By Sam Pfeifle
Leslie Harris, who has headed the Center for Democracy & Technology (CDT) since 2005, announced this month that she will resign from her post in March of 2014, just as the CDT celebrates its 20th anniversary. In a conversation with The Privacy Advisor, Harris made it clear that she is not retiring but rather “right-sizing,” and she is hardly done with her work in the privacy arena.
Nor is she done with her work at the CDT. She has a number of goals for the upcoming nine months, not the least of which is finding a replacement. The CDT’s board has created a search committee, led by Chair Deirdre Mulligan and including Bill Bernstein, Danny Weitzner and Harris, and they’ve selected Russell Reynolds to assist in the search for a new president.
As for Harris personally, she said she’s looking for “someone with the capacity to globalize CDT…someone who understands the space and the issues.” Of course, an ability to raise money is important, too, but also “an ability to retain the culture,” Harris said. “I lead a band of equals, and that’s part of our strength. It needs to be someone who understands that this organization is not about them.”
Further, the job gets harder every day.
“When I came in,” Harris said, “privacy was on the agenda…but the issues were much more straightforward. The storage revolution, the addition of Big Data analytics and the growing appetite for access to data held by the private sector, the increasing flow of data through the cloud—all of that has taken privacy from small discussions to key global debates in the course of my tenure here. And I don’t know that we’ve made the progress I’d have liked.”
While the organization has grown from nine people focused on Washington, DC, to nearly 30 focused on the world at large, there still is not, for example, a baseline consumer privacy bill in the United States. There still has not been ECPA reform.
The progress the Federal Trade Commission has made in understanding privacy is gratifying, Harris said, but she’s disappointed by the lack of progress made otherwise in both the U.S. legislature and with the EU regulation reform. She’s encouraged by the Obama administration’s proposed Consumer Privacy Bill of Rights, saying “it’s a good model and takes into account innovation over time,” but the lack of movement in the legislature doesn’t leave her hopeful.
With that said, however, Harris does see the new Texas e-mail bill, the new bills in Montana and Maine require warrants for cellphone location tracking and the various social media access bills as steps in the right direction, legislatively.
One of the biggest problems, she feels, is that “the appetite for data is increasing far faster than the consumer can understand or even knowledgeable advocates like the CDT can keep up with. What was a fairly level and understandable conversation about who had your data and what obligations they had now extends to an enormous universe of players, many of whom a consumer has no idea that they have their data, and it’s such a complex environment that I worry that anybody, let alone lawmakers, will be able to unpack it in a way that’s useful rather than harmful.”
And there enters the chief privacy officer.
“Good privacy officers don’t view their role as just compliance,” she said. “It seems to me that an officer has an obligation to go quite far to explain the collection and uses of data to consumers in ways that are understandable and give them real and meaningful choices about that information. I think a privacy officer needs to be challenging the decisions of the company, not just saying, ‘If you’re doing this program, here’s the safeguards you put around it.’ I think they should be asking the question of whether they should be doing this program at all.”
Further, she believes the chief privacy officer (CPO) has new demands in consideration of the recent NSA revelations. Maybe a program of data collection would be good for the business, but if it opens up the possibility of vast government collection of that data, Harris feels privacy officers have an obligation to protect customers from that potential government intervention.
“Maybe six or seven years ago,” Harris said, “I remember raising the point that it was harder and harder to think about the consumer privacy questions without understanding the government privacy questions, and people were not happy with that. They wanted to bifurcate those two questions and not allow that to taint their nicely designed programs for legitimate purposes. But I don’t think you can continue to do that. Data collected by private companies is the principal fuel for our growing government surveillance programs…CPOs need to be thinking bigger than the accountability questions that good privacy officers ask now.”
Which is not to say Harris believes companies are shirking their duties to protect consumer privacy. She points to private industry’s support of ECPA reform and those who’ve joined the Digital Due Process Coalition as good corporate actors.
“But the most compelling example right now,” she said, “is the companies that have been pushing back on the national security demands: Yahoo's challenge to the statute at the FISA court, Microsoft and Google's challenge to the gag on the basis of their First Amendment rights. Companies do have obligations under human rights law. It is not the same as government responsibility, but there is a ‘duty to respect.’ Resisting and challenging overbroad government demands is certainly part of that obligation.”
Read More By Sam Pfeifle:
First PCLOB Meeting’s Ideas for USA PATRIOT Act; FISA Improvements May Affect Interaction with Private Industry
The Future of Data Dealer Is in the Balance
How UI and UX can KO privacy
IAPP Members in the News PRIVACY IN POPULAR CULTURE: This NSA PRISM Story Isn’t Funny … Except When It Is