational level. Using consistent language across the documents reduces confusion and prevents the conflation of related concepts or services. You should also consider the audience(s) for these documents. Communication occurs when the message is received and understood. You want your documents to be communicated, not just made available for review.

2.3. Provide tiered access to documents

Not everything needs to make the front page. Your disclosures can increase in complexity as they increase in specificity. Allowing users to access more information in a thoughtful, stepwise manner will avoid overwhelming users up front and provide a clear and specific method for accessing further information.

Organizing these documents to provide an accessible, comprehensive experience to users seeking information is not just a courtesy, it is a strategic investment in the continued transparency of your processes and, in the value of your brand.