Privacy Perspectives | How your legal background may work against you


This post is sure to be controversial and raise hackles among some readers. It is not meant to disparage lawyers or even privacy professionals but rather identify a gap between them.

Many legal professionals enter the privacy profession, not as a result of personal interest in the topic, but rather through career paths that had them addressing organizational compliance with laws categorized as “privacy” or “data protection.” This isn’t a bad thing. Organizations need to comply with the complex and often contradictory laws under which they operate, and they need professionals to help them do so. And this certainly isn’t meant to belittle anyone who, upon seeing that market opportunity, pursued the profession with vigor. Unfortunately, for many it’s only “the paycheck that binds” them to the profession.

First off, one must acknowledge that privacy law is not privacy.

Privacy is a much more expansive and encompassing topic; it is about the boundary between an individual and others in society. The law does not and cannot address every instance of social interaction to define the appropriate terms of each boundary. Determination of the nature and scope of a boundary involves a complex interplay of factors: social and cultural norms, relationships, subjective beliefs, technology, and context. This is a burgeoning realization. Omer Tene recently discussed this in Privacy Perspectives as it relates to big data, when he wrote, “the law isn’t enough for balancing big data benefits against privacy and civil liberties risks.”

The law can play a role. As a snapshot of social norms, drawing upon cultural, geographic and, in some cases, contextual principles, laws can help define and specify a boundary. The law is positioned to reduce the variations in subjective beliefs between individuals and those with whom they interact. For example, HIPAA in the U.S. enacted the long-standing norm of confidentiality in the context of health care. The law clarifies, for those in the U.S., who are within its scope and what the appropriate dimensions of the relationship are between the patient and those providing health care to that patient. It provides a common framework and clarity for the participants to eliminate ambiguity or unrequited expectations.

That role, though, is limited. While the law provides clarity in some situations, it cannot be specific or detailed enough to address every instance, permutation, or nuance of context; it cannot evolve fast enough to keep up with changing social mores and technological innovation; and, if history is a guide, it cannot remain untainted or unbiased enough to properly balance competing interests.

Further, clarity in the law does not create equity. Organizations (be they commercial, governmental, or others) have an inherent power advantage over individuals. Asymmetric information, bargaining strength and rational ignorance all serve to tip the scales away from the individual. As Bruce Schneier states in his book Data and Goliath, using “data pits group-interest against self-interest, the core tension humanity has been struggling with since we came into existence.”

The law can provide a floor by which exploitation of the imbalance is not permitted, but it doesn’t achieve a balance of interests. Even standard privacy principles – such as notice, choice, consent, transparency, and even proportionality – are insufficient mechanisms to balance interests. Individuals not only don’t know, but in many circumstances, they can’t know the full extent of the risks of their disclosures or actions. They simply don’t have the time to fully investigate all possible ramifications of their decisions and make rational choices.

Personal decisions also ignore social changes. Those decisions may support what may ultimately return to affect the individual in unforeseen ways. Plus, individuals don’t have the negotiation power to enact change. Consent is often illusory. If every market player holds the same position, a consumer’s only choice is to exit the market. Hermitization is not a very palatable option for most. Even if individuals are fully informed of the risks, cognitive biases prevent rational decision-making when rewards are immediate but consequences are delayed.

Given the limited ability of the law to bring parity to parties involved, the lawyer’s role is equally constrained. A lawyer is to be a zealous advocate for their client’s interest. When an organization asks its attorney, “Is this legal?” the resulting response of “Yes,” “No,” or “It depends” is irrelevant. The problem lies in the question, for it forgoes all analysis beyond the bounds of the law.

In my discussions with many legal privacy professionals, they seem to be narrowly focused on the role of and compliance with the law. They become shackled by it, limiting their ability to see beyond it and understand the need to achieve a balance of interests. My introduction of privacy issues and concerns outside the bounds of a regulatory requirement is met with blank stares or derisive commentary. This is not to say it is reflective of all lawyers in the profession, and perhaps I’m stereotyping unnecessarily. However, I’m not the first to express this concern. To wit:

As in-house counsel, the client is the employer. Yet privacy professionals are the voice of the public. The potential for conflict is reduced when the law speaks clearly to the issue, but becomes muddy when the “right thing” is not statutorily driven. Does one’s duty to the company carry more weight than one’s duty to a data subject? Does one have a duty to a data subject if the law is silent?

