Privacy professionals must answer mission-critical questions daily. Is it OK to share data with this strategic third party? Can we deploy this new marketing feature? Can we place this function in the cloud? Can we deploy this new monitoring tool into our workforce environment? Are we required to delete this data, and if so, what does this mean? Do we need to notify regulators and individuals of this event?
Over the years, I've observed that highly successful privacy professionals focus on applying privacy law in three dimensions: (1) understanding the meaning of the privacy law by its own terms; (2) assessing the likelihood and severity of the risk associated with the privacy law; and (3) taking into account other competing, non-privacy compliance obligations.
Dimension 1: Understanding the meaning of the privacy law by its own terms
This is the dimension that virtually everyone understands and applies, although it's not particularly easy. Privacy laws are changing and developing rapidly. Legislatures are often trying to play catch-up with technology, as well as to articulate new concepts that are difficult to understand and apply in the digital age across different business models. What is a "sale" under the California Consumer Privacy Act? What does it mean to be "offering goods or services" in a way that brings a non-EU company within the territorial scope of the EU General Data Protection Regulation? When does a company qualify as a "network operator" that needs to comply with the privacy and security provisions of the China Cybersecurity Law (CCL)? Understanding the meaning of the privacy law will always remain a challenge.
Dimension 2: Assessing the likelihood and severity of the risk associated with privacy law
This is the dimension that many, but not all, apply in practice. It draws on broader enterprise risk management principles and focuses on two questions: What is the likelihood that noncompliance with the privacy law matures into a consequence? And what is the anticipated severity of that consequence?
For example, on the question of what is a "sale" under CCPA, the regulatory definition is broad, and many interpret it to cover third-party ad trackers used for advertising and retargeting on a company's website. If a company does not post a "do not sell" link and take other steps to comply with the sale provisions, what is the likelihood that this could mature into action by the California attorney general or other consequence?
The answer may depend on the industry vertical of the company and other circumstances, including steps taken to bring the trackers outside the scope of a "sale." It's also important to consider, however, that it is relatively easy for the attorney general or others to surf to the company website, apply a diagnostic tool and see in a matter of seconds which third-party ad trackers are being deployed. In terms of potential severity, the company would need to consider the potential civil penalty of up to $2,500 per violation, or $7,500 for each intentional violation, under the CCPA, as well as other consequences including adverse publicity, injunctive relief and the like.
Looking more broadly at the global picture, severity can be particularly challenging to assess under non-U.S. privacy laws, such as the significant potential penalty under the GDPR of up to 4% of annual worldwide turnover (or 20 million euros, whichever is higher), and the consequence under the CCL that noncompliance could result in suspension or revocation of a business license.
In practice, a privacy professional may find that applying this type of likelihood and severity risk analysis can be a career-saving move, especially on privacy issues that have attracted senior management attention. It changes the conversation from one in which the privacy professional is perceived as either a roadblock or a rubber stamp (neither of which is good) to one in which the privacy professional acts as a trusted advisor. It also reminds senior management that they, and not the privacy professional, own the ultimate decision on whether to accept any privacy risk.
Dimension 3: Taking account of other competing, non-privacy compliance obligations
This is the dimension where the most highly effective privacy professionals shine. They recognize that privacy laws can compete with, or even directly conflict with, other compliance responsibilities, and that a question from the business along the lines of "just tell me we do this in compliance with the law" can actually be a trick question. This is because privacy laws directly limit the collection, use, disclosure and processing of personal data about consumers, employees and other individuals, while other, non-privacy areas of compliance may actually require the collection, use, disclosure and processing of such personal data in order to demonstrate compliance.
This dynamic has played out in various contexts over the years. For example, back in the 2000s, the Sarbanes-Oxley Act established a requirement for U.S. public companies to establish an anonymous and confidential mechanism, typically a hotline, for reporting concerns about questionable accounting or auditing matters. For many months, the global business community wrestled with the apparent conflict between the duty to maintain a hotline under SOX and the EU privacy requirements under the then-applicable EC Data Protection Directive.
Ultimately, the hotline/privacy conflict was substantially resolved through guidance from EU data protection authorities on how to implement a hotline in a way that takes account of the then-applicable data protection rules (note that new interpretations are emerging under the GDPR framework). Often, these types of privacy conflicts are not so neatly "solved" through regulatory guidance (and even in this case, companies still need to deal with local variations in guidance and some open questions). In any event, there is typically a period of uncertainty before a resolution is presented from a DPA perspective.
More recently, companies have faced potential conflicts with privacy laws on employment issues about returning to work. Health and safety requirements typically point to obligations for employers to do temperature checks, ask questions about health and exposures, and possibly (subject to questions of reliability) perform more invasive medical tests to diagnose whether employees have COVID-19 and/or determine whether employees have antibodies. Privacy laws often point in the opposite direction and make it difficult to perform such tests and collect such information. The conflict is compounded because, in many jurisdictions, different regulators have responsibility for different areas of law. For instance, at one stage, Belgium's Data Protection Authority took the view that temperature checks were not permitted, whereas the Belgian labor authority considered them necessary to protect the workforce.
These types of potential privacy conflicts emerge in many compliance areas, such as in the context of internal investigations, litigation/e-discovery, trade compliance, law enforcement and regulatory disclosures, and the like. Although it is not necessary to become the expert in all compliance areas, the privacy professional needs to work collaboratively with the professionals in the other areas to understand the broad contours of how the various compliance obligations intersect and help drive toward solutions that balance these competing concerns.
At the end of the day, a highly effective privacy practitioner applies privacy law across all three dimensions discussed above. Senior management will ultimately be responsible for balancing competing interests and making decisions about privacy risks, but a privacy professional who has addressed the issues across all three dimensions will be a trusted advisor who maximizes value to the organization.