The past 20 years have seen the remarkable emergence of the privacy profession. Starting from nothing, this profession originally included a handful of people called Chief Privacy Officers (CPOs). Nobody grew up saying they wanted to be a CPO. Nobody knew what CPOs did.
The number of CPOs started to grow rapidly – as did their importance in organizations. These days, CPOs are consulted regularly. Big companies have entire privacy teams. The stakes are high and are getting higher. The new EU General Data Protection Regulation (GDPR) has sanctions of 4% of global revenue. That will surely register on the CEO’s radar.
Kenneth Bamberger and Deirdre Mulligan have spent years researching CPOs – how their roles and responsibilities have developed, what they are doing now, and how their roles compare in different countries. Bamberger is a professor of Law at U.C. Berkeley and Mulligan is a professor at U.C. Berkeley Law School and also the U.C. Berkeley School of Information. Both co-direct the Berkeley Center for Law and Technology.
Their recently published book is Privacy on the Ground: Driving Corporate Behavior in the United States and Europe (MIT Press, Oct. 23, 2015).
This is a very important book for the privacy profession. As I wrote in my blurb for the back cover: “Privacy on the Ground is a deep and insightful account of the unwritten law of privacy, crafted from the way that privacy professionals steer internal governance of privacy within companies. The rise of the privacy profession has had as great an impact on privacy today as any law. Privacy on the Ground shows us that law isn’t self-executing but depends upon people who must navigate and change the culture and structure of their institutions. This book is the definitive scholarly analysis of the role of privacy professionals in the United States and in Europe.”
I interviewed the authors about their book, and they provided many great insights and highlights from their research.
SOLOVE: You’ve written a book discussing the corporate treatment of privacy “on the ground” in the United States and Europe. What do you mean by that?
BAMBERGER & MULLIGAN: So much of the privacy discussion focuses on the laws governing corporate treatment of personal information – privacy “on the books” – what it says and what it should say. But until now, we haven’t known much about what actually goes on inside corporations: what they think privacy means, what practices they have in place to protect privacy (or not), and the forces that prompted adoption of these practices. Our book looks “under the hood” to learn these things.
We interviewed CPOs in the United States, Germany, France, Spain, and the UK. We did further interviews with engineers and others in these same firms, with regulators, and with other privacy practitioners. We conducted over 100 interviews, and gained unique access to proprietary firm processes, decisions, behaviors and concerns.
SOLOVE: The book focuses a great deal on the role of the Chief Privacy Officer (CPO). What they do. How the position is, and should be, structured. And the way the position differs in the United States and Europe. What can we learn about CPOs?
BAMBERGER & MULLIGAN: The roles of CPOs, their respective levels of power and influence within firms, their level of access to boards and senior management, and their activities outside the firm – the way they interact with the broader field of privacy experts including regulators, activists, professional groups, and peers in other companies – are determining factors in whether firms have robust practices in place to protect privacy.
Firms with what we call boundary-spanning CPOs are more likely to consider privacy as a strategic issue, rather than solely a legal compliance matter, and more likely to have robust infrastructures that build privacy into governance, business, engineering, and other processes. And companies develop more robust practices in countries that foster and emphasize the development of privacy professionals. So professionalism is not just a management by-product, but an immensely valuable regulatory strategy.
SOLOVE: Does this mean that specific legal choices about the substance of “privacy” don’t matter?
BAMBERGER & MULLIGAN: Not at all. Certain aspects of substantive law were immensely important in catalyzing firms to adopt and empower boundary-spanning CPOs. But those substantive commitments were only one aspect of the external environment, and it turned out their impact depended upon other factors that are often not accounted for in assessments of privacy regimes. The existence of other factors that promote a certain role for privacy professionals determine how well substantive commitments will be implemented – or not – through firm decisions. So CPOs are linchpins in the way privacy pans out “on the ground,” and choices about substantive law matter but must be viewed against a broader landscape of external factors influencing firm behavior.
SOLOVE: What can CPOs and upper management learn from your research?
BAMBERGER & MULLIGAN: The book identifies an emerging set of global corporate privacy best practices, and explores how they’ve developed and why they hold promise for both firms and society. These include three things.
First, in leading firms, privacy “makes the Board’s agenda.” The privacy function receives a high level of attention, resources, and prominence, and CPOs have access to top firm management and the Board.
Second, the privacy function is headed by what we call a “boundary-spanning privacy professional.” That person must be a high-status privacy lead, often sitting within the C-suite. And their job must involve mediating between external privacy demands and internal corporate privacy practices – translating the uncertain and dynamic requirements of privacy as shaped by regulators, advocates, consumers, and peers into corporate strategy and practice. Having one foot outside the corporation and the other inside enhances the CPO’s independence and importance. This type of expertise in helping the firm translate the external landscape helps secure the CPO a place at the table when corporate decisions are made, and ensures privacy plays a strategic role in firm decisions.
Finally, evolving best practices involve what we identify as the “managerialization” of privacy through “distributed expertise.” The privacy function can’t be siloed in just one individual or compliance unit. Privacy decision making actually needs to be integrated into technology design and business-line processes. This occurs best where privacy expertise and responsibility is distributed to staff embedded within business units, so that it can be brought to bear from the inside and from the bottom-up throughout the development of data-intensive processes and systems.
SOLOVE: From your description, it sounds like the role of the CPO has evolved over the years.
