Simon Davies: Privacy’s New Image

Where privacy is concerned, Americans distrust their government. But they’ll gladly hand over their personal information to a corporation to get a deal on their groceries.

Europeans, on the other hand, will give their government extremely broad surveillance powers, but they largely forbid private enterprise from accessing any personal data without their express written consent. In the corporate security world, this has translated into an ideological disconnect: U.S. executives think Europeans are missing the marketing opportunity personal data provides, and the Europeans, by and large, see their American counterparts as fast and loose, callous even, when it comes to their citizens’ privacy. Until recently these issues had settled into a quiet détente. However, resentments churned up by recent world events have European privacy experts predicting that U.S. companies are likely to face a new hard-line approach to privacy enforcement in their business dealings on the continent.

But views on privacy have also been changing within the United States. HIPAA and a slew of post-9/11 antiterrorism legislation started the trend, and rapid technological advances that make invading one’s privacy shockingly easy have drawn more attention to the privacy issue. The result is that America is looking more and more like the Old Country, at least when it comes to privacy.

The libertarian values of the founding fathers infused American culture with a live-and-let-live attitude. A majority of U.S. citizens still wrinkle their noses at any proposal that smacks of increased government regulation. The issue of privacy has consequently been handled on an industry-by-industry basiswith only high-risk sectors such as health care and financial services bending to the force of legislation. Meanwhile, most businesses have been left to carry on the collection, use and trading of personal data and information at will behind a very thin curtain of “self-regulation.”

At the center of this confluence of government legislation, international pressure and the ongoing debate over security versus privacy is the CSO. He is charged withand will ultimately be held responsible fornavigating through the turbulence.

The CSO has a tremendous impact on the development, execution and effectiveness of the corporate privacy policy. Whether responsibility for privacy resides in the security group, with the legal counsel, in human resources or with a specially appointed chief privacy officer, the CSO is a critical partner in giving a privacy program life.

But it isn’t an easy partnership. “You can have great security without privacy I suppose,” says Peter Cullen, former chief privacy officer of Royal Bank of Canada and newly appointed chief privacy strategist for Microsoft, “but you can’t have great privacy without great security.”

Why is it so hard for companies, and indeed governments, to reconcile the two?

“Such intuition used to be at the heart of America’s Fourth Amendment,” says Jeffrey Rosen, associate professor of law at George Washington University, referring to the right of citizens to be safe from unlawful search and seizure. “The most invasive measures should be limited to the most serious crimes, but we lost that principle along the way,” adds Rosen, who is also author of The Unwanted Gaze: The Destruction of Privacy in America.

In the United States especially, the relationship between privacy and security has been a particularly contentious onenot only because of the disinclination toward legislation but also because information has always been the lifeblood of our capitalist culture: Privacy protections, it is feared, could put a stranglehold on the flow of commerce.

But the war on terror in particular has brought the clash between privacy and security to the forefront like never before. Recent casessuch as the attention given the Muslim-American woman in Florida who refused to remove her veil for a driver’s license picture, and the furor that greeted the announcement of the government’s plan for the Total Information Awareness Program, which would link and mine databases to identify security threatshave further muddied the relationship between the two. One always seems to be implemented at the expense of the other.

The problem is exacerbated on the corporate side by the breakdown in communication that often occurs between the privacy and security folks. CPOs such as Cullen feel somewhat misunderstood by the security profession. “CSOs don’t understand privacy as well as privacy officers understand security,” he says, noting that he believes privacy is more nuanced and less black-and-white. “Security is a fairly rational thingthe antivirus protection is either on or offwhereas there is a high degree of variability in privacy.” What feels invasive to one person can be of little matter to the next.

More than a quarter of the 1,010 U.S. citizens responding to the annual Harris Interactive poll in February 2003 identified themselves as being “privacy fundamentalists.” They feel strongly about the loss of privacy and will resist any further erosion. Only 10 percent of respondents identified themselves as “privacy unconcerned.” They have little or no anxiety about how their information is collected and used. But a majority of people63 percenttake the “privacy pragmatist” approach. They may be concerned and aware of issues surrounding privacy, but they are also willing to trade some of their personal information if the perceived benefit is great enough and the risk of information misuse is low. The Continental ClashIn Europe, however, the issue of privacy goes beyond that of a preference. It is seen as a fundamental human right. For that reason, the Europeans have had a much easier time combining the issues of security and privacy into a single ethic of information handling. “In the U.S., citizens see privacy as a legal minefield,” says Simon Davies, director of London-based Privacy International, noting that consequently it often is turned over to the legal counsel or human resources to manage. “In Europe [privacy is] more a human condition than a legal condition. It’s more a social issue than a litigation issue. So security people find it easier to take [privacy] on. In the United States, the corporate environment is steeped inand constantly threatened bylitigation.” When the prime directive is avoiding litigation, it becomes next to impossible for security and privacy to evolve side by side.