A privacy professional’s investigation should not be limited to the constraints in law. They are tasked with being a zealous advocate for the proper balance between individuals and organizations. They need to be the person who has access to the totality of information, can mediate the positions of all stakeholders, and spend the time to understand the risks, benefits, rewards, and behaviors of the parties. They can perform the dispassionate analysis. They can be the “One who will bring balance to the Force.” (Gratuitous Star Wars reference included at no charge.)

For several years, Illana Westerman has been promoting the notion of privacy as trust. Essentially, trust is the belief by individuals that the organization they patronize doesn’t abuse the power differential it has to its advantage. Organizational leaders must make a conscious choice to aspire to this relationship equity.

And it’s privacy professionals who should be there to facilitate that choice.

photo credit: 3D Scales of Justice via photopin (license)

11 Comments


  • Yasmin Nissim • Jan 22, 2016
    Excellent article! Extra points for the Star Wars reference. 
    
    On many occasions I've had cause to point out the difference between what I see as being a reactive liability perspective vs. a proactive compliance perspective. The former seeks only to ensure that the most basic of legislated responsibilities are met in order to mitigate external risk. Any developments made over and above these basics are in response to potential legal liability. The driving factor is not to encourage and develop a comprehensive privacy infrastructure to benefit all parties involved, but rather to protect corporate reputation and, of course, the bottom line. This does not allow for a balanced and rounded approach to building sound privacy frameworks. 
    
    The latter, what I call proactive compliance perspective, is one that fosters and builds a comprehensive institutional privacy infrastructure that seeks to provide a more holistic approach to privacy. This approach is one that not only takes into account risk and liability, which is of course important, but seeks to enhance and keep evergreen the role of privacy in that given organization. This is an area of responsibility that needs to constantly be evaluated in order to grow and improve. As you so rightly stated, privacy law is not privacy. Ensuring that a proper balance is maintained between accounting for obligations under privacy law and fulfilling the wider responsibilities associated with privacy as a social construct is, what I feel should be the primary goal of any institution.
  • Katherine Licup • Jan 22, 2016
    I think your article is "right on."  It's one of the reasons I was excited to move to the privacy officer role from a privacy attorney role.  I would also add that even for non-lawyers, if the privacy office sits in the compliance function of a regulated institution (as mine does), it can be hard to convince stakeholders that privacy is anything more than doing what needs to be done to comply with regulatory requirements.  A bevy of laws that require technical compliance and that have not been demonstrated to increase customer trust (distributing privacy statements per GLBA or the California Online Privacy Protection Act that few consumers read, or highly complex provisions for using credit information for marketing under FCRA, for example) do not help us make the case for "compliance."  The good news is that even if you have a legal background (which actually is quite helpful if technical compliance is part of the job), if you can demonstrate that sound privacy practices -- both those required by law and those that are just the right thing to do -- can grow the business, you will usually succeed in creating a strong privacy program.
  • Roger Edwards • Jan 22, 2016
    In fact, lawyers actually make a proactive compliance approach possible.  After the privacy initiative team comes back from the executive committee meeting having been awarded $1,500,000 to pursue their $3,500,000 privacy initiative, it is typically the legal team's ability to estimate and rank a data controller's regulatory risk exposures that allows some movement to begin. Often, being faced with the overwhelming privacy compliance task while being handed insufficient funds (this never happens) results in "project paralysis" without a logical way to rank key initiatives, and when that happens . . . "Who you gonna' call!?" (only a "Ghostbusters" reference can trump a Star Wars reference)
  • Paul Rothermel • Jan 22, 2016
    As an attorney, I disagree with the notion that most attorneys look only at strict compliance with law when advising their organizations. On the contrary, I often give consideration to ethics, public relations, best practices and internal consistency (among other things) when giving legal advice. I also feel it is unfair to suggest that only the paycheck attracts lawyers to privacy practice.
    
    This piece makes a good point about ethical considerations vs. pure legal compliance that is mostly lost in the negativity it directs toward attorneys.
  • Lydia Payne-Johnson • Jan 23, 2016
    Nice article.  Based on the topic, I hoped you were looking to distinguish between legal interpretation of privacy/data protection requirements and operationalizing those requirements within our respective organizations.  Most Chief Privacy Officers' portfolios are focused on the latter.  CPOs' oversight of privacy programs requires establishing a risk-based approach to balancing the law and the business.  CPOs who are lawyers that report into Compliance or Enterprise Risk also have to manage communications to the business because our role typically is that of risk mitigation officers, not legal advisors. As such, those of us with legal backgrounds are challenged to ensure clarity around privacy compliance messaging to better help our internal business partners and senior management understand the nuances of a privacy program.  This is a facet central to the privacy professional's role that could use more healthy dialogue.
  • David Wallace • Jan 23, 2016
    A provocative title (it got me reading it!) but a balanced article nonetheless.
    
