Debunking Myths of European and U.S. Privacy: New Data on Corporate Privacy Management
Prof. Kenneth A. Bamberger
University of California, Berkeley, School of Law
Berkeley Center for Law and Technology
Conventional Scholarly and Policy Focus
- Formal law on the books; sometimes institutions
Last Research: 1995
- US legal ambiguity creates:
  - systemic inattention and lack of resources
  - non-existent policies, or policies not followed in practice
  - administration by low-level managers not involved in business decisions
- Push towards Europe: omnibus, unambiguous mandates; dedicated privacy regulators; rights; full FIPPs
- No comparable work demonstrating the success of the European model.
Sea Change in US Privacy
- Professionals: associations, services, higher ed
- Evidence of bureaucratization in Europe
- Divergence between European jurisdictions
Elements
- Targeted interviews with leading corporate privacy officers (CPOs), as well as regulators
- Document internal firm practices
- Broader surveys of firms
Key Findings
- The rise of best practices for privacy management among industry leaders
- A convergence between the practices of US, German, and UK(?) leaders
Key Questions
- Why do we see this pattern emerging?
- What can we learn for policy reform?
1) Boundary-Spanning CPOs
   - Internal influence
   - External orientations
   - Translation function
2) The Managerialization of Privacy Expertise within the Firm
   - Distributed expertise
   - Tools and technology
   - Leveraging firm-wide risk-management systems
   - Distributed accountability
3) Privacy as Strategy and Operations (vs. notice and consent or notification)
Organizational Behavior/Decisionmaking Research
- Distribution vs. siloed function
- Empowering internal actors within the organization
- Tools and technologies in decisionmaking
Privacy Research
- Rules based on notice and consent vs. contextual assessment and understanding of risk and harms
- Privacy by Design
U.S. Leaders' Definitions
- Limited role of compliance
- New goal: manage risk
- New touchstone: protecting expectations; avoiding "creepy"
German Leaders' Definitions
- Compliance, but nested in broader ethical frames
- Data protection linked to privacy; social interests and ethical obligations; workers' rights
UK Leaders' Definitions
- Privacy as controls/risk management
- Privacy as pragmatic
Definition
- Privacy as political, unpredictable, and volatile
- Compliance not realistic
Operationalization
- Legal task: rule-bound, isolated, internal focus
- But hi-tech: socializing privacy; high profile: more external engagement
Definition
- What? -- Compliance/detailed rules-based
Operationalization
- Limited; siloed; compliance-focused
- Lower-level privacy function
- Absence of firm-wide leads in 1/3 of firms
A New U.S. Story: A Network of Norms
- New governance at the FTC
- Other legal inputs: state laws/DBN; EU Directive
- Professionalism
- Social license
Privacy Norms in Germany: Nested Norms and the Negotiation of Privacy's Meaning
- Legal protections for DPOs; expansion of the role
- Internal attention
- Nested norms: other laws; Shoah; Nuremberg Protocol
- Ex ante dialogues with multiple regulators
- Stakeholder negotiations: works councils; DPOs
- Professional network growth
France: Rules-Orientation
- Role of CNIL -- "In the end it's the CNIL that decides."
- Limits of the CIL designation
- Lack of third-party involvement
- Ongoing transformation: regulatory transparency and leadership; CIL/DPO as an entrée for professional networks
Spain
- Specification of unachievable formalities
- Penalties
- Politics
Need to Shift the Lens
- From law and legal institutions to the privacy field
- From top down to bottom up
Substance
- Formal/procedural? Notice and comment; cross-border transfers
- Substance/principle?
Form
- Regulatory specificity vs. flexibility/ambiguity
- Transparency and publicity
Institutional Practices
- Create fora?
- Create institutional actors?
- Specified regulatory obligation? Or negotiated social constraint (with enforcement threat)?
- Associated with other value frameworks, harnessing market and workplace forces?
- Empowering the CPO
- Where is the privacy expertise? And how is it used?
Questions of Diffusion
- Dominant stories
- The central role of privacy professionals
- Privacy on the Ground: Lessons from Regulatory Choices and Corporate Decisions in the US and Europe (MIT Press: forthcoming 2014)
- Privacy in Europe: Initial Data on Governance Choices and Corporate Practices, George Washington University Law Review (forthcoming July 2013)
- New Governance, Chief Privacy Officers, and the Corporate Management of Information Privacy in the United States, Law and Policy (2011)
- Privacy on the Books and on the Ground, Stanford Law Review (2011)