25 leaders, 25 moments at 25 years: "Privacy on the Ground"

At IAPP Global Privacy Summit 2016, Deirdre Mulligan and Kenneth Bamberger took to the keynote stage to accept the IAPP Privacy Leadership Award for work that informed their book, "Privacy on the Ground: Driving Corporate Behavior in the United States and Europe."

Originally published in October 2015, Bamberger and Mulligan's research examined corporate privacy management in five countries: France, Germany, Spain, the U.K. and the U.S. After a multitude of interviews with chief privacy officers, data protection officers, engineers, lawyers, advocates and regulators across the five countries, they discovered the one thing that had been overlooked previously was the privacy professional.

"For decades, privacy discussion has focused on laws governing treatment of personal information, privacy on the books, what it says and what it should say," Bamberger said. "But until now," Mulligan continued, "we've had precious little insight into how those words we've argued so passionately about actually shaped the behavior of the companies that handle so much of our data."

Bamberger and Mulligan decided to "look under the hood to see what really mattered."

"It turns out that all of this discussion about privacy on the books, all of these articles, these debates, these hearings, they missed something crucial about what really matters: They missed you. They missed the crucial role of the privacy professional."

What Bamberger and Mulligan found, they said, was that privacy pros had "respective levels of power and influence within" companies, access to boards and senior management, and an external network connecting a broader field of experts, regulators and advocates through associations such as the IAPP.?

To document the evolution of the privacy pro's corporate influence, "Privacy on the Ground" starts with Yahoo's 2004 decision to disclose the identity of a Chinese dissident to the Beijing government, which led to the man's imprisonment. The move led to widespread criticism and was "felt in boardrooms throughout Silicon Valley," they said.

Fast-forward a few years later, Yahoo opposed the U.S. National Security Agency's demands to turn over consumer data. "That time," they said, "the company did the right thing and was celebrated."

But what changed, especially since relevant, existing laws really had not in the intervening time?

The company, they said, changed dramatically by empowering and resourcing its privacy and law enforcement staff. "It built privacy in and, when the government came knocking this time, Yahoo was ready to engage in an important discussion about the interplay between privacy and surveillance." That corporate evolution was seen elsewhere, they noted.

"What you do is really special," they added.

Their research has left its mark in the intervening years.

"'Privacy on the Ground' had a significant and lasting impact on privacy policy and practice," Indiana University Professor of Law and Information Accountability Foundation Executive Director Fred Cate said. "It was the first systematic look at how privacy leaders in companies actually approached their work. And it offered the first evidence, as opposed to intuition or impression, that formal privacy law had only a limited relationship to the quality of privacy protection afforded by organizations. It therefore made a particularly important contribution to solidifying the essential role of privacy professionals."

In considering its influence, IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy said, "'Privacy on the Ground' may have even more resonance today, as the U.S. and EU revisit their approaches to digital governance, than when it was first published a decade ago. Mulligan and Bamberger demonstrated how crucial the appointment of responsible privacy leaders inside organizations has been in steering effective privacy practices, whether navigating prescriptive regulations or building best practices to earn consumer trust. At a time when this latter, principles-based approach prevailed, privacy officers helped to ensure strong privacy in practice. Since its publication, governments around the world have embraced these findings, encouraging or requiring the appointment of knowledgeable privacy professionals as part of broader data protection reform."

For Gerard de Graaf, who currently serves as Senior Envoy for Digital to the U.S. and Head of the EU Office in San Francisco, the book “illuminated profound realizations for corporate privacy practices by shifting the focus from legal formalism to the practical realities of privacy governance within organizations. They demonstrated how much privacy compliance can be deeply influenced by corporate culture, industry norms, and professional practices.”

He said it also provided “a critical perspective on how important accountability mechanisms and internal corporate governance approaches are in bridging regulatory gaps. I am thankful to Ken and Deirdre for advancing the discussion beyond rigid legal comparisons, highlighting the importance of corporate governance, accountability, and practical implementation in shaping effective privacy protections.”

Though their 2016 speech predated implementation of the EU General Data Protection Regulation, Bamberger and Mulligan's words were prescient. Not only did they note the GDPR would lead to tens of thousands of jobs for privacy pros, they also looked further ahead to a trend that was just beginning to emerge then and is now in full swing.

They noted CPO job titles were beginning to change and expand to address new challenges brought on by artificial intelligence, machine learning and other technologies. A trend that has now been reflected in the IAPP's 2024 mission expansion to include AI governance, cybersecurity law and digital responsibility.

"The privacy professional community has built a path-breaking model for dealing with the challenges of the information age," they said, "melding strategy and operations, spanning outside commitments and internal legitimacy. … These are the models that will serve us well."