The Problem With Privacy
Andrew Serwin
Board Member, Investor, and Partner and Co-Chair of the Global Data Protection, Privacy and Security Practice at DLA Piper
Brand … Trust … Digital risk … Values … Ethics … The right to be let alone … The “creepy” factor … Notice and choice … Fundamental human right …
These and other terms inevitably come up in just about any conversation about data privacy. For companies, though, these terms are often challenging. It isn’t that they are unimportant, but rather that their importance isn’t always put in the proper context so that companies can actually understand and take appropriate action with respect to data.
From a business perspective, there are two key problems with privacy. First, it is “underinclusive.” As a concept rooted in individual rights (usually enforced by data subjects and data protection regulators), privacy fails to contemplate, let alone address, the broader point that data (both personal and nonpersonal) is what fuels the predominant line of communication in our world today.
The second problem with privacy is the widely held perception that it isn’t directly relevant to the primary purpose of a corporation. Most corporate executives see privacy as offering a branding, marketing, and/or ESG benefit, not as something that, in and of itself, returns value to shareholders.
To address these problems, and the growing centrality of data to our global economy, we need a new concept for describing how companies should govern their data practices. That concept is “data sustainability.”
Whereas the vast majority of companies today focus on compliance with privacy laws, data sustainability also addresses the other three pillars of corporate governance—business strategy, operational viability, and financial performance. In particular, data sustainability would help to prevent, mitigate, and eliminate “unsustainable” data practices that could threaten the company’s resilience and continuity.
Unsustainable data practices could include any number of issues that may not be illegal, but could nevertheless disrupt a company’s access to critical data. An example might be “creepy” data collection that, while lawful, may not be well received by data subjects, regulators, policymakers, the media, or other key stakeholders, and might include non-legal consequences to the company or its executives (e.g., reputational damage, congressional hearings, or other crises that compel the company to stop the practice in question, even before being legally compelled to do so). Another instance might be legally compliant cybersecurity practices that nonetheless result in data breaches, wherein essential data becomes unavailable to a company due to third party activity.
To be clear, data sustainability is not about ignoring the legal ramifications of processing personal information. It is, in fact, quite the opposite. One need only look at some of the consequences of regulatory enforcement actions to appreciate that the legal risks in many cases are actually operational resiliency risks.
In the U.S., for example, the Federal Trade Commission cannot obtain civil penalties for first-time violations and instead relies on consent decrees that can compel companies to delete data, restrict conduct, and in some cases disgorge proprietary algorithms. In the EU, moreover, while GDPR-related fines are always a potential risk, the most pressing issue today is the potential suspension of cross-border data transfers and a possible “data blackout.” All of these consequences have greater operational resiliency impacts than legal ones.
Future articles will help to define data sustainability further, but the chief takeaway here is that the concept is meant to encompass more than the legal consequences of using personal data—specifically, the operational risks and benefits of such data use. Data sustainability certainly includes the concept of privacy, but it doesn’t stop there. In short, it acknowledges the reality that companies in every industry now face. Having a road on which nothing can move due to a lack of fuel is effectively the same as having no road at all.
Privacy and Technology Lawyer
2 years ago
Thank you for such a thoughtful article. I’d like to suggest that perhaps the concept of sustainability is much broader than what you present here. You state that data sustainability enables companies to manage data in support of company strategy, operational viability, and financial performance in order to drive company resilience and continuity. However, resilience applies to a single entity and sustainability is other-directed. A resilient company engages in practices that enable it to survive. A company that engages in sustainable practices supports the survival, even flourishing, of society and the planet, as well as of itself. Therefore, a company that engages in sustainable data practices does not stop at mitigating its own reputational, compliance, and operational risks. It also works to mitigate harms to individuals (and society as a whole) resulting from loss or exploitation of privacy, including loss of freedom of expression and autonomy, discrimination, and the commodification of individuals into data sources. And it works to mitigate harms to the planet that result from the massive energy consumption, exploitation of rare earth minerals, and generation of hazardous waste that accompany data processing [comment 1/2]
SMB Data Mapping, Governance, Privacy and Security Consulting Experts - Assessments, Policies, Retainer - HIPAA Privacy/Security, ISO 27001-02:2022, CIS Controls v8 - Mentoring, Coaching
2 years ago
Love the "sustainable data" concept which fits within a defensible and sustainable privacy and security program!
The problem with privacy is that regulations and contract clauses are ineffective if software does not implement the practices! When does it cross the line to fraud when companies publish privacy policies that they know they can’t/don’t VCs.
Cyberstalking, Privacy, AI Policy Writer, with a little Royal Gossip
2 years ago
With increasingly severe weather events, it is conceivable that small and medium-sized businesses could fail because of a lack of data sustainability. Have you read Resilience: A New Tool in the Risk Governance Toolbox for Emerging Technologies by Gary E. Marchant & Yvonne A. Stevens?