News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | Why Are German and U.S. Practices so Similar, if Their Regulatory Structures Are so Different? Related reading: Norway's DPA issues requirements for code of conduct monitors

rss_feed

""

""

Our previous post began to explore findings from almost one hundred interviews of leading corporate privacy officers, regulators and other privacy professionals in five countries—and what they can teach us about how the structure of the corporate privacy function can affect the success of measures to protect privacy.

We ended that post with a surprising finding: The two countries in which privacy officers were most empowered, and most involved in shaping firm strategy, couldn’t be more different in terms of their regulatory substance and form—Germany and the U.S.

This is especially startling, because in global debates the German legal commitment to privacy protection is frequently held up as representing one end of the spectrum (strongest), while the U.S. approach is placed at the other.

It is also remarkable, given that the definitions of privacy we found at work within corporations in each country are similarly distinct. In the U.S., CPOs reported an amorphous and evolving definition of privacy, infused by the consumer protection-oriented objectives of key regulators (the Federal Trade Commission and state Attorneys General) in a manner that makes achieving privacy obligations a more forward looking, externally oriented and dynamic task.

In Germany, by contrast, corporate DPOs describe privacy efforts centered around compliance with data protection law—as do their colleagues in Spain and France.

Why then, are German corporate privacy practices largely different from those in other European jurisdictions? And why are they most similar to those in the U.S., where approaches to privacy are decidedly different?

While our research indicates that a large number of elements combine to shape the privacy landscape in a country, a few elements of the German scene stand out in explaining some of the similarities:

  • In Germany we found that data protection within the firm is solidly and specifically influenced by other ethical frameworks that—like consumer protection in the U.S. context—require DPOs to be more actively engaged in sorting out privacy’s meaning as it is shaped by a negotiation with a variety of players in the privacy “field.”
  • As an initial matter, our interviewees described, privacy in Germany is conceived within a broader ethical framework of human dignity derived from the atrocities of World War II, and therefore engages a number of social and political players beyond the privacy profession in shaping its meaning.
  • Secondly, information privacy is considered a strong element of commitments to protect and respect employees—commitments protected elsewhere in German law, which mandates the existence of a powerful workers council within each firm, exercising representation on the corporate board.
  • These additional institutional structures, committed to engagement with negotiations about the meaning of privacy, and empowered to ensure corporate accountability, support the work of DPOs within the firm and provide a richer language that DPOs can leverage to engage firm leadership, garner resources for privacy and move beyond a purely compliance focus.

It is important to note that despite a longstanding statutory requirement for firms to employ DPOs—with protections guaranteeing independence and management access similar in many respects to the requirements set out in the EU Draft Regulation—the German DPOs who we interviewed indicated that the DPO role has only achieved its full and robust form in recent years.

Thus our interviews suggest that statutory command—while sufficient to establish a data protection office within firms—did not, on its own, deliver the robust DPO equipped with the power, authority and resources to push privacy aggressively into firm activities.

According to our interviewees it took: (1) risks to firm reputation flowing from the increased possibility of negative publicity wrought by higher fines and penalties meted out by regulators, (2) the adoption of data breach laws in a growing number of countries and (3) the fact that these two developments empowering existing institutional players like consumer groups, workers councils and the legally-mandated DPO to fully realize the lead privacy officer roles they now occupy.

This suggests that ensuring DPO power and authority to influence privacy within the firm requires more than a statutory mandate. It also needs a focus on keeping privacy matters in the public spotlight and supporting constituencies—be they consumer and privacy organizations or labor representatives—that use information about firm practices and missteps to focus the attention of the public, regulators and firms fueling a constant improvement in policy and practice.

Authors
Headshot Deirdre Mulligan Nonmember Contributor
Headshot Kenneth Bamberger Nonmember Contributor
Tags
Personal Privacy
Privacy Operations Management
2 Comments

If you want to comment on this post, you need to login.

  • comment IAPP Member • Mar 28, 2013 
    Dear Professor Mulligan, Dear Professor Bamberger,
with excitement I will be awaiting the publication of your study in 2014, hoping that I will then better understand the finding that German and US practices are similar to each other in the private sector. This blog post, unfortunately, leaves me wondering. If this study is about privacy practices and not just about the daily routines of privacy officers then one difference comes to my mind which is so fundamental that it is impossible to find practices in general similar, even if some details look alike: Absent a privacy policy’s promises to the contrary, in most industry sectors in the US data controllers do not need specific permission by the data subject to have his or her data processed. Data once collected for purposes of executing a contract with the data subject may and will be stored forever by many US based companies, and there is nothing a data subject can do against that. Often, privacy policies do not even relate to time-limits of retention, nor do they foresee a consumer’s right to demand deletion. The amount of dormant, unnecessary data should be much higher in the US than in Germany, and so is probably the temptation to story large amount of personal data for the sole reason that in the future there may be some use for it. In Germany, however, data storage for executing a contract with the data subject must be necessary. After execution, data will be deleted. Data subjects have a right to being informed about their personal information being stored by companies, and they may demand deletion if unnecessary data is stored or data is stored without permission (in case of data collected for advertisement purposes, for example). I would assume that this legal framework which for the most part is shared among European countries determines the privacy practices of companies. It may not so much determine how privacy officers perceive their profession and their role in the organization, but that wasn’t the question, was it? After all, an interesting blog, but it poses questions that so far remain unanswered.
  • comment burgada • Apr 1, 2013 
     germans are Nazis of past and americans are Nazis of today so this resemblance.
Related Stories
Colorado passes bill to protect brain data 
The Colorado General Assembly approved an amendment to the Colorado Privacy Act for the protection of sensitive biometric and "neural data," The New York Times reports. The law aims to protect consumers from devices that collect data from brain activity. State Rep. Cathy Kipp, D-Colo., said while th...
Read More queue Save This
Related Stories
Tags
Personal Privacy
Privacy Operations Management
Recent Comments