By Leslie Gordon
Governments and industries have been shaken when hackers, foreign spy agencies or various unethical actors violate personal data online. While privacy regulations seeking to curb those violations have been enacted, it’s been unclear how those regulations have shaped corporate behavior and whether personal data is more or less protected. Until now.
Privacy on the Ground: Driving Corporate Behavior in the United States and Europe is a new book that delves inside corporations and examines how the privacy protectors there actually do their work and what kinds of regulations have effectively shaped their behavior. Co-authored by Professors Kenneth Bamberger and Deirdre Mulligan, faculty directors at the law school’s Berkeley Center for Law & Technology, the book is an intensive, five-nation study that searches out corporations’ best privacy practices and provides guidance to policymakers.
“The conventional wisdom in the last two decades has been that there’s a strong contrast between the U.S. and Europe when it comes to privacy,” Bamberger explained about the impetus for the project. “The U.S. has been considered the Wild West: unregulated, irregular, haphazard. Europe, it’s thought, really cares about privacy in ways the U.S. doesn’t, and European countries have strong laws to protect privacy much more effectively. But we realized that no one had looked at what was actually going on to determine if that was really the case.”
There was a “mantra,” Mulligan added, that the U.S. is weak on privacy and should adopt a European model. “But I was seeing an awful lot of activity in the U.S. corporate sector: a growing number of Chief Privacy Officers (CPOs) as well as money and resources being spent on privacy at companies.” Privacy regulations had been enacted, but it wasn’t clear how they were playing out, Mulligan said. “I began interviewing CPOs in the U.S. to understand how they interpret privacy and implement regulations – to lift the hood of the car, so to speak.”
That research “rewrote the story” about privacy in the U.S., Mulligan said. Regulations were in fact affecting privacy practice, and legal structures were empowering privacy professionals. Bamberger and Mulligan then compared what was happening in the U.S. with what was happening in Germany, England, France and Spain by interviewing privacy officers, regulators, privacy lawyers, journalists and technologists in those countries.
The results were surprising. It turns out that the two countries with the most ambiguous regulations – Germany and the U.S. – actually had the strongest corporate privacy management practices. And despite their very different cultural and legal frameworks, “the set of emerging best practices that had arisen in the U.S. and Germany were really very similar: privacy officers had a lot of power, status and resources,” Bamberger said. “The CPOs were involved not just with compliance, but also corporate strategy. U.S. and German companies also had a privacy conscience within the firm, which creates a backbone when the government comes in and asks for information.”
In contrast, companies in the more rule-bound countries of Britain, France and Spain trended towards compliance processes rather than embedded privacy practices. Companies in those countries typically had low-level people working on privacy from a compliance-only or public relations standpoint. “It was striking and counterintuitive,” Bamberger said.
Ultimately, Mulligan and Bamberger concluded that more flexible regulatory instruments, coupled with oversight, enabled companies to leverage the talent of people dealing with privacy on the ground. “It’s best when regulations encourage privacy practices to embed in the corporation’s own DNA,” Mulligan explained. “It comes up not just in how the company uses data, but also when people come knocking and demand data from the company – they’re empowered.”
Privacy on the Ground will be “hugely helpful for privacy professionals, CEOs and lawyers” who want a snapshot of current best practices, according to Bamberger. The book is being released by MIT Press in conjunction with Amsterdam Privacy Week, the year’s largest worldwide privacy gathering at the end of October. There, the book will be celebrated at a launch party given by the Hogan Lovells law firm and the Future of Privacy Forum, a leading privacy organization.
That same week, the Confederation of European Data Protection Organisations, the association of privacy officers in Europe, will hold a briefing and panel about Privacy on the Ground at the International Data Protection and Privacy Commissioners Conference, which will also feature FTC Commissioner Julie Brill and former European Data Protection Supervisor Peter Hustinx. After Amsterdam, book launch events for Privacy on the Ground will take place in the coming months in Israel, New York, Berkeley and Washington, D.C.