On February 6, the State and Local Government Law Section of the American Bar Association sponsored a panel at the Midyear Meeting titled "Privacy in the Digital Age – Is There Even a Barn Door Left to Close?". Our very own Ron Raether was pleased to participate in the discussion in which three differing perspectives on privacy were presented: government, industry and that of the consumer, or public policy.
The government lens was represented by Joyce Yeager, assistant attorney general from the Missouri Attorney General's Office, and Lyman "Chuck" Taylor, deputy attorney general for Indiana's Office of the Attorney General. Hearkening back to the days of civics classes when we learned about the three branches of government, I'm reminded that the attorneys general are part of our executive branch and are charged with enforcing our laws, rules and regulations. So it comes as no surprise that Ms. Yeager's and Mr. Taylor's positions reflect that businesses dealing with privacy data are best served by proactively policing themselves and implementing policies and procedures to minimize the risk of data breaches. Self-policing will help to reduce the possibility of facing legal action by a state attorney general's office or worse, the Federal Trade Commission. Yeager suggested that companies avoid data collection if it isn't needed because the consequences could be dire. Simply put, if you play with fire, you could get burned. As we have blogged here before, planning for privacy up front keeps companies ahead of the compliance curve before products hit the marketplace. Taylor also observed that the issue of privacy is complicated because expectations are constantly evolving. The problem facing businesses that deal with privacy data is that the laws they must operate within cannot evolve fast enough to keep pace with the ever-changing privacy expectations of consumers. Therefore, they risk the wrath of government intervention while trying to stay on the cutting edge of what their customers want as consumers' expectations change.
The industry viewpoint was represented by Jerry Jones, Chief Ethics and Legal Officer for Acxiom Corporation, and Ron Raether. Jones' comments continued to reflect the theme that technology is moving faster than the law can keep up when it comes to digital privacy, noting that, "if [he] just focused on the law, [he'd] be behind." Not a good position to be in when you consider Acxiom is the largest processer of consumer data. Acxiom is no stranger to the perils of data collection and the fallout from a data breach. It was the unsuspecting victim of a data breach that spanned two years at the beginning of the turn of the new millennium which, surprisingly, was due to a lack of encryption of their data. Raether keenly observed that there has not been a lot of movement in the privacy debate or in possible solutions. Consumers want "choice, accuracy and security," while industry wants "certainty, profitability and goodwill." The solution, he proposed, would be a uniform set of privacy principles for consumers, and companies can agree to abide by them. This would be a good balance to strike between the fast-evolving privacy expectations of consumers and the slow-to-evolve nature of the legislative process.
The public interest group's perspective was represented by the Electronic Frontier Foundation ("EFF"); a non-profit digital rights group started twenty-four years ago in San Francisco. EFF has been an advocate for the privacy rights of individuals since the wave of online communication began to grow in the 1990's, and served the ABA panel by representing the perspective of the group at which government and industry meet: the consumer. EFF's Nate Cardozo observed that technology companies have recognized the need for privacy before other types of companies. This is not surprising when you consider the growth of social-media over the last ten years and the amount of personal data consumers put out there that is used by the technology industry. Furthermore, these technology companies quickly get consumer feedback on their products and services from the consumer and thus have the ability to quickly respond and adapt to changing customer needs and concerns, including those involving data protection.
The constant in the privacy debate, as observed by the panel, is that privacy expectations evolve much quicker than the laws, rules, and regulations that govern them. Thus, at least in the realm of digital privacy, it is inevitable that the need to review and amend our laws and bring them current with the state of our privacy expectations will never go away. Interestingly, and fortunately for any business operating today, the Fair Information Privacy Practice Principles still serve as a firm foundation for any business collecting, storing, using and sharing personally identifiable information. The more things change, the more they stay the same. Perhaps any agreed-upon industry framework as described by Mr. Raether will include these very principles. Until then, as we have discussed many a time here on our blog, privacy and security compliance need not be onerous, overwhelming, or expensive. However, it does need to be done (and preferably before your next data breach). A principled approach is the way to start, regardless of your perspective.