The differing views on privacy between the United States and Europeand even among the European Union countriesare based on the intrinsic values of cultures that are centuries old. For example, British citizens are protected by the EU Data Privacy Directive (see “EU Data Privacy Directive,” Page 53), which gives them the rights of notice, choice and access to their personal information that Americans don’t have. But they also live in a culture where camera surveillance is ubiquitous. From traffic lights to street corners, British citizens are under almost constant observation…and they don’t seem to mind. “Britain continues to confound and surprise me,” says Rosen. “They have embraced cameras, showing great deference to authority, and yet this same culture that is wired with cameras is far more respectful of people’s privacy in public. They don’t stare at celebrities or yell loudly on their cell phones on the train. They maintain boundaries the more democratic Americans don’t respect.”

The German experience with Nazism had a profound effect on that country’s cultural views about privacy and the rest of Europe’s as well. During World War II, people saw the destructive power that information could have in the hands of an evil government. The postwar lesson of maintaining a healthy relationship between citizens and organizations also fostered a belief in a right to privacy. Today’s German Secret Service, for example, is given broad surveillance authoritybut only to investigate terrorism. Any evidence of a low-level crime that is discovered in the process of that surveillance cannot be legally pursued, preventing authorities from going on fishing expeditions for information.

The French are tremendous proponents of government regulation for just about everything. Unlike Americans, they feel no need to constrain their government’s involvement in instituting privacy controls and have some of the most extensive regulations of dignitary offenses in Europe.

When Europeans embraced omnibus privacy legislation in 1995 with passage of the EU Data Privacy Directive, Americans were forced to respond. In order to preserve the continuity of trans-Atlantic commerce, the Federal Trade Commission brokered an agreement with the EU called Safe Harbor, which would require U.S. companies that sign on to it to abide by the EU’s basic privacy principles.

However, relatively few U.S. companies have signed ononly 353 at press timeand the vast majority of those are small companies rather than the Fortune 1000 behemoths whose information practices could cause the greatest harm to the privacy of European citizens. “Safe Harbor was and is a well-intentioned effort and works for many companies,” says Ivan Fong, chief privacy leader and senior counsel of IT at General Electric. “But it is only a partial solution for other companies, in that it only covers data flows between Europe and the U.S., and many multinationals have data flows that go beyond that route.” He adds that Safe Harbor, as currently negotiated, doesn’t cover financial services companies because the United States and the EU cannot agree on whether the U.S. data protection laws that govern financial institutions meet the EU’s “adequate protection” standard.

The FTC, by the way, is actually one of the central reasons behind Safe Harbor’s poor showing. It has enforcement authority over the program, and the majority of U.S. companies don’t want to come under its jurisdiction and open themselves up to litigation. Instead, most companies seeking to transact business in Europe have chosen to negotiate individual contracts with the EU member states, stating that they will abide by the basic precepts of EU privacy practices.

But terrorism and technology have changed the standards and the stakes of compliance. Since Sept. 11, the U.S. government has made new information demands on its European allies in the name of security, which forces them in many cases to break their own privacy policies. For example, U.S. authorities are requiring that all foreign airlines that land in the United States present complete passenger lists, a move that directly violates European privacy laws. But airlines such as Lufthansa and Air France that want to be able to land in the United States have been quietly surrendering that information anyway.

Davies notes that security measures such as those contained in the Enhanced Border Security and Visa Reform Act of 2002 (H.R. 3525) are causing a great deal of resentment in Europe. “There is a sense of betrayal in Europe that we will now have to be fingerprinted as we enter the United States. It’s a betrayal of comradeship and of trust,” he says. “We’ve been partners throughout the century, and to find ourselves now cast aside and treated as alienswell, it’s done incalculable damage.” Davies also points to further irritants: the war of words that erupted between France and the United States, and the fallout from Europe’s disfavor of the invasion of Iraq.

And Davies is not alone in feeling that way. Alan Westin, president of the Washington, D.C.-based Center for Social and Legal Research, and cofounder and publisher of the Privacy and American Business Journal, notes that Stephano Rodota, president of the Italian Data Protection Authority, recently spoke out strongly against the European airlines for surrendering their passenger information to the United States.

