Hard for me to believe, but it’s now been a year since we rolled out Perspectives, our very first blog here at the IAPP. As an organization, we were veering into uncharted territory, but our ultimate purpose was and continues to be to provide a forum for the difficult or practical or funny or just plain outlandish privacy conversations to play out.
Just before Christmas, we posted our top ten blog posts of 2013—all based on page views. But now that a full calendar year has gone by, I thought it worth looking back with a bit more nuance.
A lot of stories were told during this last year—166 to be exact—ranging from the hilarious to the serious to the practical. And driving many of these stories were privacy news developments that will resonate for years to come.
The News Breakers
Early 2013 started with a sad note. The passing of pioneering privacy scholar Alan Westin was a huge loss for our community. Luckily, his influence is all around us.
And, perhaps one of the biggest topics on the mind of many privacy pros early on in 2013 was the state of the proposed EU data protection regulation. Were the EU and U.S. going to find a way to get along?
In his first post for Perspectives, Wilson Sonsini’s Christopher Kuner put the EU-U.S. privacy relationship this way:
For someone who has received his legal education in both the EU and the U.S., and has long worked in both worlds, the current political skirmishes between the two concerning the proposed EU data protection reform have been both entertaining and disappointing. Entertaining, since observing the two largest political and economic entities in Western world engage in a game of one-upmanship over which has the best system for privacy and data protection can often be amusing. Disappointing, because it is obvious that each side has an imperfect understanding of each other’s system, and because the energy they have been putting into such tit-for-tat battles could be better spent trying to reach an accommodation between them.
By May, Kuner described a tense conversation between a U.S. company representative and a European data protection authority.
Company representative: Your data protection law is making it impossible for us to offer our technology in Europe!
DPA: It is your technology that has to adapt to our legal system, not the other way around!
And these tensions existed prior to the Summer of Snowden!
Yet, before the world became better acquainted with the NSA’s surveillance programs, we here in New England, and those of us in the office, were struck by the senseless events at the Boston Marathon. My colleague, Jennifer Saunders, had the right words for such a shocking time. It was a day to “put privacy aside.”
With personal perspective in check, the booming digital economy and all the information flows and privacy concerns that go with it, kept churning.
And then an unknown government contractor came along and turned the privacy world on its head. By far, the privacy news bombshell of the year, the NSA disclosures and their effects ripple as strongly today as they did last June.
With memories of the Marathon bombing still fresh and these new leaks showing the extent to which U.S. intelligence spied on individuals, I wrote about the tough choices between balancing security and personal privacy and information sharing with data protection. Since then, “Snowden” has appeared in 23 Perspectives posts and “NSA” in 38.
Peter Swire was the first to provide reaction to the Snowden disclosures on Perspectives by calling on the newly “stood-up” Privacy and Civil Liberties Oversight Board (PCLOB) to make investigating these surveillance programs a top priority. Well, the PCLOB did make such an investigation a priority, and just last month, declared its opinion that the phone metadata programs are illegal. Swire was also later appointed by President Barack Obama to help put together a set of recommendations on U.S. intelligence gathering.
Eduardo Ustaran followed suit and gave us a European perspective, assessing its impact on EU-U.S. data flows. If you thought it was difficult before, things went from an “exasperatingly awkward challenge” to a “massively distorted” debate post-PRISM. He later expressed caution after the LIBE Committee recommended data flows out of Europe cease.
And Steptoe & Johnson’s Jason Weinstein brought up the contentious cloud provider issue, while, in his post on The Brussels and Warsaw Privacy Peace Talks, Hogan Lovells’ Christopher Wolf kept us abreast of the latest developments between the EU and U.S. He also didn’t mince words when wondering aloud if the LIBE Committee had just “torpedoed” the Safe Harbor.
Andrew Clearwater pointed out in one of his posts that the revelations now place another layer of pressure upon tech companies to either comply with government subpoenas or sever the trust of their customers. (I’m also proud to say this post included our first animated GIF.)
The NSA news also prompted Mozilla’s Alex Fowler to pen an open letter to privacy professionals calling for a code of ethics:
As privacy professionals, do we have ethical obligations to the people whose data is our professional responsibility, or only to our employers? How do we handle conflicts of loyalty that arise? Does public safety trump privacy in every case and in any circumstances? Do we have obligations to report—even secretly, under legal requirements—our objections?
The Privacy Profession
K Royal, of Align Technology, also asked whether privacy professionals should carry a code of ethics—a question that perhaps doesn’t have a clear or easy answer. But as a professional organization there is nothing we take more seriously than the privacy profession. And in this past year, we’ve received insightful analysis and thoughts on becoming and charting a career as a privacy pro.
Take, for example, Emma Bulter’s post on “What Makes a Good Privacy Professional?” or Phil Lee’s explanation of “Why I Became a Privacy Professional—And What Privacy Means.” Not only has this been a forum to share these most fundamental constructions of the privacy profession, there have also been opportunities to share experiences while on the job.
