This is a conference talk summary from the OpenMined Privacy Conference 2020

Morgan Mahlock - Investor at In-Q-Tel

Jackson Cummings - Investor at Salesforce Ventures

Austin Arensberg - Director at Okta Ventures

The data privacy and security market is becoming increasingly important for consumers and enterprises alike. According to Crunchbase, close to $10 billion was invested into privacy technology companies in 2019.

High-Level Regulatory Landscape

Europe passed the GDPR (General Data Protection Regulation) in May 2018, which governs the transfer of personal data inside and outside the European Union. It has been an important and far-reaching regulation. In terms of startup activity, Germany seems to be a hub in the privacy space, perhaps due to the many research universities in that country.

The United States of America has no overarching federal data privacy law, but it has lots of industry-specific protections like HIPAA (Health Insurance Portability and Accountability Act of 1996) for healthcare. The CCPA (California Consumer Privacy Act) enhances consumer privacy rights for residents of California and went into effect in January 2020. Similar to the EU, the USA has a ton of startup activity and is home to key researchers and key research institutions. Harvard University, the University of Pennsylvania and a few others are real innovators when it comes to data privacy.

Around the world, there is a lot going on in data protection as countries and consumers become more aware of the importance of data privacy. The Brazilian General Data Protection Law, which is very similar to GDPR, was passed in August 2018 and focuses on personal data protection. In Canada, there is strong federal legislation in the data privacy space through PIPEDA (Personal Information Protection and Electronic Documents Act), which governs how businesses handle personal information. China’s Cybersecurity Law went into effect in June 2017 and is the baseline for China's present-day guidelines.

Privacy Enhancing Technologies (PET)

Many of the startups listed above are working with one or more of these methods to develop their products and their technologies. All of these approaches suit slightly different use cases and have slightly different drawbacks and limitations. The key takeaway here is that there’s often no one good answer when it comes to privacy protection. Sometimes you’ll have to use different tools and different implementations based on what method suits your use case.

One particularly interesting real-world use case involved differential privacy measures applied to the 2020 Census data in the USA. Differential privacy mathematically guarantees that individual and household information remains confidential by injecting noise. Differential privacy allows for disclosure avoidance and prevention of further downstream calculations.
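An added illustration of noise injection, not code from the talk or from the Census Bureau: a textbook Laplace mechanism over constructed block-level counts, with a hypothetical `BudgetedCounter` that tracks how much privacy budget (epsilon) has been spent. All names and data are assumptions made for this example.

```python
import random

def laplace_noise(rng, epsilon, sensitivity=1.0):
    """Sample Laplace(0, sensitivity/epsilon) as the difference of two exponentials."""
    rate = epsilon / sensitivity
    return rng.expovariate(rate) - rng.expovariate(rate)

class BudgetedCounter:
    """Releases noisy counts and refuses queries once the epsilon budget is spent."""

    def __init__(self, records, total_epsilon, seed=None):
        self._records = list(records)
        self.remaining = total_epsilon
        # Illustration only: production systems use hardened (discrete) samplers.
        self._rng = random.Random(seed)

    def count(self, predicate, epsilon):
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if epsilon > self.remaining + 1e-9:
            raise PermissionError("privacy budget exhausted")
        self.remaining -= epsilon  # sequential composition: epsilons add up
        true_count = sum(1 for r in self._records if predicate(r))
        # Adding or removing one person changes a count by at most 1 (sensitivity 1).
        return true_count + laplace_noise(self._rng, epsilon)

# Constructed sample data: (block id, household size) per person; not real census records.
PEOPLE = [("B1", 1), ("B1", 4), ("B1", 4), ("B1", 4), ("B1", 4),
          ("B2", 2), ("B2", 2), ("B2", 3), ("B2", 3), ("B2", 3)]

def release_block_counts(total_epsilon=1.0, seed=2020):
    """Release one noisy population count per block, then attempt an over-budget query."""
    counter = BudgetedCounter(PEOPLE, total_epsilon, seed)
    per_query = total_epsilon / 2
    released = {b: counter.count(lambda r, b=b: r[0] == b, per_query)
                for b in ("B1", "B2")}
    try:
        counter.count(lambda r: r[1] == 1, 0.1)  # third query exceeds the budget
        refused = False
    except PermissionError:
        refused = True
    return released, refused, counter.remaining

if __name__ == "__main__":
    print(release_block_counts())
```

A smaller epsilon means a larger noise scale (1/epsilon for a count) and stronger protection for any single person, at the cost of less accurate released totals.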

Enterprise Applications

Enterprises now more than ever are paying attention to data privacy. The scope of current regulations is massive, making compliance imperative in order to remain in business. More than one billion people globally (28% of GDP) are now free to exercise their subject rights at no cost to them. This affects both B2C as well as B2B enterprises collecting their sensitive data.

The key trends we are seeing are that compliance is becoming more important to C-suites and that data privacy is no longer siloed within the security or IT teams inside these companies. Due to data breaches and fines, the level of importance has escalated to the entire C-suite. We are noticing that every C-level individual, including the Chief Marketing Officer and the Chief Product Officer, needs to understand the ramifications of data privacy and how it affects their organization. We do recognize that budgets have been constrained in the near term, primarily due to the current COVID-19 pandemic, but in the long term, our view is that budgets relating to data privacy will increase.

Customers are king and remain important for every business. Data breaches negatively impact enterprise-customer relationships. High-profile data breach cases like those from Equifax and Facebook are proving negatively impactful for these companies. They risk losing trust with their end customers, as well as brand appeal.

Fines from these regulations are increasing as well. Since GDPR was issued roughly 24 months ago, $180M in fines have been issued globally. Regulatory bodies are increasingly holding companies accountable, especially those that have not shown an effort to become compliant.

Privacy is going mainstream

Let’s consider the consumer drive that is happening right now and how the sentiment has changed over the last 10 years.

We start with Facebook, which was built upon the very public sharing of social media. Over time, people wanted to have additional settings to control the flow of their social media to a certain individual or group. Private messaging applications arrived alongside the advent of internet-enabled mobile devices. We start to see WhatsApp rise, which was then acquired by Facebook. This indicated a drive towards moving away from a public persona to a closed environment for sharing. Snapchat introduced ephemeral messaging, which means sending messages that can disappear after a certain amount of elapsed time.

Signal, Telegram, and Keybase started from an encryption technology standpoint and were much more enhanced in that respect than other social platforms. Zoom's recent acquisition of Keybase is symbolic of a large enterprise moving towards consumer tech as a way to innovate and improve its encryption and privacy measures for its user base. Newer companies like Planetary are building social network platforms from the ground up with privacy preservation as a core founding principle.

Future predictions

Morgan predicts that the privacy-by-design paradigm will become increasingly important and that OpenMined plays a huge role in that. Privacy tools are now available through open source, and developers continue to build privacy into their products at the start of the development lifecycle.

Jackson mentions that the privacy space is not well defined but is now a part of the enterprise tech stack, meaning that this is now a C-level decision. There are compliance imperatives leading to big budgets and big corporate governance associated with this specific space. Take a look at some of our portfolio companies: most of the companies didn't exist 10 years ago. Now these companies are raising a ton of funding, and we do feel that this is just the beginning of where data privacy is going. There is a lot of innovation to be had and a lot of corporate budgets looking to push into this space.

Austin notices there is a trend towards valuing privacy in a way that hasn’t been seen in the past. Emerging messaging platforms are using very sophisticated encryption technologies and are useful for communicating sensitive topics. Consumers are thinking about their privacy and security in ways that enterprises have traditionally done. It is really exciting! We shall watch the sophistication of the consumer grow over time.


Why VCs are Interested in Privacy Investing Now, starting at 1:10:40