Debunking Myths of European and U.S. Privacy: New Data on Corporate Privacy Management
Prof. Kenneth A. Bamberger University of California, Berkeley, School of Law
Berkeley Center for Law and Technology
Conventional Scholarly and Policy Focus “on the books”
▪ formal law; sometimes institutions
Last Research – 1995
US Legal Ambiguity creates:
▪ systemic inattention & lack of resources
▪ “non-existent” policies or not followed in practice
▪ administered by low-level managers not involved in business decisions
• Push towards “Europe”: omnibus, unambiguous mandates; dedicated privacy regulators; rights; full FIPPs
• No comparable work demonstrating the success of the European model.
Sea Change in US Privacy Professionals
▪ Associations
▪ Services
▪ Higher ed
Evidence of Bureaucratization in Europe
Divergence Between European Jurisdictions
Elements
Targeted interviews with “leading” corporate privacy officers (CPOs), as well as regulators
Document internal firm practices
Broader surveys of firms
Key Findings:
The Rise of Best Practices For Privacy Management Among Industry Leaders
A Convergence Between Practices – US, German, and UK(?) Leaders
Key Questions:
Why do we see this pattern emerging?
What can we learn for policy reform?
1) “Boundary-Spanning” CPOs
▪ Internal influence
▪ External orientations
▪ Translation function
2) The “Managerialization” of Privacy Expertise within the Firm
▪ Distributed expertise
▪ Tools and technology
▪ Leveraging firm-wide risk-management systems
▪ Distributed accountability
3) Privacy as Strategy and Operations (vs. notice and consent or notification)
Organizational Behavior/Decisionmaking Research
▪ Distribution vs. siloed function
▪ Empowering internal actors within the organization
▪ Tools and technologies in decisionmaking
Privacy Research
▪ Rules based on notice and consent vs. contextual assessment and understanding of risk and harms
▪ Privacy by Design
U.S. Leaders’ Definitions
▪ Limited role of compliance
▪ New goal: manage risk
▪ New touchstone: protecting expectations; avoiding “creepy”
German Leaders’ Definitions
▪ Compliance, but nested in broader ethical frames
▪ Data protection linked to privacy; social interests and ethical obligations; workers’ rights
UK Leaders’ Definitions
▪ Privacy as controls/risk management
▪ Privacy as “pragmatic”
Definition
▪ Privacy as political, unpredictable and volatile
▪ “Compliance” not realistic
Operationalization
▪ Legal task: rule-bound, isolated, internal focus
But…
▪ Hi-tech: socializing privacy
▪ High profile: more external engagement
Definition
▪ What? Compliance/detailed rules-based
Operationalization
▪ Limited; siloed; compliance-focused
▪ Lower-level privacy function
▪ Absence of firm-wide leads in 1/3 of firms
A New U.S. Story: A Network of Norms, “New Governance” at the FTC
Other Legal Inputs
• State laws/DBN (data breach notification)
• EU Directive
Professionalism
Social License
Privacy Norms in Germany: Nested Norms and the Negotiation of Privacy’s Meaning
Legal protections for DPOs; expansion of the role
Internal attention
Nested norms – other laws; Shoah; Nuremberg Protocol
Ex ante dialogues with multiple regulators
Stakeholder negotiations – works councils; DPOs
Professional Network Growth
France: Rules-orientation
▪ Role of CNIL – “In the end it’s the CNIL that decides.”
▪ Limits of the CIL designation
▪ Lack of third-party involvement
▪ Ongoing transformation: regulatory transparency and leadership; CIL/DPO as an entrée for professional networks
Spain
▪ Specification of unachievable formalities
▪ Penalties
▪ Politics
Need to Shift the Lens
From law and legal institutions
to the “privacy field”
From top down to bottom up
Substance
Formal/procedural?
▪ Notice and comment
▪ Cross-Border transfers
Substance/principle?
Form
Regulatory Specificity vs. Flexibility/Ambiguity
Transparency and Publicity
Institutional practices
Create fora?
Create institutional actors?
Specified regulatory obligation? Or negotiated social constraint (with enforcement threat)? Associated with other value frameworks, harnessing market and workplace forces?
Empowering the CPO
Where is the Privacy Expertise? and how is it used?
Questions of “Diffusion”
Dominant stories
The Central Role of Privacy Professionals
Privacy on the Ground: Lessons from Regulatory Choices and Corporate Decisions in the US and Europe (MIT Press, forthcoming 2014)
Privacy in Europe: Initial Data on Governance Choices and Corporate Practices, George Washington University Law Review (forthcoming July 2013)
New Governance, Chief Privacy Officers, and the Corporate Management of Information Privacy in the United States, Law and Policy (2011)
Privacy on the Books and on the Ground, Stanford Law Review (2011)