The result could be serious for U.S. companies that want to do business in Europe. Davies predicts that European privacy authorities are going to get much tougher on Americans who flout their privacy regulations. “There is going to be far more attention to detail in contracts and on the information flow, and a more rigorous interpretation of data rules,” he says. “It may be occurring for all the wrong or all the right reasons, but this is the state of the world today. And because of the bad blood in Europe, data protection is one of the areas where rules will be more rigorously applied.”

Experts note that no overt actions have been taken against U.S. companies to date, and privacy officers such as Fong have had no bad experiences with the European information commissioners. But Fong does note that the relationship with the European authorities is one that GE has carefully cultivated. “We make an effort to get to know them and to learn what their priorities and concerns are. Just as with any other relationship, it’s important to develop open lines of communication,” says Fong. Innoculation against international mood swings could be a very smart policy.Homegrown HindrancesAs if continental mudslinging weren’t bad enough, corporate privacy practices are also on the defensive at home. The FTC has long been the government agency most closely associated with the issue of privacy in the United States. But even with niche regulations like COPPA (Children’s Online Privacy Protection Act), HIPAA (Health Insurance Portability and Accountability Act) and GLBA (Gramm-Leach-Bliley Act), the FTC’s role has been more of an educator than an enforcer.

But recently the FTC has taken a much more active role in calling companies to account for privacy violations. When Eli Lilly violated its own privacy policy by accidentally releasing 669 customer addresses in the “to” field of an e-mail from its Prozac.com website, the FTC filed a complaint that accused the company of failing to protect customer information, of inadequately training its employees, and providing insufficient oversight for the employee who sent out the e-mail. The complaint was settled last year.

Westin notes that the decision was important because it reinforced with high-profile action the FTC’s stated position. “If you make promises about privacy, you have to take adequate or reasonable measures to implement [those assurances],” Westin says. “Every security officer should have a copy of that ruling because it sets the standard for website security and confidentiality.”

The settlement requires Eli Lilly to establish a four-tiered information security program with the physical, technical and administrative safeguards necessary to guard against a similar breach in the future. Specifically, the company must designate appropriate personnel to coordinate and oversee the program, identify and address internal and external risks to the security of personal information, conduct an annual written review of the program to monitor and document compliance, and adjust the program in the future based on the review’s findings and recommendations. With its punitive actions, the FTC has basically become an active participant in Eli Lilly’s security programcreating a cautionary tale for other companies that might be inclined to accidentally or purposely disregard their own privacy policies.

California has enacted a law that will have an equally wide-reaching effect on corporate privacy practices. The Security Breach Notification Act went into effect on July 1 requiring companies to disclose details if they believe a breach has led to the release of personal information. The data covered by this law is an individual’s name combined with one or more of the following unencrypted pieces of information: Social Security number, driver’s license or ID card number, or an account, credit or debit card number with the password that accesses that financial information.

While the law is intended to make citizens aware of potential abuses of their personal and financial data, it is likely to create a public relations nightmare for companies that will have to quickly go public with suspected breaches even if they later discover that no personal information was actually compromised or used. Any company with customers in California must comply with the law regardless of where the company is based. “As consumers, we’re going to be getting lots and lots of notifications,” says Westin. “Hacking into customer files, laptop thefts and [accidental] information disclosuresthese things happen every day. And under this California law, it creates an extraordinary exposure.” As an example, Westin recalls receiving a call about three years ago from a company that handled benefits information for various employers. A car belonging to one of the company’s sales reps was broken into, and a laptop was stolen that contained the personal records of 50,000 employees complete with names, addresses, Social Security numbers and income informationan identity thief’s Valhalla. The company suspected that the laptop was stolen merely for resale value, but it wanted to know from Westin whether it should notify the employees that their information’s security was in potential jeopardy. At the time he advised the company to not directly notify employees but make some contacts within the employee group so that if any information was used improperly, they would hear about it quickly; contact the police in case the laptop turned up at a pawn shop; and certainly require salespeople to encrypt their files in the future. Hundreds of companies will now face this same dilemma without the option of taking a wait-and-see attitude.

Yet, regardless of who manages privacy, the CSO’s role is to bridge the gap between what is promised and what is possible. “The CSO has to to carry out, understandand if necessary, challengethe assumptions of policy-makers, especially when those policies place a demand on systems that the CSO knows can’t be met,” says Westin. These evolving standards further underscore the importance of having the security and privacy policies and practices inextricably linked so that each supports the other.