![Default Article Featured Image_laptop-newspaper-global-article-090623[95].jpg](https://images.contentstack.io/v3/assets/bltd4dd5b2d705252bc/blt61f52659e86e1227/64ff207a8606a815d1c86182/laptop-newspaper-global-article-090623[95].jpg?width=3840&quality=75&format=pjpg&auto=webp)
Successive revolutions in information technology raise new challenges, risks, and opportunities for consumer privacy protection. Perhaps the most basic question is how these new technologies are changing the actual practices of companies in processing personal information. After all, emerging technologies can make legal regulations obsolete or out-of-date. The consequences can be ineffective regulation and a waste of corporate resources without meaningful protections for consumer privacy.
To understand the impact of new technologies on company practices and legal regulations, I researched how six leading North American companies manage their global use of personal information. This work was sponsored by the Privacy Projects, a new nonprofit organization devoted to empirical research into privacy issues.
My whitepaper, Managing Global Data Privacy, looks at companies that are developing pharmaceuticals, providing marketing, selling financial services, and offering a range of Internet-based software, technology, and online services. These companies collect and process personal information about clinical health research, customer services, consumer surveys, mortgage renewals, e-mail accounts, and global job applicants.
The resulting case studies identify three dramatic changes from the world of yesterday. The first change shown is that the scale of global data flows in the private sector has increased massively. In the recent past, an international exchange of personal information was a rare event that the law tended to regulate on a case-by-case basis. But personal information now flows around the world 24/7. The volume is staggering—one company in the study created more than five million data points in 2008. This figure represents 72 new data points every minute.
Second, the nature of this constant flow of global data is dynamic and occurs across borders. In the past, companies finalized international data transfers in advance. Personal data were sent at a single moment from one central location to another. Today, companies draw on "the cloud" to put computer resources and services on the Internet. As a result, the processing of personal data increasingly takes place simultaneously throughout a global network.
Third, the oversight of data flows at these leading companies has been professionalized with a significant investment of business resources. This development is highly promising. In the past, many corporations avoided privacy and security issues and devoted a low level of resources to them. Companies now are creating collaborative processes for privacy and security, which involve chief security officers, chief privacy officers, legal counsel, and internal management boards.
One regulatory lesson to be drawn from these studies is to question the value of the approach in certain European countries that require registrations for any data processing operation involving the personal information of citizens. Even a minor change in the location of a single server, or an alteration of a single process will require costly modifications to existing registrations in different European countries. Yet, in the age of dynamic and massive data flows carried out on “the cloud,” such changes can frequently occur. Moreover, it is far from clear that the benefit for individual privacy, if any, is equal to the cost of making companies file detailed, national-specific reports on each database that contains personal information.