    So we may conclude no one single "role" can be defined as the definitive font of all Privacy knowledge. Privacy experts can be, but do not have to be, legal counsels, but that does not exclude anyone from being a "privacy professional". In fact I would go further to say that we are all judged by our actions, and to that extent individuals are responsible, from employees to board members, to ensure we not only comply with the letter of the law but the privacy principles embodied in the intentions and purpose of those laws. It may well be the case that you can comply with laws and regulations, but where these are yet to be developed sufficiently to cover new technological or societal developments we should continuously challenge the ethics as well as the compliance of doing, and being seen to do, the right thing (even if you have to use an institution's reputational damage as a "risk" factor). Then you have transparency and trust of all those who share their personal information that their information will be handled "appropriately". At the end of the day privacy professionals need to work together and apply the principles and not only meet the legal requirements.
  • Domenic DiLullo, Jr • Jan 23, 2016
    Excellent article and raises a lot of valid questions while also providing a balanced approach. As one who is preparing to pursue his JD, this article provides good thought and analytical perspectives to ponder.
  • K Royal • Jan 25, 2016
    I loved the article, as I believe there are attorneys who would not make good privacy officers - it calls for a different mindset in some instances, and some attorneys cannot make the transition. I was prepared to regurgitate my logic in this regard, but not only did you capture it - my thoughts are linked in here! I seriously do like how you presented this and backed it up with solid rationale. We all know attorneys who are great privacy officers, whether in an attorney role or a non-attorney role. And we all know attorneys who just don't fit this need.
  • Tim DeGeorge • Jan 27, 2016
    The author fails to appreciate the role of law in our society and is a backhanded disparagement toward attorneys.
    
    Yes, there is a bigger picture regarding the importance of privacy in society.  There are bigger goals that all privacy advocates are moving towards, such as privacy by design and the right to be forgotten.  However, the author suggests that attorneys are not needed and in fact take the wrong approach to privacy issues.
    
    The law is the foundation for which all jurisdictional power exists in order to have a privacy discussion in the first place.  Attorneys are needed to make sure that the law is written in a certain way in order to have any meaningful effect inside the borders of the U.S. and internationally.  A compliance approach by an attorney is the natural first step in making sure the law is being followed.  Without the law, corporations would be left to make up their own policy that suits their fancy.  Also, the application of the law through compliance lets us know whether we should change the law due to problems that are encountered.
    
    You don't get to the broader societal goals until the law is being followed.  Attorneys are trained to review, advise and apply the law, whether they agree with it or not.  Attorneys don't have the luxury to dance around the law as they see fit, because their law license requires them to follow the law.  Attorneys think in terms of how certain actions will be defended in court.  Understanding the lawyer's point of view might help you to understand that difference and the importance of having an attorney review privacy issues instead of a lay person.
    
    Lay people, non-lawyers, get to write and say what they want without worrying about the rules that regulate attorneys.  It doesn't mean we can't move the cause of privacy further than it already is and help society in a positive way.  It just means that attorneys play an important role.  
    
    It appears that the author does not appreciate or understand the importance that the law plays in moving the goals of Privacy forward.  Nor does he understand how important it is to have someone trained in the law to help that understanding.
  • Jaipat Jain • Jan 29, 2016
    In all new fields, one started with competing principles and notions of rights and duties.  We then made laws with a view to a civil society, a rule of law.  The area of privacy - as imploded by big data - is no different.  Some can be philosophers while others devote themselves to viewing things from the lens of law.  It seems to me that this piece fails to enrich the conversation because it begins to judge too soon.
  • Albert Raymond • Feb 10, 2016
    I'm also glad you broached this topic. Frankly, I'm surprised you were even allowed to talk about it. I have always overplayed my non-attorney background in talking about my abilities and skills as a Chief Privacy Officer. I have repeatedly sold myself as a practitioner and as someone who understands the business risk of privacy - not just the ability to translate the legal citation. I am very happy to work quite closely with my Legal friends (as I often regret not going to law school, though not as much as my poor mother does), but in my experience, that nuance is what business senior management is looking for more and more these days. It is one thing to understand what the laws say; it is quite another to operationalize it so that business still happens. Bravo on the article.