Royal, for example, shared her experience leading her company’s charge into Binding Corporate Rules, or what the heck you should do if you get an investigatory letter from the Office for Civil Rights. Mary Ellen Callahan let us into her “whirlwind excursions” around the world to discuss privacy.
And with experience, also comes other helpful tips.
Avepoint’s Dana Simberkoff, not long after the other big privacy news event—the Target breach—shared with us top data privacy tips. Similarly, the Online Trust Alliance’s Heather Federman, “in honor of the 2014 Data Privacy Day,” gave us 14 tips to create a data incident plan. Omer Tene and Marc Groman shared top tips on the protection of privacy for small- to medium-sized businesses.
With so many breaches stemming from thumb drives, Daniel Horowitz reminded privacy pros, “The bottom line is that organizations that collect personal information need to have mature privacy programs, which includes proper policies and procedures, and also fully functional enforcement mechanisms.” Others, including Intel’s Ruby Zefo and Wiley Rein’s Kirk Nahra, delved into the privacy issues around your co-workers and employees.
Marty Abrams has shared two over-arching posts for the privacy profession on the importance of accountability, and just this week looked at the debate between compliance and strategy, arguing that the privacy office needs to take part in a strategic development.
As Abrams pointed out, the profession is changing. R. Jason Cronk asked if 2013 was the year of the privacy engineer, while Peter Swire and his wife Annie Anton called on privacy lawyers and engineers to get along.
Allen Brandt shared ideas on creating user-friendly privacy policies, while Michael Bruemmer debunked perceived myths about cyber insurance. And for the public sector, Westin Research Fellow Dennis Holmes gleaned six practical privacy tips from the Department of Homeland Security annual report. No small task, I assure you.
The value of the privacy profession has been further bolstered by the invaluable research of Dierdre Mulligan and Kenneth Bamberger with their “Privacy on the Ground” series. They were kind enough to share three installments of their work with us in 2013.
The in-depth research of Ilana Westerman and the folks at Create with Context (CwC) has also been serialized on Perspectives. Through detailed and creative research on consumers, CwC helps examine consumer attitudes toward privacy and explain what privacy professionals can do within their organization to tailor organizational needs with gaining the trust of their customers.
And privacy has far-reaching consequences beyond the protection of personal data. We saw this with the thoughtful take from Cherri-Ann Beckles on the consequences of implementing the Right to be Forgotten on research and archiving.
Creative research was also on display by Karen Levy and her work on relational data and how data is shaping our most intimate relationships.
The Social Stuff
And this rise of digital technology and the social web is fundamentally changing the way we interact with one another. Whether we’re talking about netiquette or social media experiments or how our personal privacy disclosures affect the privacy of others, however you slice it, difficult questions are being asked, debated, played out and answered.
Hate speech and online anonymity are proving to be a difficult balancing act. We want some modicum of anonymity online, but too much allows hateful people to hide behind a mask. Trolls are everywhere, ready to set in motion damaging photos out of hatred and ignorance. The work of some has even caused people to lose their jobs or scramble to reconstruct their online reputation.
And what about social media in highly regulated organizations like hospitals or financial institutions? Valita Fredland helped tackle the healthcare issue with some unorthodox thinking.
And, as Stanley Crosley reminded us, let us not forget what we can learn about privacy from our children.
With shifting social norms, and a new generation being raised in the 21 century, the rise of the Internet of Things and Big Data are creating robust and very necessary debates. And regulators are paying attention. In recent weeks, we’ve featured posts from the New Zealand Privacy Commissioner’s office and from Interim Privacy Commissioner of Canada Chantal Bernier. And several contributors have debated who the de facto privacy regulator is here in the U.S. (here, here and here).
Businesses, advocates, privacy professionals and the government are all taking part in the digital privacy conversation.
The classic “privacy is dead” refrain has made its way into Perspective several times. But more specific and hugely important debates have recently been taking place regarding the role of the Fair Information Practice Principles (FIPPs).
Are ubiquitous connected devices and machine-to-machine communications diminishing the practicality of notice and consent? Some say “consent is dead” and continuing to promote it is simply dangerous. Ontario Information and Privacy Commissioner Ann Cavoukian has chimed in, noting that the FIPPs—all of them including notice and consent—are as strong and necessary as ever. Prof. Viktor Mayer-Schönberger also responded. The debate has also included the “privacy crazies” and warnings not to get “privacy twisted.”
And just today, Intel’s Zefo, with certain charm and wit, reminded us that, no, it may be freakishly changing right in front of our eyes, but privacy’s not quite ready to be counted out yet.
Hopefully, as we move into this exciting and challenging future—fraught with complex international frameworks, surveillance and civil liberties concerns, incredibly smart and predictive technology and changing laws and social norms—such a debate and conversation will continue.
And to all of you who have contributed, thank you. To those of you who would like to contribute, please reach out. I look forward to working with you all on this ongoing and important conversation.