Speaker 0
0:10 – 0:14
Welcome to Tech Talk by CDT.
Speaker 1
0:15 – 1:25
Welcome to CDT's Tech Talk, where we dish on tech and Internet policy while also explaining what these policies really mean to our daily lives. I'm Brian Wasilowski, and it's time to talk tech. This week, we have two incredible guests, Ken Bamberger and Deirdre Mulligan from the UC Berkeley Center for Law and Technology. They're the co-authors of a new book, Privacy on the Ground, and Deirdre just happens to be CDT's board chair. Welcome to Tech Talk, Deirdre and Kenneth. Thanks. It's good to have you here. Both West Coasters. We don't get too many visitors from the West Coast. We're really happy to be here. Great. So in your book, you examine privacy in five different countries, exploring how the protection of privacy actually works on the ground there. It's pretty impressive. It's also an impressive amount of research that went into the book. You have 75 pages of notes and a bibliography to prove it. And this was actually the type of book that, when I was in grad school, I loved to read, because it was like that surprise where you're like, yay, 75 pages I don't actually have to read. So first, tell me what motivated you to do this research and then to write this book. What are the questions you were hoping to answer?
Speaker 0
1:25 – 2:55
Sure. We were really interested in exploring the dominant narrative and unpacking it. You say, what's the dominant narrative? Well, as long as I've been in privacy, and as you know, I'm one of the folks who helped start CDT, and I had been in privacy a little longer than that, the story had been that the US was, particularly in the corporate sector, doing a very poor job on privacy, and that nothing would change unless we got a new free-standing entity that was going to be responsible for privacy, as they have in Europe, a data protection authority, and we got omnibus rules. So we got a set of rules. Yet we saw privacy officers being hired, and we saw boutique privacy practices in law firms, and we saw people in the technical community becoming interested in privacy, and there was a growing cadre of people who were called privacy professionals, and we saw professional associations emerging. And as researchers, it made us scratch our heads, because clearly there was something happening that was causing US companies (and we really started in the US) to invest some resources in privacy. And the question became, well, what are these people doing? What's motivating this activity in the corporate sector? And frankly, does it matter? Is it window dressing? Or when you look under the hood, is it making a substantive difference on privacy?
Speaker 2
3:09 – 3:32
The changes that Deirdre talked about happened despite the fact that there were no major regulatory changes. No new laws passed, in a comprehensive sense. So we thought it was really important to dig down and say, it's fine to have words on the books, but clearly, it's much more important to understand, whatever those words are,
Speaker 1
3:32 – 3:58
how they actually play out on the ground. And this is one of the, and I'm not giving anything away here because, you know, you just flip open your book and on the cover it gives one of the most surprising findings, I think. And particularly, the two countries, it's a little surprising. The United States and Germany, you say, have some of the most ambiguous regulation, but yet some of the strongest corporate privacy practices. Can you kind of unpack this finding for me a little bit? It seems a little counterintuitive.
Speaker 2
3:59 – 4:51
Well, the usual thing we think about regulation, and this dominant narrative about privacy, has been: if you create really specific rules and tell corporations what to do, and use the expertise that regulators have about privacy, you can actually engineer what corporations are doing on the ground and really get them to do it exactly right. It turns out that it's the opposite. That in fact, if you have a regulatory system that keeps companies on their toes, that actually makes the mandates a little more ambiguous as to what needs to be done to satisfy the law, you end up growing within companies an expertise about what privacy means. And we saw that happening in Germany and the United States.
Speaker 0
4:52 – 7:03
Yeah. So it is one of those things where, again, you scratch your head and you say, how did these two very different legal environments end up here? Because it's not just that they had what we think are the best practices, and we're gonna talk a little bit about why we think they're the best, most promising practices, but why they would have similar practices, right? Given the different rules. And some people say, well, Germany, their rules aren't very ambiguous. But the fact of the matter is that the way in which their legal regime operates is that they require responsibility for privacy to be played out by a data protection officer within the firm. So the regulators there, they don't call themselves regulators. They enforce, they advise. But the person who's really responsible on a day-to-day basis for figuring out what the law requires of the firm is that professional. And so in German law, professionalization was a regulatory choice very early on. In the US, the contrast is interesting, in that we don't have the adoption of an omnibus law that said you should have a privacy officer. But what happened is a mix of responses to the data protection directive, which gave us the safe harbor negotiation, which required somebody to be responsible for privacy if you wanted to ascribe to those principles, and a very activist new regulator emerging on the scene in the Federal Trade Commission. And there too, developing what some of our colleagues, Dan Solove and Woody Hartzog, have called the common law of privacy, which required firms to have somebody who is responsible for privacy, for identifying and managing a comprehensive information privacy program. So there too, a push for a professional. And the ambiguity in the external environment means you need a professional to navigate the kind of bumpy seas, and investing in that professional and growing the professional forces within the firm ends up with richer practices.
