privacy payoff


Upload: rashad-gonzalez

Post on 03-Jan-2016


Page 1: Privacy Payoff

Privacy Payoff

• Privacy definitions redux

– “The claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.” Westin

– “The extent to which we are known to others, the extent to which others have physical access to us, and the extent to which we are the subject of others’ attention” Gavison

• The problem of being misjudged (or judged out of context) or misdefined

Page 2: Privacy Payoff

Privacy Issues Often Involve Competing Values

• Rights versus duties

• Individual versus community

• Self-determination versus public welfare

• Confidentiality versus public safety

• Consider privacy with respect to Megan’s law or potential epidemics

• Consider the benefits of personalization through IT versus intrusive marketing

Page 3: Privacy Payoff

Three Kinds of Privacy

• Decisional Privacy – The kind of privacy intrinsic to a self-determined autonomous life.

– J.S. Mill “…the principle requires liberty of tastes and pursuits; of framing the plan of our life to suit our own character; of doing as we like, subject to such consequences as may follow: without impediment from our fellow creatures, so long as what we do does not harm them, even though they think our conduct foolish, perverse, or wrong.”

– At issue are choice of friends, religion, jobs, hobbies, etc.

Page 4: Privacy Payoff

Three Kinds of Privacy

• Informational Privacy – the control we have over information about ourselves

– How do we experience the loss of that control?

• Local privacy – having physical space where we can be alone and unobserved (a private home)

• How do these three kinds of privacy complement each other?

Page 5: Privacy Payoff

Positive and Negative Liberty

• Negative liberty – freedom from government or commercial intrusion

• Positive liberty – “I wish, above all, to be conscious of myself as a thinking, willing, active being, bearing responsibility for my choices.”

• How do the three kinds of privacy relate to positive and negative liberty?

Page 6: Privacy Payoff

Europe Compared to the US

• European privacy concerns tend to be directed toward business intrusion on personal privacy.

• US concerns tend to be directed toward government intrusion.

• Differences with respect to bias toward governmental regulation versus free market

• The US has no comprehensive privacy law, no agency charged with administration of privacy law.

Page 7: Privacy Payoff

Global Privacy

• US – Privacy Principles, 1974 Privacy Act, ad hoc privacy laws, e.g. Video Privacy Protection Act, CAN-SPAM, no independent oversight body

• Canada – National Privacy commissioner and provincial commissioners, Human Rights Act, sector laws

• Europe - Council of Europe

Page 8: Privacy Payoff

Transnational Governance of the Internet

• Now governance is ad hoc

– The problem of jurisdiction

  • Mice and elephants

  • France v. Yahoo

  • Australian firm v. DJ News

– Standard setting

– ICANN (Internet Corporation for Assigned Names and Numbers) and the DNS (Domain Name System)

• The EPD (European Directive on Privacy or more properly European Directive on Data Protection) could force more transnational agreement

Page 9: Privacy Payoff

Logic of the EPD

• Supports the creation of a unified European market

• Requires a minimum standard for protecting personal data

• When the standard is met, it increases the free flow of information

• By restricting data flows outside the EU, it prevents finessing the intent of the EPD by setting up off-shore data havens

Page 10: Privacy Payoff

Data Protections

• Includes Fair Information Practices

• The individual shall not be subject to decision-making based on the automated processing of data – e.g. decisions about work performance, creditworthiness, etc.

• Processing of sensitive data is prohibited – e.g. religious affiliation, political affiliation, philosophical beliefs, etc.

Page 11: Privacy Payoff

Article 25

• Transfers of personal data outside the EU are permitted only if the country ensures an adequate level of protection.

• What is adequate?

Page 12: Privacy Payoff

Insuring Compliance

• Each EU nation must have a privacy agency with:

– Investigative powers

– Powers of intervention

– Power to engage in legal proceedings

• There is an institutional means for coordinating among the fifteen nations in the EU

Page 13: Privacy Payoff

Effects of the EPD on US Firms

• Potential large compliance costs

– Depends on existing privacy practices for the firm

• Because of existing US practices, data transfer for some sectors may face a credible challenge

• Are there potential benefits from compliance?

Page 14: Privacy Payoff

Canada and PIPEDA

• Personal Information Protection and Electronic Documents Act – consistent with FIP

• Support of Jon Gustavson, President of Canadian Direct Marketing Association

• Privacy Commissioner given authority to launch investigations, publicize violations, and initiate legal action

Page 15: Privacy Payoff

Adversaries or Partners

• Customer and personal data is a raw material to be refined and exploited

– Spam, pop-up ads, junk mail, data mining, etc.

• Partnerships between consenting firms and customers will yield mutual benefit

Page 16: Privacy Payoff

Loyalty and Retention

• Customer loyalty results in higher retention rates

• By increasing customer retention 5%, a company will increase its profits from 25% to 95% (Reichheld, HBR)

Page 17: Privacy Payoff

Research Model for Privacy, Trust, and Loyalty

[Figure: research model diagram; labels: Benevolence, Integrity, Ability, Trust, RTR]

Page 18: Privacy Payoff

Results

• The fair privacy policy engendered greater trust – the firm with the fair policy scored significantly higher on benevolence, ability, integrity, and overall trust.

• Respondents said they would be more likely to:

– Purchase more products and new products from the firm with the fair privacy policy and

– Provide truthful information to the firm with the fair privacy policy

• Respondents said they would be more likely to switch from the unfair company to the fair company for competitive products

• Respondents were more concerned about the unfair company’s use of their PII for solicitations and as a means of manipulating them

Page 19: Privacy Payoff

Cost of Privacy

• Studies aimed at showing that the cost of privacy is prohibitive estimate costs between $9B and $36B

• Estimates are likely too high

– Many companies have already addressed some concerns, e.g. Y2K

– Costs based on large firms

– Costs based on extreme view of necessary compliance

– Assumes no economies of scale

Page 20: Privacy Payoff

Privacy Infringement as an Externality

• Privacy infringement costs borne by the individual

• If costs borne by firms, they will be passed on to customers

• Litigation costs

• It is socially desirable to eliminate externality when the cost of doing so is less than the damage caused

• Building in privacy protection to new products and services rather than dealing with privacy implications after damage occurs

Page 21: Privacy Payoff

Privacy Audits and Privacy Seals

• Privacy Risk Assessment

• BBBOnline, TRUSTe

• Safe Harbor certification

Page 22: Privacy Payoff

Chief Privacy Officers

• Privacy & American Business

– Are privacy issues a passing fad or are they here to stay?

• Why appoint a CPO?

– Is the position cosmetic?

– Privacy issues are cross-functional and require coordination across external constituencies.

Page 23: Privacy Payoff

What does a CPO do?

• Internal data and software management

• Product development

• Development of a Privacy Policy

• Legal and Governmental compliance

• Training and Education

• Customer advocacy

• Employee advocacy

Page 24: Privacy Payoff

CPO Qualifications

• At what level should the CPO report?

• What training is appropriate?

• What experience is appropriate?

Page 25: Privacy Payoff

Canadian Firms compared to US Firms Privacy Practices

• US firms more focused on risk management, Canadian firms more focused on the value of privacy as a differentiator

• US firms more focused on security, and protection from hackers – Canadian firms more customer centric

• Canadian firms more focused on data control procedures, 3rd party vendor compliance, data quality, and attention to trans-border data transmission