One of the more unexpected moments in my visit last December to SAP’s headquarters in Walldorf didn’t happen during a briefing or product demo or discussion of the latest and greatest strategy: It came during a personal conversation about cybersecurity. The precipitating event was the recent revelation that the US intelligence services had hacked the cell phone of German Chancellor Angela Merkel. And this heated discussion — the first of several outraged conversations during that trip — centered on the fact that, as one of Germany’s staunchest allies, the US had acted unethically in listening in on Merkel’s private conversations.
Four months later, the Obama administration released an 85-page report, Big Data, Seizing Opportunities, Preserving Values, that was intended in part to define how the US should deal with the privacy issues that emerged from the Merkel hacking. In it was a concept — industry and government should develop a “responsible-use framework” that could govern how big data is used — that yanked me right back to my conversations about Chancellor Merkel’s cell phone.
The Meaning of “Responsible Use”
As I worked my way through the sometimes mind-numbing prose of the Big Data report, it dawned on me that “responsible use” was something that SAP could take a major leadership role in promoting. This initiative could be one that puts SAP on the world stage as more than just a technology company, and helps push its cloud initiative forward as an example to the world of how business can lead societal change.
The main issue is the distinction between the prevalent internet privacy framework of today — what the report refers to as a “notice-and-consent framework” — and responsible use. Notice and consent is effectively what you do every time you click on the “accept” button next to a user agreement: You have been notified, and have given your consent, to whatever the vendor or service provider will do with your data. This acceptance is the first step in a chain of implied consent that allows data aggregators and brokers to take your data and pretty much do whatever they please, based on the assumption that your initial consent has effectively given carte blanche to any commercial use of your data, without any requirement to seek additional consent or approval.
What the Big Data report states is that this framework is insufficient to protect individuals’ privacy and civil rights simply because individuals are “not well equipped to understand or contest consent notices” — in other words, everyone just clicks “accept” and moves on, giving a consent that is neither informed nor necessarily in the best interests of the individual.
Responsible use, on the other hand, shifts responsibility to the “entities that collect, maintain, and use data.” This, in turn, “holds data collectors and users accountable for how they manage the data and any harm it causes,” rather than just limit their responsibility to having collected an admittedly ill-informed consent.
SAP and Responsible Use
SAP is technically one of those entities that are responsible and accountable for how they manage this data. It’s important to note that the majority of its cloud business today would likely live outside of the purview of either the notice-and-consent or responsible-use frameworks — its enterprise service agreements preclude SAP from sharing its customers’ data at all, and in many ways these agreements already hold SAP responsible for how it manages its customers’ data.
SAP should seize on the notion of responsible use as a foundational element of its cloud strategy.
But SAP has serious aspirations to play a role in consumer apps and services. As its cloud and mobile business grows, the issue of what happens to the data created and used within those apps and services — whether run by SAP or by its customers and partners — falls under the recommendations proposed by the Big Data report.
SAP should seize the notion of responsible use as a foundational element of its cloud strategy, and then publicize as much as possible the idea that when it comes to enabling consumer apps and services, SAP will be a staunch proponent of this new framework. Needless to say, along the way there are many political (and possibly competitive) points to be scored.
I don’t imagine making this pledge would involve a major change in how SAP does business. As an enterprise service provider, SAP is already exceeding the spirit of responsible use with its enterprise customers. And the consumer side of its business is nascent enough that it’s hard to envision how this concept would interrupt an important revenue stream or business opportunity.
This isn’t the case when it comes to more than a few companies that SAP is or will be competing with. The most obvious example is Google, which has a framework that takes notice and consent into the realm of “irresponsible use.” Google’s business model is all about monetizing every byte it can scrape out of its customers’ data. While Google isn’t a serious competitor of SAP today, it’s hard to imagine a future in which the two companies’ business strategies don’t converge. (The potential contrast between the two vendors promises to be significant. As this column went to press, the European Court of Justice ruled against an important aspect of Google’s privacy regime.)
But the biggest boost would be in the positive publicity that endorsing responsible use would generate for SAP. It could potentially give SAP a seat at the table about an issue that is only going to get bigger in Washington, Berlin, Brussels, and virtually every other world capital.
A Leadership Role in Privacy Protection
It’s doubtful that responsible use — whether adopted by SAP or not — will fix Chancellor Merkel’s hacking problem. But geopolitics is often driven as much by symbols as it is by concrete action. The Big Data report has a point — the world desperately needs to rethink how data is used and managed in order to ensure that privacy and civil rights aren’t sacrificed for economic expediency. SAP is in a great position to take a stand on the issue that will have deep symbolic significance in all the right places, and in all the right ways.