The Triumph of the Privacy Profession: An Interview with Bamberger and Mulligan

The past 20 years have seen the remarkable emergence of the privacy profession. Starting from nothing, this profession originally included a handful of people called Chief Privacy Officers (CPOs). Nobody grew up saying they wanted to be a CPO. Nobody knew what CPOs did.

The number of CPOs started to grow rapidly, as did their importance in organizations. These days, CPOs are consulted regularly. Big companies have entire privacy teams. The stakes are high and are getting higher. The new EU General Data Protection Regulation (GDPR) provides for fines of up to 4% of a company's global annual turnover. That will surely register on the CEO's radar.

Kenneth Bamberger and Deirdre Mulligan have spent years researching CPOs – how their roles and responsibilities have developed, what they are doing now, and how their roles compare in different countries. Bamberger is a professor of Law at U.C. Berkeley and Mulligan is a professor at U.C. Berkeley Law School and also the U.C. Berkeley School of Information. Both co-direct the Berkeley Center for Law and Technology.

Their recently published book is Privacy on the Ground: Driving Corporate Behavior in the United States and Europe (MIT Press, Oct. 23, 2015).

This is a very important book for the privacy profession. As I wrote in my blurb for the back cover: “Privacy on the Ground is a deep and insightful account of the unwritten law of privacy, crafted from the way that privacy professionals steer internal governance of privacy within companies. The rise of the privacy profession has had as great an impact on privacy today as any law. Privacy on the Ground shows us that law isn't self-executing but depends upon people who must navigate and change the culture and structure of their institutions. This book is the definitive scholarly analysis of the role of privacy professionals in the United States and in Europe.”

I interviewed the authors about their book, and they provided many great insights and highlights from their research.

SOLOVE: You’ve written a book discussing the corporate treatment of privacy “on the ground” in the United States and Europe. What do you mean by that?

BAMBERGER & MULLIGAN: So much of the privacy discussion focuses on the laws governing corporate treatment of personal information – privacy “on the books” – what it says and what it should say. But until now, we haven’t known much about what actually goes on inside corporations: what they think privacy means, what practices they have in place to protect privacy (or not), and the forces that prompted adoption of these practices. Our book looks “under the hood” to learn these things.

We interviewed CPOs in the United States, Germany, France, Spain, and the UK. We did further interviews with engineers and others in these same firms, with regulators, and with other privacy practitioners. We conducted over 100 interviews, and gained unique access to proprietary firm processes, decisions, behaviors and concerns.

SOLOVE: The book focuses a great deal on the role of the Chief Privacy Officer (CPO): what they do, how the position is (and should be) structured, and the way the position differs in the United States and Europe. What can we learn about CPOs?

BAMBERGER & MULLIGAN: The roles of CPOs, their respective levels of power and influence within firms, their level of access to boards and senior management, and their activities outside the firm – the way they interact with the broader field of privacy experts including regulators, activists, professional groups, and peers in other companies – are determining factors in whether firms have robust practices in place to protect privacy.

Firms with what we call boundary-spanning CPOs are more likely to consider privacy as a strategic issue, rather than solely a legal compliance matter, and more likely to have robust infrastructures that build privacy into governance, business, engineering, and other processes. And companies develop more robust practices in countries that foster and emphasize the development of privacy professionals. So professionalism is not just a management by-product, but an immensely valuable regulatory strategy.

SOLOVE: Does this mean that specific legal choices about the substance of “privacy” don’t matter?

BAMBERGER & MULLIGAN: Not at all. Certain aspects of substantive law were immensely important in catalyzing firms to adopt and empower boundary-spanning CPOs. But those substantive commitments were only one aspect of the external environment, and it turned out their impact depended upon other factors that are often not accounted for in assessments of privacy regimes. The existence of other factors that promote a certain role for privacy professionals determines how well substantive commitments will be implemented – or not – through firm decisions. So CPOs are linchpins in the way privacy pans out “on the ground,” and choices about substantive law matter but must be viewed against a broader landscape of external factors influencing firm behavior.

