This post is sure to be controversial and raise hackles among some readers. It is not meant to disparage lawyers or even privacy professionals but rather identify a gap between them.
Many legal professionals enter the privacy profession, not as a result of personal interest in the topic, but rather through career paths that had them addressing organizational compliance with laws categorized as “privacy” or “data protection.” This isn’t a bad thing. Organizations need to comply with the complex and often contradictory laws under which they operate, and they need professionals to help them do so. And this certainly isn’t meant to belittle anyone who, upon seeing that market opportunity, pursued the profession with vigor. Unfortunately, for many it’s only “the paycheck that binds” them to the profession.
First off, one must acknowledge that privacy law is not privacy.
Privacy is much more expansive and encompassing a topic; it is about the boundary between an individual and others in society. The law does not and cannot address every instance of social interaction to define the appropriate terms of each boundary. Determination of the nature and scope of a boundary involves a complex interplay of factors: social and cultural norms, relationships, subjective beliefs, technology, and context. This is a burgeoning realization. Omer Tene recently discussed this in Privacy Perspectives as it relates to big data, when he wrote, “the law isn’t enough for balancing big data benefits against privacy and civil liberties risks.”
The law can play a role. As a snapshot of social norms and drawing upon cultural, geographic, and in some cases, contextual principles, laws can help define and specify a boundary. The law is positioned to reduce the variations in subjective beliefs between individuals and those with whom they interact. By example, HIPAA in the U.S. enacted the long-standing norm of confidentiality in the context of health care. The law clarifies, for those in the U.S., who are within its scope and what the appropriate dimensions of the relationship are between the patient and those providing health care to that patient. It provides a common framework and clarity for the participants to eliminate ambiguity or unrequited expectations.
That role, though, is limited. While the law provides clarity in some situations, it cannot be specific or detailed enough to address every instance, permutation, or nuance of context; it cannot evolve fast enough to keep up with changing social mores and technological innovation; and, if history is a guide, it cannot remain untainted or unbiased enough to properly balance competing interests.
Further, clarity in the law does not create equity. Organizations (be they commercial, governmental, or others) have an inherent power advantage over individuals. Asymmetric information, bargaining strength and rational ignorance all serve to tip the scales away from the individual. As Bruce Schneier states in his book Data and Goliath, using “data pits group-interest against self-interest, the core tension humanity has been struggling with since we came into existence.”
The law can provide a floor by which exploitation of the imbalance is not permitted, but it doesn’t achieve a balance of interests. Even standard privacy principles – such as notice, choice, consent, transparency, and even proportionality – are insufficient mechanisms to balance interests. Individuals not only don’t know, but in many circumstances, they can’t know the full extent of the risks of their disclosures or actions. They simply don’t have the time to fully investigate all possible ramifications of their decisions and make rational choices.
Personal decisions also ignore social changes. Those decisions may support what may ultimately return to affect the individual in unforeseen ways. Plus, individuals don’t have the negotiation power to enact change. Consent is often illusory. If every market player holds the same position, a consumer’s only choice is to exit the market. Hermitization is not a very palatable option for most. Even if individuals are fully informed of the risks, cognitive biases prevent rational decision-making when rewards are immediate but consequences are delayed.
Given the limited ability of the law to bring parity to parties involved, the lawyer’s role is equally constrained. A lawyer is to be a zealous advocate for their client’s interest. When an organization asks its attorney, “Is this legal?” the resulting response of “Yes,” “No,” or “It depends” is irrelevant. The problem lies in the question, for it forgoes all analysis beyond the bounds of the law.
In my discussions with many legal privacy professionals, they seem to be narrowly focused on the role of and compliance with the law. They become shackled by it, limiting their ability to see beyond it and understand the need to achieve a balance of interests. My introduction of privacy issues and concerns outside the bounds of a regulatory requirement are met with blank stares or derisive commentary. This is not to say it is reflective of all lawyers in the profession, and perhaps, I’m stereotyping unnecessarily. However, I’m not the first to express this concern. To wit:
[quote]As in-house counsel, the client is the employer. Yet privacy professionals are the voice of the public. The potential for conflict is reduced when the law speaks clearly to the issue, but becomes muddy when the “right thing” is not statutorily driven. Does one’s duty to the company carry more weight than one’s duty to a data subject? Does one have a duty to a data subject if the law is silent?[/quote]
A privacy professional’s investigation should not be limited to the constraints in law. They are tasked with being a zealous advocate for the proper balance between individuals and organizations. They need to be the person who has access to the totality of information, can mediate the positions of all stakeholders, and spend the time to understand the risks, benefits, rewards, and behaviors of the parties. They can perform the dispassionate analysis. They can be the “One who will bring balance to the Force.” (Gratuitous Star Wars reference included at no charge.)
For several years, Illana Westerman has been promoting the notion of privacy as trust. Essentially, trust is the belief by individuals that the organization they patronize doesn’t abuse the power differential it has to its advantage. Organizational leaders must make a conscious choice to aspire to this relationship equity.
And it’s privacy professionals who should be there to facilitate that choice.
photo credit: 3D Scales of Justice via photopin (license)