
Date post: 21-May-2020
Debunking Myths of European and U.S. Privacy: New Data on Corporate Privacy Management Prof. Kenneth A. Bamberger University of California, Berkeley, School of Law Berkeley Center for Law and Technology
Transcript
Debunking Myths of European and U.S. Privacy: New Data on Corporate Privacy Management

Prof. Kenneth A. Bamberger University of California, Berkeley, School of Law

Berkeley Center for Law and Technology

Conventional Scholarly and Policy Focus “on the books”

▪ formal law; sometimes institutions

Last Research – 1995

US Legal Ambiguity creates:

▪ systemic inattention & lack of resources

▪ “non-existent” policies or not followed in practice

▪ administered by low-level managers not involved in business decisions

• Push towards “Europe:” omnibus, unambiguous mandates; dedicated privacy regulators; rights; full FIPPs

• No comparable work demonstrating success of the European model.

Sea Change in US Privacy Professionals

Associations

Services

Higher ed

Evidence of Bureaucratization in Europe

Divergence Between European Jurisdictions

Elements

Targeted interviews with “leading” corporate privacy officers (CPOs), as well as regulators

Document internal firm practices

Broader surveys of firms

Key Findings:

The Rise of Best Practices For Privacy Management Among Industry Leaders

A Convergence Between Practices – US, German, and UK(?) Leaders

Key Questions:

Why do we see this pattern emerging?

What can we learn for policy reform?

1) “Boundary-Spanning” CPOs

▪ Internal Influence

▪ External Orientations

▪ Translation function

2) The “Managerialization” of Privacy Expertise within the Firm

▪ Distributed Expertise

▪ Tools and Technology

▪ Leveraging Firm-wide Risk-Management Systems

▪ Distributed Accountability

3) Privacy as Strategy and Operations (vs. notice and consent or notification)

Organizational Behavior/Decisionmaking Research

Distribution vs. Siloed Function

Empowering Internal Actors within Organization

Tools and Technologies in Decisionmaking

Privacy Research

Rules based on notice and consent vs. contextual assessment & understanding of risk and harms

Privacy by Design

U.S. Leaders’ Definitions

Limited role of compliance

New goal: Manage Risk

New touchstone: Protecting Expectations; avoiding “creepy”

German Leaders’ Definitions

Compliance but nested in broader ethical frames

Data Protection linked to privacy; social interests and ethical obligations; workers’ rights

UK Leaders’ Definitions

Privacy as Controls/Risk Management

Privacy as “Pragmatic”

Definition

Privacy as political, unpredictable and volatile

“Compliance” not realistic

Operationalization

Legal task: rule bound, isolated, internal focus

But…

Hi-tech socializing privacy

High profile more external engagement

Definition

What? -- Compliance/detailed rules-based

Operationalization

Limited; Siloed; Compliance-Focused

Lower-level privacy function

Absence of firm-wide leads in 1/3 of firms

A New U.S. Story: A Network of Norms, “New Governance” at the FTC

Other Legal Inputs

• State Laws/DBN

• EU Directive

Professionalism

Social License

Privacy Norms in Germany: Nested Norms and the Negotiation of Privacy’s Meaning

Legal protections for DPOs; expansion of the role

Internal attention

Nested Norms – Other laws; Shoah; Nuremberg Protocol

Ex ante dialogues with multiple regulators

Stakeholder negotiations – works councils; DPOs

Professional Network Growth

France: Rules-orientation

Role of CNIL -- “In the end it’s the CNIL that decides.”

Limits of the CIL designation

Lack of Third Party Involvement

Ongoing Transformation

▪ Regulatory – transparency and leadership

▪ CIL/DPO as an entrée for professional networks

Spain

Specification of Unachievable Formalities

Penalties

Politics

Need to Shift the Lens

From law and legal institutions

to the “privacy field”

From top down to bottom up

Substance

Formal/procedural?

▪ Notice and comment

▪ Cross-Border transfers

Substance/principle?

Form

Regulatory Specificity vs. Flexibility/Ambiguity

Transparency and Publicity

Institutional practices

Create fora?

Create institutional actors?

Specified regulatory obligation? or negotiated social constraint (with enforcement threat)?

Associated with other value frameworks, harnessing market and workplace forces?

Empowering the CPO

Where is the Privacy Expertise? and how is it used?

Questions of “Diffusion”

Dominant stories

The Central Role of Privacy Professionals

PRIVACY ON THE GROUND: LESSONS FROM REGULATORY CHOICES AND CORPORATE DECISIONS IN THE US AND EUROPE (MIT Press: forthcoming 2014)

Privacy in Europe: Initial Data on Governance Choices and Corporate Practices, George Washington University Law Review (forthcoming July, 2013)

New Governance, Chief Privacy Officers, and the Corporate Management of Information Privacy in the United States, Law and Policy (2011)

Privacy on the Books and on the Ground, Stanford Law Review (2011)

