I find a certain irony in the current ubiquity of privacy-related topics when the concept was once defined (and not by current European thinking, but more than 120 years ago) as the “right to be let alone,” in “The Right to Privacy,” by Warren and Brandeis, 4 Harvard L.R. 193 (Dec. 15, 1890). Nonetheless, I could not wait to attend the IAPP Global Privacy Summit in Washington, D.C., for the first time this year.
The days were filled with snow chaos, certification training and CIPP testing (on Friday afternoon at 2pm-5pm!), an exciting reception and other great networking opportunities — including a group of about 15 brave individuals meeting up at 6:30am on Friday morning to go for a run. In between all these activities were plenty of good programs to attend, and there can be no doubt that privacy in M&A transactions, cloud computing, HIPAA and international data transfers, to name just a few, will all feature prominently in the privacy discussions of 2013. But my personal Top Three privacy trends are:
1. BYOD Is Here to Stay
It is no longer a question of whether companies will permit their employees to use their personal devices for work purposes; the remaining issue is how to implement a BYOD (bring your own device) policy to strike the right balance between convenience for the employees and data security for the company. Employee education, beta testing, accurate recording of work time for non-exempt employees, company access to employees’ personal information and remote wipes are only some of the buzzwords surrounding the implementation of BYOD.
2. Social Media
Facebook inevitably comes to mind when talking about social media. And, not surprisingly, the rather difficult relationship Facebook enjoys with a number of the German data protection authorities was a recurring theme at the conference. It was therefore interesting to see Facebook’s Erin Egan, Chief Privacy Officer, Policy; and Edward Palmieri, Associate General Counsel, Privacy, discuss Facebook’s business model and its approach to protecting user privacy. Many of the technical details of how Facebook connects advertisements with targeted users were fascinating at the time, but quickly forgotten afterwards. Two key issues, however, remain to be shared:
- The hopes of some users, including yours truly, of Facebook permitting anonymized accounts were dashed comprehensively.
- Your privacy settings may protect you from oversharing with the Facebook community, but Facebook will always consider you a target for advertising, regardless of how “private” your settings are. The amount of advertising will obviously vary based on, among other things, your embrace of the new graph function — but it’s not to be avoided entirely. Alas, I will continue to scroll patiently past the handbag ads for which I seem to be a prime target.
3. EU Privacy Regulation
A very popular program for many of the European conference attendees was a conversation with Peter Schaar, the head of Germany’s federal data protection agency. He left no doubt about the broad political support the regulations enjoy among the majority of the European Union’s member states. Mr. Schaar also confirmed my concerns that the concept of a “one-stop shop” and the related determination of the lead data protection authority will be an issue of contention for Germany, which will likely result in the proliferation of the already impressive administrative apparatus created by the European Union. But at the moment, a superauthority tasked with the resolution of conflicts among the national data protection authorities seems to be the only workable compromise. Finally, addressing questions related to the expanded extra-territorial reach and enforcement actions against data controllers without a permanent establishment in the Union, Mr. Schaar expressed his belief that the significantly increased fines will be sufficient to encourage broad compliance.
What connects these seemingly unrelated trends is the realization that the scope of privacy obligations broadens by the minute. Whether this requires establishing a simple social media and BYOD policy or the daunting implementation of a global data privacy compliance program will vary greatly depending on a company’s business model. While the threat of an enforcement action is an undeniable incentive for compliance with privacy obligations, a company should mainly consider that its ability to provide adequate protection for its customer or employee data will provide a significant competitive advantage.