Speaker 1
7:03 – 7:27
One of the terms I saw in your book was compliance plus. And it was kind of like, you know, a very regimented system led to straight-up compliance. But then in these different models, you're seeing people go beyond mere compliance to more innovative approaches and, you know, consumer-protecting forms of privacy. Do you think that privacy is becoming like a business commodity now, something that's essential to driving and growing your business?
Speaker 0
7:28 – 8:17
Well, we think that there are important choices that can be made. And you don't have to have the same regulatory choices, but we think that there are regulatory choices, so both, you know, choices between rules and standards, and choices between whether you engage multiple stakeholders in the conversation about privacy or just the regulator decides, and whether and how you use your enforcement authority, that can help enact a culture that can drive privacy towards the place where we see the environment. And nobody would ever say, if you say, so are you good on the environment? They would never say, oh, we comply. They say, oh, yeah, we have a green program and we do this. And privacy is not there yet, but we think that there's the capacity, if we make good choices,
Speaker 2
8:17 – 10:18
to move closer. So let me tell you what we found about what compliance plus really means. What the best practices are that have developed in Germany and the United States, but that don't yet exist in France, in Spain, and in the United Kingdom. Really, these best practices involve two different things. First, an independent kind of privacy lead, privacy head, called the data protection officer in Germany and a chief privacy officer in America. And these folks are both independent from the firm, but also embedded deep within the firm. Mhmm. So they have loyalties and reporting requirements and responsibilities to forces that are outside the firm, whether they be regulators or activists or nonprofit advocacy groups or the media. And then they bring the knowledge that they get about privacy from the outside back into the firm. So that's one piece. This is what we call a boundary-spanning privacy professional. The second piece is privacy that's not siloed in a single office. It's not a bunch of privacy men and women sitting in the general counsel's office who don't interact with the rest of the firm. It's really a web of privacy activists, in a sense, people responsible for privacy within the whole company, within all of the units of the company, whether they be products or processes or marketing. There's somebody deep in there, buried in there, who's gonna be raising privacy issues and privacy red flags from the very beginning of the development of a process, of creating a product or creating a new business practice. And so it's those two pieces that create a kind of entrepreneurial privacy practice inside the firm. And one of the things we tried to find out is what you do on the outside to try to spur
Speaker 1
10:18 – 10:49
those best practices. And I'd love to go a little bit deeper into that. You know, you actually are so good that you anticipated my questions. So I don't even need to ask the one about, you know, kind of what you saw across the companies here. But what, you know, as a policymaker, what should you be thinking about now? Like, here in the US, we don't have, you know, baseline privacy legislation; in some countries you do. What are things policymakers should take from this book and say, okay, I should be thinking about this in my country? So I think one of the important takeaways,
Speaker 0
10:51 – 12:15
about the regulatory choices, is seeding and providing a platform for conversations about privacy's meaning on a continual basis. Right? So privacy, anybody who works in privacy knows there are multiple concepts of privacy. And how privacy plays out in a given context, right, to use Helen Nissenbaum's term, depends on a lot of factors. And one of the things that turns out to be very important is to make sure that the conversation about what are the privacy risks, what are the right concepts of privacy, what are the company's obligations, are conversations that are not just between the regulator and the company, or the company just talking to itself. Having folks like the great privacy thinkers at CDT and the ACLU and consumer protection advocates and academics in conversation creates a bit of a kind of high bar, where privacy continues to be this kind of big concept instead of something that gets kinda whittled down to the least common denominator that is easy to implement along firm practices. So it shakes things up, and that's one component.
Speaker 2
12:16 – 13:58
Deirdre points to a really big difference between what we thought of as the good countries and the countries that were still on the path to becoming good when it comes to privacy. Very diplomatic. Well done. Which is the notion of this very rich and diverse, again, what we might call boundary-spanning community of privacy experts and people involved in privacy within an entire privacy field. So in France, the privacy experts existed in one place, and that's in the CNIL, the French data protection regulator. And that's the French model. They figure out what they think data protection requires, and they articulate it in a downward fashion. In the United States and in Germany, you have a whole variety of locations for privacy expertise and privacy engagement. The nonprofit sector, which is so robust in the United States in really creating a dialogue around privacy. In Germany, the labor unions, who have, according to German law, a place on the board in the form of the works councils. So you have a variety of different players. And in both of those two countries, you have regulators who are much more into discussion. They involve outsiders. They involve industry groups. They involve consumer protection groups. And you end up having this broad dialogue about what privacy means that just doesn't exist in the remainder of the countries we looked at.
Speaker 0
13:59 – 14:07
And so that was one component. Another component is what we called, discipline... or what's our term? Disciplinary
Speaker 2
14:08 – 14:09
Transparency. Transparency. Transparency.