SOLOVE: What can CPOs and upper management learn from your research?

BAMBERGER & MULLIGAN: The book identifies an emerging set of global corporate privacy best practices, and explores how they’ve developed and why they hold promise for both firms and society. These include three things.

First, in leading firms, privacy “makes the Board’s agenda.” The privacy function receives a high level of attention, resources, and prominence, and CPOs have access to top firm management and the Board.

Second, the privacy function is headed by what we call a “boundary-spanning privacy professional.” That person must be a high-status privacy lead, often sitting within the c-suite. And their job must involve mediating between external privacy demands and internal corporate privacy practices – translating the uncertain and dynamic requirements of privacy as shaped by regulators, advocates, consumers, and peers into corporate strategy and practice. Having one foot outside the corporation and the other inside enhances the CPO's independence and importance. This type of expertise in helping the firm translate the external landscape helps secure the CPO a place at the table when corporate decisions are made, and ensures privacy plays a strategic role in firm decisions.

Finally, evolving best practices involve what we identify as the “managerialization” of privacy through “distributed expertise.” The privacy function can’t be siloed in just one individual or compliance unit. Privacy decision making actually needs to be integrated into technology design and business-line processes. This occurs best where privacy expertise and responsibility is distributed to staff embedded within business units, so that it can be brought to bear from the inside and from the bottom-up throughout the development of data-intensive processes and systems.

SOLOVE: From your description, it sounds like the role of the CPO has evolved over the years.

BAMBERGER & MULLIGAN: Yes, the CPO role is on a hockey stick curve. You can see that development over time in the US, and also comparatively, by looking at the privacy leads identified as leaders in the five countries we studied, as each country is at a different stage in the evolution of the CPO (or DPO – data protection officer – as they are generally called in Europe) role.

Two decades ago, privacy was handled by low-level managers who lacked status, influence or power in their companies. Privacy suffered from systemic inattention and lack of resources. Policies in important areas were virtually nonexistent, and those that existed were not followed in practice. Executive neglect signaled to employees that privacy was not a strategic corporate issue. When the external environment demanded firm engagement, the midlevel managers who stepped in to fill the gap in leadership lacked substantive expertise. Privacy considerations were particularly absent in decisions about technological or business developments.

The high-status, strategic CPO that we found among today’s German and US leaders, supported by professional networks like the International Association of Privacy Professionals, which claims 25,000 members from the private and public sector, marks a radical development.

SOLOVE: Does the CPO role differ between countries?

BAMBERGER & MULLIGAN: Most certainly. We found “strategic” high-level CPOs in the leading firms we identified in the U.S. and Germany. But in France, where the meaning of privacy has traditionally been decided top-down by government regulators, privacy leads had little role in its translation and were lower level players within the firms. In Spain, DPOs described privacy as more of a political issue, and their work centered around compliance and government relations, and had much more limited interaction with business units. And in the UK, privacy leads came from lower levels of firm management. Leaders in all of these countries demonstrated ongoing development towards the best practices we identified in Germany and the U.S. Yet in each of these contexts, privacy was far less integrated in firm decision making, the function was much more siloed, and – especially in France and Spain – firms generally described much more of a compliance-oriented, check-the-box, data protection-centered operation.

SOLOVE: What is the greatest take-away for privacy professionals about your research on the CPO role?

BAMBERGER & MULLIGAN: That empowered, boundary-spanning CPOs are in the interest of both firms and society. Empowered, independent CPOs charged with what one of our interviewees called “thinking around corners” bring social obligations and concerns about privacy more meaningfully into firm practice. The demands of protecting privacy, and mitigating the operational risks it poses, change constantly. Having an empowered privacy “mole” who can bring the outside discussion of privacy protection into the boundaries of the corporate organization can help firms mitigate risks and avoid being blindsided.

