Everybody knows the conventional wisdom: United States privacy law is weak and fractured, with neither comprehensive data protection legislation nor a dedicated privacy enforcement authority. The European Union is the gold standard of global privacy regulation, with its omnibus Data Protection Directive and collective force of 28 national data protection authorities.
Alas, as is so often the case, conventional wisdom is wrong.
These are the conclusions from a series of trail blazing articles by University of California, Berkeley, Professors Ken Bamberger and Deirdre Mulligan (see part 1, part 2 and part 3). Soon to be published as a full-length book titled Privacy on the Ground: Governance Choices and Corporate Practice in the U.S. and Europe, Bamberger and Mulligan’s research, which is based on a series of in-depth interviews conducted over two years with dozens of leading privacy professionals, makes (at least) two important contributions to privacy discourse: First, it introduces the reality of privacy on the ground, which in the U.S. comprises an emergent privacy profession replete with a rapidly expanding body of knowledge, training, certification, conferences, publications, web-tools and professional development; self regulatory initiatives; civil society engagement; academic programs with rich, multidisciplinary research agendas; formidable privacy practices in leading law and accounting firms; privacy seals; peaking interest by the national press; robust enforcement by Federal and State regulators, and individual and class litigation. Second, it avoids the all-too-common tendency to gloss over the variance between European privacy regimes by fleshing out some stark differences between EU Member States, with Germany elevating privacy to a strategic, forward-looking issue while France and Spain confine it to a reactive, compliance matter.
This week’s IAPP Global Privacy Summit will provide ample opportunity to further explore privacy on the books and even more so, privacy on the ground, with Professors Bamberger and Mulligan arriving in Washington together with leading European and global regulators. On Thursday, Bamberger and Mulligan will debate their most recent paper, Privacy in Europe: Initial Data on Governance Choices and Corporate Practices, with Giovanni Buttarelli, the Assistant EDPS. Some of the cross-border issues will also be discussed on Friday, in a special keynote conversation with Isabelle Falque-Pierrotin, the President of the French CNIL and Chair of the Article 29 Working Party; Christopher Graham, the UK Information Commissioner; and Jacob Kohnstamm, the Dutch data protection commissioner (until recently, himself the Article 29 Working Party Chair). In addition, tomorrow, the Future of Privacy Forum will host its annual Privacy Papers for Policymakers event on Capitol Hill, featuring a presentation of Bamberger and Mulligan’s paper, to be followed by a discussion with the privacy commissioners of France, Mexico, the Netherlands, the United Kingdom and the Assistant EDPS. (Other papers selected for presentation include ones by Neil Richards and Adam Thierer).
Bamberger and Mulligan’s work finds that, in the U.S., privacy has become ingrained in organizational risk-management processes and driven by business considerations focusing on the preservation of consumer trust and corporate reputation. In contrast, in many European jurisdictions, privacy remains confined to legal compliance and focused on registration and reporting obligations targeted at regulatory agencies as opposed to the public at large. The development of privacy in the U.S. closely tracks the emergence of the privacy profession and its linchpin, the Chief Privacy Officer, which has become a senior executive role with strategic vision, access to the board and oversight over increasingly distributed teams of privacy experts, who are ingrained in every arm of a business, including product teams, designers and engineers.
The CPO is both internal and external facing, with internal responsibility for introducing privacy into larger risk management processes and the external engagement with policymakers, civil society, and – perhaps most important – similarly placed peers. Indeed, Bamberger and Mulligan quote one CPO who tells them “my team is not responsible for compliance, they’re responsible for enabling the compliance of the business.” This stands in contrast to the European Data Protection Officer, which – with certain exceptions in Germany – remains sidelined from business processes and relegated to legal compliance.
Thus they suggest that “changes in the field have arisen because, rather than in spite, of regulatory ambiguity.” Specifically, the FTC’s reliance on a standard-based regulatory mandate, requiring an assessment of “unfairness,” “reasonableness,” “consumer expectations,” and “countervailing benefits,” allowed for the development of a dynamic, consumer-focused, risk-management privacy processes. Such innate flexibility is essential in an area like privacy, which features still-nascent social norms that are as brittle as they are contextual.
Here, too, this organic development contrasts with the top-down European approach, which features highly detailed, technical legal mandates imposed by a staid bureaucracy and implemented by DPOs, whose “independence” becomes a double-edged sword, protecting them from corporate retribution but at the same time removing them from core organizational processes. As any parent who tries to educate a young child knows, children are ill served by strict and arbitrary mandates, such as “do x and y but not z,” but rather benefit from an iterative process that clarifies why doing x and y is better than doing z. This means – and should be an alarming lesson to the emerging European General Data Protection Regulation – that highly prescriptive legislative mandates actually foment less, not more privacy. In this vein, one Spanish DPO interviewed by Bamberger and Mulligan “blamed the compliance mentality for steering his company toward an inefficient and less privacy protective—but easily understandable—solution.”
On the positive side, the expansive, organization-wide, risk-management approach to privacy is spilling over from U.S. organizations to the EU. This is happening through multinational businesses with robust global privacy programs; the activities of professional organizations such as the IAPP; and the evolution of certain EU DPAs to focus less on administrative reporting obligations and more on the creation of best practices and engagement of broader constituencies and the press. As Bamberger and Mulligan note, “blending privacy into business unit decision-making from the start also offers a means for transforming privacy from a cost or limit to a function that must be integrated, along with other core specifications, into each product or service.”
Surely this is what “Privacy by Design” means on the ground.
If you want to comment on this post, you need to login.