Speaker 0
14:09 – 15:54
It sounded a little kinky there for a second. So I was afraid, but yeah. Right. And what do we mean by that? So, people are always talking about transparency when we talk about privacy. Right? We want individuals to understand how their information is being used, etcetera. And both in the US and in Europe, we've had a tradition of requiring firms to provide notices, or in Europe to provide regulators with more naming, blaming, shaming forms of transparency, which are provoked by laws such as the data breach notification laws that require firms to say, hey, we had a privacy failure. Right? Or the big investigations that end up with changes in practices and fines, where there's transparency about privacy violations. Why are those important? Because privacy then becomes something that gets the attention of the board. It's not just a kind of failure on paper. It's a failure in the land of public opinion, and it affects the... In the newspaper. ...information. So that sort of disciplinary transparency around privacy was very important in escalating privacy and changing it from something that was viewed as a legal compliance function to a strategic issue that the board wanted to hear about. Mhmm. Shareholders cared about, and it kind of ricocheted throughout the kind of broader corporate community
Speaker 2
15:54 – 17:00
in ways that a legal compliance mandate just didn't. This disciplinary transparency did something really cool in the context of privacy. In a lot of contexts, you have a small powerful interest that really cares about a legal or social issue, and they can organize easily and put a lot of resources towards making an issue important, putting it on the social agenda. But with privacy, it's really hard to measure what the individual damage might be or the individual interests might be. And in fact, it affects all of us everywhere, in the United States, in Europe, in the whole world. In those contexts, it's really hard to organize around issues of privacy, and it's really hard to organize in ways that force corporate actors to change their behavior. What this type of transparency has done is really moved this issue by taking everybody's interests, combining them, and putting them on the front page of the newspaper in a way that finally makes boards attentive to the issue,
Speaker 1
17:01 – 17:28
in a way that also then forces companies to change how they act. I understand. As someone that works for one of those great nonprofits in advocacy work here, is there any message that we should be telling to consumers or, you know, to general people that may not be the privacy experts that you've talked about? Maybe a message they should take from this book, or something that they should be thinking about, an action they could take. It's a tough one.
Speaker 0
17:29 – 19:42
Yeah. For the general public. I think it is important, you know, that, I think that there are different ways in which companies come to have a social conscience about issues. And again, you can look at the environment as one. And certainly, consumer pressure and public pressure is a place that is distinct and important from regulatory interventions or the, you know, interventions by advocates and academics. And it's always interesting to see the way in which people kind of claim that they have a privacy problem or a privacy concern. And I think they often feel like nothing's gonna happen. Nobody's gonna pay attention. So they're reluctant to actually make their voice heard. And I think one of the things that's important to take away is that there are these privacy professionals, and if you let them know that you have a concern about their practices, or you've had a bad experience around privacy, that actually gives them leverage within the firm. Right? It brings... Good point. ...more credence to the strategic information that they're bringing in, and it amplifies their ability to affect the firm. And so as a consumer, I actually think it's worth it if you object to a firm practice or if you think something is good, because getting a firm to do something new, right, in, right, encryption, that was a cost. Right? And somebody had to fight for that. And you can bet that the chief privacy officer, data protection officer, was one of the warriors inside on that issue. And letting the firm know that you actually think that was a battle worth fighting, that that was an investment that was worth something to you as a consumer. You probably won't get to buy the thing, so you can't actually show them that you wanna pay extra for the encryption. But letting them know in other ways that it mattered, I think, is important for the kind of continual strength of those firm professionals.
Speaker 2
19:43 – 20:21
Yes. Strengthening these warriors within the corporation, these agents of public values around privacy and consumer protection, is really what it's all about. Whether you're a consumer or whether you're a regulator or whether you're an advocacy organization, giving them more power to take the dialogue that's happening outside the company, and the concerns that are expressed outside the company, and going in in a forceful way within the firm and saying, we've got to do things differently. That's what our book's about.
Speaker 1
20:21 – 20:49
Right. So I actually need to let these two go, because they are doing a book signing at CDT soon, a book talk and then a signing. If you want to be on CDT's mailing list, be sure to go to our website, www.cdt.org, and sign up for our newsletter to get on that. We do great events like this all the time. Any last thoughts from either of you two that we didn't cover in this, or maybe, you know, talk about what's the future for you two? There's gotta be more research. Right?
Speaker 0
20:50 – 21:16
Well, lots more research. I think I would just say that privacy advocates, organizations like CDT, organizations that can think nimbly about how they can effect change, that are interested in engaging in conversations about best practices, litigating, talking to regulators, and engaging the public, are an incredibly important part of the puzzle.
Speaker 2
21:17 – 21:19
It's the link that we have here in The United States
Speaker 1
21:20 – 22:05
that just doesn't exist in the same way anywhere else. Well, that makes me feel great. So the book again is Privacy on the Ground. Be sure to check it out. I'm sure it's available online for purchase. It would be a wonderful stocking stuffer. And if you read it, you would unquestionably be the smartest privacy person at your holiday party. So check that out. Thanks so much for joining Tech Talk, Ken and Deirdre. Thanks so much. That's it for this week's CDT Tech Talk. And if you wanna know even more about privacy and data beyond this incredible book, visit www.cdt.org. As always, tweet us any questions you have or topics you'd like us to cover to @CenDemTech. I'm Brian Wasilowski. Thanks for listening.