Scholars Discuss Real World Privacy Law Issues

By TAP Guest Blogger

Posted on April 17, 2013


On March 21, 2013, the Berkeley Center for Law and Technology (BCLT) hosted its Second Annual Privacy Law Forum in Silicon Valley. While information privacy has grown in prominence over the last decade, it remains a new field, posing problems for corporations, firms, and regulators alike. The Privacy Law Forum provides an opportunity for BCLT scholars to present their cutting-edge research on various real world problems facing privacy practitioners. The presentations covered a broad range of issues, from international privacy regulation to privacy by design. A panel discussion followed each presentation as attorneys, privacy officers, and scholars provided their own insights and potential solutions to these various challenges.

For the first panel, Paul Schwartz presented his research on the potential collision between E.U. and U.S. data privacy regulation. Since the E.U. Data Protection Directive of 1995, the United States and European Union have managed to find a tentative balance through safe harbor protections, model contract clauses, and binding corporate rules. While the European Union’s Proposed Data Protection Regulation could help to codify these instruments and provide a more consistent privacy protection, it could also increase conflicts between the European Union and United States. After Schwartz’s presentation, Karl-Nikolaus Peifer of the University of Cologne discussed why the European Union has fought so strongly for strict privacy protection and how the Proposed Data Privacy Regulation might achieve that goal. Christopher Wolf of Hogan Lovells shifted the conversation to the areas of strength in U.S. privacy regulation. He further argued that privacy should be part of broader trade agreements, which would provide a better context for negotiation. Microsoft’s Michael Hintze discussed the potential problems of some of the proposed regulation’s requirements but noted that, as before, businesses will find a way to deal with the realities of running a global technology company.

The second panel shifted the discussion from international relations to consumer relations as Chris Hoofnagle presented his research on privacy and “the price of free.” While behavioral economics suggest a ban of “free” offers entirely because of their tendency to generate unhealthy biases in consumers, Hoofnagle suggested that a transaction cost economics approach could provide alternative governance structures to make these transactions truly free. He argued that companies offload business risks onto consumers and hide costs associated with services by marketing them as “free.” Software developer and CEO of Dalton Caldwell provided the businessperson’s perspective, explaining the economics and methods of ad companies and describing his vision for as a type of for-free business model that would incentivize privacy and provide consumers with a less-restricted platform for purchasing apps. Michael Glaser of Perkins Coie and Daren Orzechowski of White & Case offered the perspective of attorneys who counsel start-ups in their development and business models. Without commenting on the merits of the current system, they discussed the risks companies face in this area, which are often a combination of public relations and regulations.

In his keynote address, Special Assistant Attorney General Travis LeBlanc discussed California’s role in the protection of privacy as well as the ways that the government must adapt in order to face the challenges of ever-developing technology. He highlighted California’s special relationship to technology and privacy issues. Not only has California often been on the forefront of privacy legislation, but it also is home to the pioneers of the technology world. As this world continues to innovate, LeBlanc insisted that regulators must “innovate the way we regulate.” Too often new technology renders legislation or cases obsolete before they can come into effect. LeBlanc described how the Attorney General’s office was focusing on strategically partnering with the technology industry, educating engineers and consumers as well as lawyers, and providing clear requirements and fair practices. While the California Attorney General’s office will not decrease its work in the courts, as evidenced by the new and active e-Crime Unit, LeBlanc remained hopeful that a more complete regulatory system would ensure that privacy protection becomes part of the fabric of emerging technology.

Deirdre Mulligan and Kenneth Bamberger led the third panel’s discussion on the growth and development of privacy management within companies. As the two professors pointed out, most research on the subject of data privacy discusses legislation and regulations but hardly ever goes “under the hood” into an analysis of how corporations manage privacy from within. In their study of companies worldwide, Mulligan and Bamberger have found a dynamic privacy community and an emerging role of the privacy professional. These developments are not limited to one side of the Atlantic, as privacy management has noticeably grown in both Germany and the United States. By isolating the similarities between the different privacy management systems in these countries, Mulligan and Bamberger presented some of the elements of healthy privacy management. These elements include the increase of power in the privacy officer within the company and a paradigm shift from compliance to risk and reputation management. The rest of the panelists consisted of current or past privacy professionals Harriett Pearson, Susan Lyon, Michelle Dennedy, and Scott Goss. In their lively conversation, they shared personal experiences, thoughts on the business aspects of the field, and comments on the expanding reach of privacy beyond attorneys and firms.

In the final panel, Jennifer Urban and Deirdre Mulligan presented their research on privacy by design, a topic that surfaced in nearly every panel before. This concept has garnered a great deal of attention as companies and regulators alike seek to build privacy requirements into products. However, Urban and Mulligan point out the difficulties that arise in pursuing privacy by design, namely defining the term “privacy” and developing tools for engineers to facilitate better privacy. Privacy as a term, like “freedom” or “democracy,” is complex to define and often takes on different meanings in different contexts. Jennifer Urban described the results of a nation-wide survey of consumers exploring current consumer expectations of privacy. She argued that consumer expectations are an important guide for businesses that want to implement privacy by design. Deirdre Mulligan suggested that a multi-dimensional privacy analytic could serve as a tool for developers, allowing for more specific analysis of the product and its privacy implications. Gabriel Ramsey of Orrick and Jim DeGraw of Ropes & Gray described the conflicts that arise when facing external conflicts like a data breach, or when trying to explain privacy requirements to a technologist. Overall the presentation, and the subsequent discussion, provided a fresh and critical perspective on privacy by design.

Listen to audio from the event’s panels, available on this page.

This forum summary is provided by Mark Langer, a student at the University of California Berkeley School of Law.