Our book begins with the story of Yahoo!’s 2004 disclosure of information about dissident journalist Shi Tao’s identity to the Chinese government. The disclosure led to Shi Tao’s imprisonment, and spawned widespread public condemnation of Yahoo!’s action—including a U.S. congressional hearing in which the firm's leaders were called moral “pygmies,” lawsuits, and widespread criticism by human rights, civil liberties, and journalism organizations. These condemnations were felt in boardrooms throughout Silicon Valley and beyond.

Several years later, Yahoo! responded very differently, battling National Security Agency demands to turn over customer information in the secret intelligence court. The company did the right thing, and was later lauded publicly for it.

Why the change? The regulatory climate – the law on the books – had not changed in the interim. But the company had empowered and resourced its privacy and law enforcement staff, launched a Business and Human Rights program covering privacy and freedom of expression, and supported several related initiatives outside the company. These firm personnel and structures ensured that Yahoo! was able to identify and respond to privacy issues as important human rights questions deserving of strategic engagement not just routine legal compliance. They had the capacity to engage in discussion and action when new issues arose.

SOLOVE: What are your predictions for the future of the CPO?  What possibilities and challenges do you see ahead?

BAMBERGER & MULLIGAN: Let’s start with two.

First of all, the demand for privacy professionals is only set to rise exponentially; in Europe alone, it is estimated that the new regulation will require the employment of 20,000 new CPOs or DPOs within the next 3 years!

Second, the substance of privacy is changing. Privacy leads now find themselves grappling with the social implications of data mining, machine learning, and artificial intelligence. Their portfolios are growing to include issues of fairness, autonomy, and data ethics. CPOs are becoming responsible for all kinds of information policy issues.

So those aiming for a CPO role must demonstrate broad training, and broad engagement, with the range of policy issues arising from increasingly intensive use of data, embedded computation, and the nudging and decision-making it facilitates. This includes, but is not limited to, privacy.

SOLOVE: What’s the most surprising thing you learned in your research?

BAMBERGER & MULLIGAN: Well, for decades it’s been a commonplace that the US is a privacy laggard, while Europe protects privacy well. So European-style “privacy on the books” – laws mirroring the EU regime – was heralded as a necessary way to ensure robust privacy protection everywhere.

It turns out, however, that it is the leading US and German firms who are the most proactive in implementing strong privacy practices throughout their operations. And French, Spanish, and UK companies lag behind. There are important substantive differences in the policies firms adopt, and those often relate to specific legal requirements, but in the U.S. and Germany those substantive policies have real traction within the firm as a matter of day-to-day practice. There is room to strengthen laws on both sides of the Atlantic. But when it comes to implementation, and the identification of privacy risks posed by new innovations such as big data and AI – in some ways the US has a leg up on much of Europe. And “Europe,” in turn, is not just one thing. Despite shared legal frameworks, the privacy experience “on the ground” varies depending on where you are.

SOLOVE: I look forward to following up with you on those points in our next interview. The book is Privacy on the Ground: Driving Corporate Behavior in the United States and Europe (MIT Press, Oct. 23, 2015). It’s an essential read for all privacy professionals.

 * * *

Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School and the founder of TeachPrivacy, a privacy/data security training company. He is the author of 10 books and more than 50 articles.

Comments

jaap karman, ICT professional (SAS BI EM DA), 8 years ago:

What you really are saying is "privacy" is big business. - Become a high-paid board member CPO - Do your marketing with that topic. No need for a real practical verifiable realization. It is all about marketing. That is a contradiction, as the end of privacy started with financial goals. As ethics are lost with that, it is a repeating story.
Stephan Engberg, Specialist in trustworthy identity, security and data sharing, 8 years ago:

However great it is that privacy has increased attention, one might ask if it is not merely about compliance and brand management rather than actual security and rights of individual citizens. If we define Privacy by Design in the Digital Sustainability approach as enabling data services without creating or using personal data, I don't detect any real attention or dedication to privacy in an interview such as this. CPO today merely seems to be doing damage control - a bit like the tobacco industry's army of Consumer Rights lawyers in the US and EU. The interesting question is perhaps - with so much attention, why do we see so few privacy solutions?