BAMBERGER & MULLIGAN: Yes, the CPO role is on a hockey stick curve. You can see that development over time in the US, and also comparatively, by looking at the privacy leads identified as leaders in the five countries we studied, as each country is at a different stage in the evolution of the CPO (or DPO – data protection officer – as they are generally called in Europe) role.
Two decades ago, privacy was handled by low-level managers who lacked status, influence or power in their companies. Privacy suffered from systemic inattention and lack of resources. Policies in important areas were virtually nonexistent, and those that existed were not followed in practice. Executive neglect signaled to employees that privacy was not a strategic corporate issue. When the external environment demanded firm engagement, the midlevel managers who stepped in to fill the gap in leadership lacked substantive expertise. Privacy considerations were particularly absent in decisions about technological or business developments.
The high-status, strategic CPO that we found among today’s German and US leaders, supported by professional networks like the International Association of Privacy Professionals, which claims 25,000 members from the private and public sector, marks a radical development.
SOLOVE: Does the CPO role differ between countries?
BAMBERGER & MULLIGAN: Most certainly. We found “strategic” high-level CPOs in the leading firms we identified in the U.S. and Germany. But in France, where the meaning of privacy has traditionally been decided top-down by government regulators, privacy leads had little role in its translation and were lower-level players within the firms. In Spain, DPOs described privacy as more of a political issue, and their work centered around compliance and government relations, and had much more limited interaction with business units. And in the UK, privacy leads came from lower levels of firm management. Leaders in all of these countries demonstrated ongoing development towards the best practices we identified in Germany and the U.S. Yet in each of these contexts, privacy was far less integrated in firm decision making, the function was much more siloed, and – especially in France and Spain – firms generally described much more of a compliance-oriented, check-the-box, data protection-centered operation.
SOLOVE: What is the greatest take-away for privacy professionals about your research on the CPO role?
BAMBERGER & MULLIGAN: That empowered, boundary-spanning CPOs are in the interest of both firms and society. Empowered, independent CPOs charged with what one of our interviewees called “thinking around corners” bring social obligations and concerns about privacy more meaningfully into firm practice. The demands of protecting privacy, and mitigating the operational risks it poses, change constantly. Having an empowered privacy “mole” who can bring the outside discussion of privacy protection into the boundaries of the corporate organization can help firms mitigate risks and avoid being blindsided.
Our book begins with the story of Yahoo!’s 2004 disclosure of information about dissident journalist Shi Tao’s identity to the Chinese government. The disclosure led to Shi Tao’s imprisonment, and spawned widespread public condemnation of Yahoo!’s action—including a U.S. congressional hearing in which the firm leaders were called moral “pygmies,” lawsuits, and widespread criticism by human rights, civil liberties, and journalism organizations. These condemnations were felt in boardrooms throughout Silicon Valley and beyond.
Several years later, Yahoo! responded very differently, battling National Security Agency demands to turn over customer information in the secret intelligence court. The company did the right thing, and was later lauded publicly for it.
Why the change? The regulatory climate – the law on the books – had not changed in the interim. But the company had empowered and resourced its privacy and law enforcement staff, launched a Business and Human Rights program covering privacy and freedom of expression, and supported several related initiatives outside the company. These firm personnel and structures ensured that Yahoo! was able to identify and respond to privacy issues as important human rights questions deserving of strategic engagement, not just routine legal compliance. They had the capacity to engage in discussion and action when new issues arose.
SOLOVE: What are your predictions for the future of the CPO? What possibilities and challenges do you see ahead?
BAMBERGER & MULLIGAN: Let’s start with two.
First of all, the demand for privacy professionals is only set to rise exponentially; in Europe alone, it is estimated that the new regulation will require the employment of 20,000 new CPOs or DPOs within the next 3 years!
Second, the substance of privacy is changing. Privacy leads now find themselves grappling with the social implications of data mining, machine learning, and artificial intelligence. Their portfolios are growing to include issues of fairness, autonomy, and data ethics. CPOs are becoming responsible for all kinds of information policy issues.
So those aiming for a CPO role must demonstrate broad training, and broad engagement, with the range of policy issues arising from increasingly intensive use of data, embedded computation, and the nudging and decision-making it facilitates. This includes, but is not limited to, privacy.
SOLOVE: What’s the most surprising thing you learned in your research?
BAMBERGER & MULLIGAN: Well, for decades it’s been a commonplace that the US is a privacy laggard, while Europe protects privacy well. So European-style “privacy on the books” – laws mirroring the EU regime – was heralded as a necessary way to ensure robust privacy protection everywhere.
It turns out, however, that it is the leading US and German firms who are the most proactive in implementing strong privacy practices throughout their operations. And French, Spanish, and UK companies lag behind. There are important substantive differences in the policies firms adopt, and those often relate to specific legal requirements, but in the U.S. and Germany those substantive policies have real traction within the firm as a matter of day-to-day practice. There is room to strengthen laws on both sides of the Atlantic. But when it comes to implementation, and the identification of privacy risks posed by new innovations such as big data and AI – in some ways the US has a leg up on much of Europe. And “Europe,” in turn, is not just one thing. Despite shared legal frameworks, the privacy experience “on the ground” varies depending on where you are.
SOLOVE: I look forward to following up with you on those points in our next interview. The book is Privacy on the Ground: Driving Corporate Behavior in the United States and Europe (MIT Press, Oct. 23, 2015). It’s an essential read for all privacy professionals.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 950,000 followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 24-26, 2016 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.