Privacy on the Books and on the Ground Kenneth A. Bamberger & Deirdre K. Mulligan University of California, Berkeley School of Law and School of Information Deirdre K. Mulligan Department of Commerce, May 7, 2010


Privacy on the Books and on the Ground

Kenneth A. Bamberger & Deirdre K. Mulligan

University of California, Berkeley

School of Law and School of Information

Deirdre K. Mulligan

Department of Commerce, May 7, 2010


Regulating for Privacy

I. The Conventional Debate over privacy regulation “on the Books”

II. Our Empirically-Based Project: privacy “on the Ground”

III. Policy Implications?


I. The Conventional Debate – Critiquing U.S. Law

• Fragmented, under-inclusive, disconnected from rights framework, ill-defined

• 1995 study of corporate practices

- systemic inattention & lack of resources

- policies “non-existent” or not followed in practice

- Low-level attention

- Attributes failures to “ambiguity” regarding the legal meaning of privacy and legal requirements

• Advocates and Academics Push European-Style Regulation

– comprehensive, unambiguous mandates


II. Our Project

• Revisiting Privacy “on the Ground”

• Sea change since 1995

• Empirical Component

» Chief Privacy Officer Interviews

» Document Internal Practices

» Enforcement Studies

» Revisit Descriptive Account


Privacy on the Ground

• First Data from Qualitative Interviews with Leading U.S. Chief Privacy Officers

– 9 CPO leaders (per the information privacy community)

– Cross-Industry

– Semi-structured interviews

– Baseline for a large-scale survey of privacy practices in other U.S. firms

– Striking uniformity as to three elements


U.S. CPO Responses

(1) The Limited Import of the Rules and “Compliance” to Privacy

(a) Compliance as a “starting point only”

(b) The shortcomings of FIPPS procedures in guiding decisions in light of ubiquitous computing


U.S. CPO Responses

(2) An Alternative Conception of Privacy

Protecting Consumer Expectations/Avoiding Harm to Expectations

• “consistent with customer or individual expectations”

• “Do they get the heebie jeebies, you know? Is it kind of creepy?”

• “[H]ow likely, is a customer going to be comfortable using our service in the future?”

• “Trust, trust, trust, trust.”


U.S. CPO Responses

(2) Alternative Approach to manage P as CE – From Compliance to Risk Management

• Evolving, dynamic and contextual

• “looking around corners”

• “the next thing that’s coming down the pike because if you get caught unawares, you’re behind the ball”

• “Privacy is how you apply information usage to new contexts, whether it's the creative marketing, or a new product you want to develop, so it's very contextual.”

• I want to keep changing the way we’re doing business so it is dynamic, so we are, you know, trying to mitigate the risk of the day while keeping our core program in place. And so we’re changing . . . I don’t keep [processes the same] the same.

• Implications for Internal Structures (Separate Paper)


U.S. CPO Responses

(3) External Influences on Privacy’s Conception

– Federal Trade Commission consumer protection authority

– State Data Breach Notification Laws

– Professionalization and Networks


A New Account of U.S. Privacy Law

“New Governance” at the Federal Trade Commission

Exploiting Regulatory Ambiguity

Soft and Hard Guidance

Workshops, White Papers and Roving Enforcement Powers

A site for Advocates

Comparisons with Europe


Policy Implications


Broadening the Conventional Debate


Take account of law in practice and on paper

Concern with substance and form

Rules v. standards + enforcement

Power of civil society + market in regulatory context

More to the story than:

• “Omnibus” privacy laws

• robust procedural protections

• dedicated data privacy commissioners

• Piecemeal regulation by sector; much left unregulated

• No dedicated regulator

• Reliance on corporate self-regulation


Policy Implications

. . . for the Substantive Debate Over Privacy Regulation

- Recognizing technology shifts

- Recognizing context

- Overcoming collective action/behavioral problems with assigning privacy to individual choice


Beyond Conventional Debate

“Informational Self-determination”

through process

“notice and consent”

EULA/TOS


Policy Implications

. . . Contextually grounded expectations

what expectations do consumers as a whole bring to the table

But I do have an expectation of privacy when it comes to my e-mail, and I think that even in this age of social-networking TMI, most people still think of e-mail as a safe place for speaking privately with friends and family. And for Google to come along and broadcast that network to the world without asking first—and force you to turn it off after the fact—is, I think, both shocking and unacceptable.

Molly Wood, CNET


Policy Implications

. . . for the Debate Over Privacy’s Form

Regulatory Specificity vs. Ambiguity

Empowering those inside organizations

Bottom-up and top-down policymaking

Normative conservatism in the face of technological change


Questions


Bamberger, Kenneth A. and Mulligan, Deirdre K., “Privacy on the Books and on the Ground,” forthcoming Stanford Law Review, Vol. 63, 2010

Available at SSRN: http://ssrn.com/abstract=1568385

Support

Rose Foundation, Consumer Privacy Rights Fund

TRUST (The Team for Research in Ubiquitous Secure Technology) National Science Foundation

NSF CCF-0424422