DC vs. Marvel and What it Can Teach Us About Data Privacy?

As a kid I loved Superman. How could you not? A man who could transform into a superhero who possesses great powers and saves the world? Faster than a speeding bullet, more powerful than a…. You get the idea.

While stuck at home during lockdown last year my wife and I decided we would watch the entire Marvel Cinematic Universe series. And so we began, with the first movie – Iron Man. Great movie, tons of actions, great actors in Robert Downey Jr. and Gwyneth Paltrow. Before we knew it we reached the end of the movie, the final scene. Tony Stark calls a press conference. The reporters are all silent, hanging on his every word. You can slice the tension with a knife. Finally, after a long silence, Downey Jr. delivers an iconic line, “the truth is... I am Iron Man”. The room goes berserk. End of scene, end of movie. Wow, what an ending!

The more I replayed this scene in my mind the more I realized how truly unusual it was compared to the superheroes-of-old. Tony Stark, the individual, the human, revealing his true identity after keeping it hidden for so long. The more Marvel movies we watched, the more I realized that the superheroes I grew up watching – Superman, Batman, The Flash, Green Lantern, most if not all DC Comics – had secret identities. In stark contrast (pun intended ??), however, the Marvel superheroes put much less effort into protecting and concealing their personal identities. On the contrary, they thrive on the fact that their identities are known. The scenes in Captain America where random people call Chris Evans “Cap”, Tony Stark testifying before Congress and defiantly telling them he will not hand over the Iron Man technology to the US government, are all integral to the plots of the movies and to building the characters’ identities.

Contrast the openness of the Marvel characters with how far Bruce Wayne and Clark Kent go to conceal their identities and you have no choice but to ask the following questions: why do some superheroes have secret identities while others don’t, and what purpose does the concealment of the superhero’s real identity serve?

There are, very generally, three answers given to the first question.

1. Superheroes conceal their identities because otherwise they could never live lives as “normal” civilians. Much like real-world celebrities, whose incessant attention by the paparazzi and inability to escape the limelight, make living a “normal” life pretty impossible. Can you imagine how difficult it would be for Alan Scott (the current Green Lantern) to go to the supermarket without someone asking about his magical ring and superpowers?

2. Superheroes conceal their identities so that the villains cannot harm their loved ones. If Lex Luthor knew Superman’s true identity was Clark Kent he could target all the people Kent loves and cares about.

3. Superheroes conceal their identities because it makes them appear stronger. The aura of mystery strikes fear in the eyes of their enemies, a fear that would not be as powerful if the baddies knew that behind the mask was just a man or a woman. This is true for villains as well, by the way. They strike fear because they are masked, unknown and unpredictable and will go to great lengths to maintain the aura of mysticism around their identity.

What does all this have to do with data privacy, you ask? First off, the obvious connection. Superheroes are perhaps the only people in the world whose real identity remains private unless they decide otherwise. They are in control. This is arguably the degree of autonomy to which privacy regulations aspire – to enable people to be the gatekeepers of their own personal information, who has access to it and what is done with it. Imagine if you were able to completely separate between your professional identity and your personal identity, to walk into a wardrobe or a phone booth and emerge a different person – how amazing would that be? How many explanations of embarrassing spring break photographs would be spared during job interviews?

However, I believe the connection between superheroes’ secret identities and privacy laws runs much deeper. More interesting than the question of whether the creator of the superhero tale has chosen to conceal the superhero’s identity or not, is the question of why they’ve chosen to do so. The reason behind the identity concealment is just as important, if not more so, than the concealment itself, because it adds to the complexity and depth of the character and enriches the plot.

For example, Batman is a billionaire recluse who operates in the shadows of society. Having lost his parents at a young age, and with no friends or family by his side, he doesn’t have many people in his life to protect (aside from his trusted advisor, Alfred). The reason for concealing his identity therefore can’t be care for someone he loves (reason 2), rather it is much more likely intended to give him a more revered identity and strike fear in villains (reason 3). In contrast, in almost every Superman plot, the villain targets Lois Lane (superman’s love interest), thus the concealment of his identity is most likely tied to protecting those Superman cares about and loves the most. The plotline is enriched once the reason for the secret identity is clarified, adding an additional dimension to the character and enhancing what makes them “tick”.

Back to privacy. As privacy professionals we often get “bogged down” in the specifics. Is the 30 day deadline to respond to a Data Subject Access Request under GDPR inclusive of the day it was made or exclusive of it? Does an activity fall under the definition of “sale” of data under CCPA? Is our payroll provider considered a “service provider” under that same law or not? We are so focused on the specifics, the “what”, that we often forget ask “why”. Why was this law passed? What is the underlying purpose of this regulation and how does that affect its contents?

A number of years ago I was advising a U.S.-based charity, which had a branch in the U.K., planning and implementing their GDPR compliance program. One of my recommendations, in order to enable data to be transferred between the charity’s different entities, was for the U.S. branch to sign up to the Privacy Shield framework (an option which no longer remains available, as the entire scheme was invalidated recently, but that’s a topic for a whole other article). This, I explained, would enable data to pass freely between the U.S. entity and the entity in the U.K. (and other European location) which are subject to the GDPR. “We checked and it can’t be done” was the response I received one day from the charity’s chief executive. “What do you mean ‘can’t be done?’” I asked. After much investigation I was informed that the Privacy Shield framework is only available for entities subject to the jurisdiction of the Federal Trade Commission, namely for-profit commercial entities, and being a non-profit charity means this framework was not available to them.

Just as the reason for the concealment of a superhero’s identity adds an additional dimension to the character and engages the audience in the plotline, so too the backdrop and reasoning behind the enactment of privacy regulations around the world are a critical piece of the puzzle, sometimes even more than the specific requirements of the law itself. It is crucial for us as privacy professionals to remember what the ultimate purpose of the law is and why it was enacted as much as, if not more than, the specific and technical requirements themselves.

Avengers Assemble!