Is the often abstract scholarship of privacy academics read by privacy regulators? It would seem that regulators may not have the time or inclination to read such work, but in many respects, at least on Wednesday, it was clear the answer was yes. Squeezed into a small room in the Rayburn House Office Building in Washington, DC, a handful of privacy scholars met briefly with some of the world’s most influential privacy regulators to discuss the future of public policy and the role of the privacy regulator as part of “Privacy Papers for Policy Makers,” co-organized by the Future of Privacy Forum and Congresswoman Sheila Jackson Lee, D-TX.
The crux of the discussion focused on the work of Berkeley Law & Technology Profs. Kenneth Bamberger and Deirdre Mulligan. There was much commentary and reaction from some of Europe’s top privacy regulators, including Dutch Data Protection Authority Chairman Jacob Kohnstamm, French Data Protection Authority and newly appointed Article 29 Working Party Chairwoman Isabelle Falque-Pierrotin, as well as Assistant European Data Protection Commissioner Giovanni Buttarelli, UK Information Commissioner Christopher Graham and Mexico’s IFAI Commissioner Maria Elena Perez-Jaen Zermeno.
The scholarship of Bamberger and Mulligan—described in more detail yesterday by IAPP VP of Education and Research Omer Tene here—portends a watershed moment for privacy professionals. It argues that two emergent best practices—the rise of chief privacy officers who are integrated into the C-suite and privacy professionals embedded throughout an organization, from compliance to marketing and beyond—are a huge part of the solution, on both sides of the Atlantic, to advancing the cause of personal privacy together without harming the economic considerations of business.
Kohnstamm noted, however, that, unlike the EU, no comprehensive privacy legislation exists in the U.S. As a result, privacy regulation in the U.S. tends to be about data use, instead of data collection, which can result in function creep. Kohnstamm cited his work with Canada’s privacy regulators investigating the collection of contact information by WhatsApp. Previously, the app collected all of a user’s contact information, something Kohnstamm said amounts to excessive collection and is unlawful. To temper the data collection, a compare-and-delete solution was offered, where only the contact information of other WhatsApp users would be retained. Yet, Kohnstamm asked, with Facebook’s acquisition of WhatsApp, would that mean the contact information of all Facebook users would then be collected? This would not be under the jurisdiction of the U.S. Federal Trade Commission under Section Five, as it’s neither unfair nor deceptive, he argued.
Kohnstamm said that the legal cultures of the U.S. and EU are vastly different, as well, often resulting in stiffer financial penalties for businesses in the U.S., leading him to ask whether it might be best to find a hybrid of the best of both worlds: Europe’s comprehensive legislation with the stiff penalties of the U.S.
On the use-versus-collection debate, Bamberger said that notice and choice are simply not enough. “We need limits on use well above and beyond the FIPPs,” he said, adding that something more substantive than notice and choice is needed.
“What you say is true,” said the CNIL’s Falque-Pierrotin, “but on the other hand, your words are a bit binary.” It’s true, she noted, that people often don’t understand what is happening with their data, but on the other hand, they long for more transparency and control. People need to understand what is going on with their data in order to build a framework on which to make choices about their privacy, she said.
And with the free flow of information, she said a decentralized system for data protection authorities (DPAs) is needed. DPAs, she argued, cannot have a monopoly over other regulators, but instead a community is needed—something that’s going on in Europe right now, she said. DPAs can also extend the privacy community by complementing enforcement with tools to help industry. As an example, she said the CNIL is currently working with industry to create compliance tools for the Smart Grid.
Falque-Pierrotin said there is something to a hybrid of the U.S. and European privacy cultures. Codes of conduct, for example, are “very useful,” she said, but noted that standards differ from code to code, depending on who has informed it, so it’s essential that codes, in the end, be set by regulators.
For DPAs, it’s not all about enforcement either. There is room for an advisory role, she said, but Falque-Pierrotin cautioned that conflicts of interest can get in the way. Some DPAs, she said, focus solely on enforcement, but warned “if you’re only active on enforcement, you deal with the illness but not the everyday life of the community.”
For the most part, Kohnstamm agreed, but noted that smaller countries have much smaller staffs—sometimes as few as five or six staffers—to complete an immense amount of work. Sometimes, DPAs have to choose whether to focus more on enforcement or to take on more of an advisory role.
The UK’s Graham chimed in as well on the limited resources of DPAs. He expressed concern that too much time could be spent by regulatory authorities checking the credibility of data protection officers working in the EU—something proposed in the EU regulation. “Who on Earth can do all of this?” he asked. Graham backed Falque-Pierrotin’s use of operational tools, noting that his office released tools earlier this week. He also warned against having too many specifications in any regulation.
“Sometimes if we do too much,” Graham said, “we get less done.”