Pondering the Role of Privacy Lawyers: From Jerusalem to New York
During the final week of October and beginning of November, I attended two privacy events that were set far apart geographically and philosophically: the Data Protection Commissioners Conference in Jerusalem and the ad:tech conference in New York City. The Jerusalem event had a decidedly pro-privacy flavor, while at ad:tech businesses showcased myriad ways for monetizing personal information. Both conferences posed interesting questions about the future of privacy, but as a privacy lawyer I was more interested in learning and observing than engaging in the privacy debates. The events’ apparently divergent privacy narratives made me ponder where a privacy lawyer may fit on the privacy continuum between these two great cities.
In Jerusalem, regulators and privacy advocates from around the world called for greater privacy protections. A few industry representatives who suggested that the industry was doing a good job protecting privacy seemed to be drowned out by regulators and privacy advocates, as well as other industry representatives who took a decidedly pro-consumer view of privacy protection, seeing it as a good business practice. Participants discussed boxing businesses that stray from certain principals of processing personal information in public shaming, investigations, privacy suits and enforcement actions. Aside from Facebook, businesses that are fueled by collecting, using and sharing personal information seemed significantly underrepresented in Jerusalem. These companies are critical players in the information economy to which speakers and panelists often referred, but their take on privacy remains largely unpopular with regulators and privacy advocates.
Seemingly on the other end of the privacy continuum was ad:tech at the Javitz Center in New York City. For many New York lawyers visiting the lower level of the Javitz Center must be an eerie experience because this is where thousands of us took the bar exam. Fortunately, this time the basement was not filled with endless rows of beige tables and matching folding plastic chairs. Instead, businesses from around the world working in interactive advertising and technology field were exhibiting their ability to track users’ online activities, build user profiles online and offline, combine personal information from multiple sources into sophisticated marketing profiles, and help advertisers target individuals ever more precisely. Many of the companies have built detailed databases containing the profiles of tens or hundreds of millions of consumers. Walking the isles of the exposition, I tried to imagine what the Jerusalem conference participants would think of ad:tech. My gut feeling was that they would think they were in a parallel universe. Here, far from walking on eggshells around privacy issues, talented and enthusiastic entrepreneurs (some of whom I met in person), arguably had no qualms about collecting and using personal information to create business value. Looking at the vibrant sea of colors and people that filled the space, and experiencing the excitement of business leaders who told me about their companies, it was hard to argue with the innovation and enormous value these businesses bring to the economy. It would be unfair to say that ad: tech exhibitors had no concern about privacy of the individuals whose personal information drives their businesses. But to what extent these businesses are focused on privacy concerns such as those raised in Jerusalem, is an open question.
There clearly is a significant divide between how privacy was seen in Jerusalem and New York. I do not know if regulators, privacy advocates and the industry can easily bridge this divide on their own. I believe, however, that privacy lawyers can contribute significantly to building a bridge between these somewhat parallel universes. Privacy lawyers can do this in an old-fashion way, by helping the various stakeholders understand each other better.
Today, U.S. privacy lawyers are facing a complex legal landscape. While there are well-established privacy laws (for example, GLB, FCRA, HIPAA and state breach notification laws), overall, the privacy landscape is unstable and evolving, and combines many legal and non-legal challenges. A number of factors contribute to this complexity. For example, privacy is a hot topic that continuously garners publicity. Privacy advocacy groups and more recently journalists are on the lookout for privacy practices they deem unfair. As a result, companies’ privacy practices and mistakes are often exposed instantaneously to unpredictable results. Another factor is that personal information crosses national borders at the speed of light, whether between people and organizations sending and receiving information, or for processing in the cloud. This movement of data leads to overlapping claims of jurisdiction. On one of the panels in Jerusalem, for example, several European lawyers and regulators disagreed sharply about jurisdiction when offered a complicated fact pattern of data transfers to and from Europe. Even in the U.S., privacy laws are constantly evolving with states enacting privacy and information security statutes at an alarming rate, courts and regulators reinterpreting privacy rights, and regulators and industry groups issuing their own guidance. Privacy may seem like a minefield for which there is no map.
Privacy lawyers strive to survey and understand this minefield and translate it into a roadmap that helps businesses not only to avoid the mines, but to think about privacy in a positive way. We want our clients to know that privacy is not a prohibition against collecting and using personal information, but a commitment to collect and use the information in a fair and transparent manner. We help our clients be proactive in addressing privacy and understanding that privacy can and should be good for business. On the other hand, we help companies frame their business models, personal information processing activities and privacy programs in a manner that helps privacy regulators and privacy advocates view our clients’ businesses and privacy programs in a positive light.
As privacy lawyers, we take on this complex task of achieving privacy harmony, and I believe we are best-suited to succeed in this quest.