Discussing goals for policymaking, regulation, data protection and Avast's role in the digital privacy landscape
Today, I sat down with Avast’s new Chief Privacy Officer, Shane McNamee, to discuss his role and the changing nature of data protection and privacy.
Avast Blog: Thanks for joining us today, Shane. Welcome to Avast. You’re a few weeks into your tenure here — how’s it going? Tell us a bit about yourself.
Shane McNamee: Hello! Thanks. Yes, I started in October, and a few weeks into the job, I am getting a feel for where I want to go with the role and my vision for Avast’s privacy strategy. I’m a native of Ireland and a lawyer by training. My previous work has been mainly in the public sector and academia, dealing with regulation and policymaking in digital consumer protection as well as privacy and data protection.
Prior to coming to Avast, I worked at the Irish Data Protection Commission (DPC). It’s the regulator tasked with overseeing and enforcing data protection and privacy laws, like the General Data Protection Regulation (GDPR), in Ireland, and indeed for much of Europe when it comes to companies who have their main European establishment in Ireland (there are many of them; it was a busy place to be).
Before that, I worked in regulatory policy in the public sector in Ireland, and in digital consumer protection policy in the German Research Centre for Consumer Law, giving me an insight into some of the reasoning behind and limitations of lawmaking in these areas. Seeing how the legislative sausage is made, so to speak.
AB: How do you think your work in the public sector will impact your work here at Avast?
SM: From my time at the DPC, I hope to bring a regulatory perspective to the many aspects of privacy Avast deals with both internally and externally. I’ve seen the struggles that many companies face when it comes to privacy and data protection. Just look at the never-ending struggle software providers go through to design a privacy policy that is both comprehensive enough to be useful, whilst remaining clear and concise enough to be readable without inducing cluster headaches! I aim to help Avast ensure that we approach privacy in a way that respects and deserves the trust of both our users and employees.
I also hope it will give Avast a better ability to enter into those policy discussions. I’m a strong believer in the idea that you really need to (metaphorically) lock engineers, lawyers, regulators, policymakers, academics, and so on, in a room together and force them to talk if you want to land on an effective approach to privacy (or any regulation of the digital environment). The goal in joining Avast is to be a piece of that collaborative puzzle.
AB: It’s true that it really is a struggle to get this right. How do you balance all of the interests?
SM: I think it’s important to focus on the citizen — the user, the digital consumer — as the north star in any approach to privacy. This kind of approach helps us keep in mind that, to be effective, laws need to be complemented by user-respecting processes and by putting effective tools into the hands of users.
In a world of increasingly expansive and detailed protections for digital consumers, and regulation for digital products and service providers, the work of companies like Avast and the engagement of users themselves will always be key ingredients in ensuring a well-regulated, free, open, and safe digital environment. And I’m a fan of regulation — remember, I used to be a regulator — but I think it’s important to remember that no regulation will be effective in isolation.
Avast and privacy
AB: So, how do you see your role as Chief Privacy Officer in Avast?
SM: I am a consumer privacy advocate at my core, so I want to be the voice of the people who use our services and to represent their privacy interests. I want to support my colleagues across Avast in their work to make sure our own internal processes have privacy in their DNA, to design new products that both protect and enhance the privacy of our users, and to think of new ways to put information and control back into the hands of users.
I want to be the angel (or devil, depending on your perspective) on the shoulder of all Avastians asking questions like: “Could we design this differently?” “Could we achieve the same result with less personal data being processed?” “How would I, as a user, feel about this proposed change?” Or “Is there a way we can phrase this that will be clearer to users?” I want to support our Data Protection Officer (DPO), privacy compliance specialists, and privacy-minded Avastians in a variety of roles, in embedding a user-centric and privacy-by-design approach in everything Avast does.
AB: When most people hear privacy, they don’t really know that that means. When you talk about Avast’s focus, what exactly do you mean by “privacy”?
SM: There is a tendency to treat the words “data protection” and “privacy” interchangeably, but both actually have specific and separate, though related, meanings. In EU law, each is protected as a fundamental right in the EU Charter of Fundamental Rights. For legal academics and data protection nerds, like I am, there are important distinctions in Europe between the rights to privacy and data protection.
That being said, “Chief Data Protection and Privacy Officer” doesn’t exactly roll off the tongue, and having to repeatedly use both terms is likely to cause more confusion than anything, such as confusion between my role and that of our Data Protection Officer (DPO). This is particularly the case given that Avast operates worldwide and terminology can differ greatly depending on legal systems and cultures.
So, for the sake of clarity, we’ll usually use the term “privacy” as an umbrella term to cover both privacy and data protection, as well as any other relevant and related rights, whilst maintaining an approach to both that is rooted in the strong protections for these rights found in EU law, in particular the Charter of Fundamental Rights and the GDPR. Within this umbrella, we’ll include protection of users against intrusion into their personal life or affairs, as well as in relation to the collection, use, or processing of any information which relates to them where they either are identified or even could be identified.
AB: What role does Avast have to play more broadly in the protection of privacy across the digital landscape?
SM: As I mentioned above, during my time as a regulator I saw that legislation alone isn’t enough to empower users, and recognized the importance of the practical implementation and vindication of those rights found in the GDPR. Rights aren’t very helpful if you can’t figure out how to exercise them.
The GDPR itself even acknowledges throughout its text, that technical measures and tools should support the rights and goals enshrined in the law, particularly with respect to keeping data safe and secure, as well as giving users practical ways to exercise their data protection rights.
These practical tools to give users control over their online privacy can range from an antivirus program that ensures your information’s privacy by keeping it out of the hands of bad actors, to a VPN which can help obscure your browsing habits from anyone who might want to surveil them, to products more directly aimed at giving users options to avoid tracking technologies and exercise their data protection and privacy rights such as access or deletion.
Designing these kinds of tools is what Avast does best, and it’s the main role Avast has to play in making privacy impactful and effective in the digital world.