Key Topics in Privacy Leadership Today
Justin Antonipillai, CEO and Founder of WireWheel, moderated the panel, which also included Daniel Solove, President and CEO of TeachPrivacy, a computer-based privacy and security training company; Jocelyn Aqua, Privacy and Ethics Leader at PWC; Alexandra Givens, President and CEO of Center for Democracy and Technology, a nonprofit that focuses on protecting civil rights and civil liberties in the digital age; and Nishant Bhajaria, Head of Privacy Engineering and Assurance with Uber.
Siloed organizations are part of the problem
The conversation began by exploring the challenges of bringing technology to the table to help solve some of the problems, but more importantly, bringing together leaders across an organization to better handle privacy issues. One of the key issues raised was the necessity to get lawyers and engineers talking to each other to enhance efficiencies and foster better privacy practices across the board. “As an attorney … you’re asking yourself, ‘What are my engineers not telling me? What do they not know?’ The engineers are [thinking], ‘Now I have this new privacy thing dropping on my head … at the last minute,’” said Bhajaria.
Against this backdrop, with siloed organizations attempting to grapple with the complexities of privacy regulation, there are also ever-tightening budgets with their own requirements, along with executives and higher leadership who may not fully grasp what’s going on in the world of data privacy and regulation.
Since this is a typical challenge most teams face, the next question becomes: how do you effectively build a privacy program with the right tools, framework, and processes all while being able to scale with time as more regulations come about?
Nishant went on to point out that it’s imperative to get the legal teams and engineering teams talking if privacy issues are to be adequately addressed. “First up, [there’s] this false myth that engineers don’t need to understand privacy law,” Bhajaria said. “And [this notion that] attorneys don’t need to understand engineering needs to be put to bed as soon as possible. … I expect attorneys to take an interest, I don’t need the attorneys to write code necessarily but understand how data flows to a system.”
Bhajaria believes that another pillar necessary to help companies grapple with privacy issues is to implement adequate technology—to centralize disclosures, scale the system, and make it as simple as possible. That way, engineers can focus on making better products, and worry less about getting into legal hot water. Whatever direction companies take, Bhajaria believes that it’s imperative to at least get something rolling.
“Getting started is a bit like working out,” he said. “The first mile is hard but by the fifth mile you are burning through the calories pretty quickly.”
The role of the privacy expert is shifting
According to the panelists, privacy leadership has evolved over the past few years. Leaders are now more than just subject experts on legal requirements; they are becoming solution leaders who facilitate the use of technology to automate privacy in fluid environments and encourage their employers to move away from old models. “Being a privacy leader requires thinking about [privacy] less as a check and challenge, and more about [solutioning] from a ‘privacy by design function,’” noted Jocelyn Aqua.
Aqua stressed that most companies try their best to be compliant, despite the complexities of having to work through a global privacy framework. The key, however, to getting to a “privacy by design” mode is to lean on technology.
Dan Solove also believes that the time is right for more privacy regulation, driven in part by new technology and marketing strategies, such as dark patterns, which are techniques that websites or apps use to trick consumers into making purchases they don’t want. “Previously, regulating design was a big no-no because that would step on the shoes of engineers—and policymakers were always hands-off,” he said. “But [legislating] now seems to be fair game with the emergence of things like dark patterns. I think we are entering a new realm where this is going to become a new element in privacy laws as they evolve.”
Be proactive: Don’t wait for legislation
With so many privacy laws proliferating—at the state and global level—it appears that the legal landscape will not become clearer any time soon. Data privacy regulation continues to gain traction with state legislatures, however, primarily because people are beginning to demand more action from policymakers. “My hope is that the [enthusiasm in the states] sends a message to folks on Capitol Hill that the energy is really out there and we need to get serious about the conversation,” said Givens.
However, the general consensus is that it’s not enough to wait for state—or federal—governments to take action on privacy. Rather, companies are urged to adopt their own stringent privacy protocols in anticipation of legislation. “Do not wait for privacy legislation to hit you because you don’t get to dictate when it comes or its applicability to your company … build something that takes the best of what matters [to your company and your clients],” said Bhajaria.
Bhajaria urged companies to build their own approach to privacy, perhaps based on the best aspects of GDPR and CCPA, among others.
The panelists agreed that it is in the best interests of companies to get out ahead of any pending legislation, in part because the pace of change, fueled by advances in technology, may make it difficult—if not impossible—to keep up with privacy issues. “Until there are regulations to address some of the new areas, building out a foundation to withstand new technologies and emerging issues is really important,” said Aqua. “It is really important not to just wait for legislation.”
That said, as technologies evolve, so will the approach to privacy. The panelists agreed that it’s unreasonable to put the burden on the consumer. The standard seems to be shifting, with companies warming up to the idea of baking the concept of privacy into their business model, rather than viewing it as an onerous legal hurdle. “One of the things that really matter to me and [the Center for Democracy and Technology] is making sure that—once and for all—we are putting behind us the notion that notice and choice is the governing paradigm,” said Givens. “And we’ve seen really good movement in that conversation, even from Republican-appointed Commissioner at the FTC.”
The implication of the TransUnion decision
The recent TransUnion decision limits the ability of individuals to bring a privacy case before the Supreme Court—even if (or when) a federal privacy law is adopted. Dan Solove views the decision as a potential roadblock for putting together any kind of effective, comprehensive federal privacy law. “I think [having the Supreme Court limit the ability to bring a lawsuit to those with a concrete injury as a result of a privacy violation] is a troubling decision,” he said. “It means private rights of action in federal laws can be limited in certain ways by courts using the standing doctrine.”
However, he does note that the decision, while far from being ideal, won’t have any effect or standing on states and whatever individual privacy regulations they may enact.
The upshot, according to the panelists, is that while the TransUnion decision may not be a good one, it may not matter in the end. Privacy legislation is a rising tide, and it’s in the best interests of companies to recognize this fact. “The implication is that until people feel comfortable with how their personal data is being handled and they’re comfortable with privacy, there are going to be more and more privacy laws—it’s an itch that’s going to keep being scratched and I think that industry is coming around to this realization,” said Solove.
Givens agrees. “I think the biggest takeaway is that this really ups the stakes for conversations around enforcement … Congress and the states will be focused on how to enforce people’s rights and how to narrow the impact of the TransUnion decision, which is a very narrow set of facts, to begin with.”
Federal privacy law in two years? Or five? A few predictions
How soon can we expect a federal privacy law? That question has been posed for several years now, and the panelists weighed in to make a few predictions.
“I’m going to be an optimist … this is the moment we are going to push forward for federal privacy legislation, and I hope we see change within the next two years,” said Givens.
Other panelists were not so optimistic. Bhajaria believes a federal privacy law might occur in five years but tempered that prediction with a cautionary note about the ability of business and government to arrive at a law that would—first and foremost—protect consumers. “I’m really hoping that there is some collaboration between government and industry on an ongoing basis to prepare for that moment,” he said.
Dan Solove was perhaps most pessimistic about the prospect of a federal privacy law coming to fruition, believing that at least 10 years is a more realistic time frame. “There are too many tough issues,” he said. “Preemption is incredibly tough, private right of action is incredibly tough. Then we go into other thorny issues like right to deletion, and so on.”
In the end, the momentum will be driven by the consumer and the possibility of bad press for corporations, not by the economic interests of business or government, according to Alexandra Givens. “These issues aren’t going away,” she said. “People are paying attention. Consumers are paying attention and companies really need to be on the right side of this—ahead of time—before there’s a bad story in the newspaper or a regulator coming after them.”