Privacy on the Ground: Driving Corporate Behavior in the United States and Europe

Privacy and Security

Article Snapshot

Kenneth A. Bamberger and Deirdre Mulligan

MIT Press, 2015

Interviews with privacy professionals in the United States, Germany, and other countries show that firms in Germany and the United States integrate privacy into their business strategy, whereas firms in France and Spain treat privacy as a set of legal mandates and focus on compliance.

Policy Relevance

Different legal and regulatory regimes can shape firms’ approach to privacy.

Main Points

  • Interviews with U.S.-based firms regarded as leaders on privacy issues reveal a gap between the letter of privacy law and firms’ privacy practices; U.S. privacy law treats privacy sector by sector (medical, financial), but these firms take a more integrated approach.
  • In Germany, privacy laws and regulations differ greatly from those in the United States, but German and U.S.-based firms approach privacy in the same way.
    • Privacy is part of firms’ strategic decision-making, not a subsidiary issue.
    • Privacy is handled within business units.
    • Firms implement policy through a network of high-status privacy professionals.
  • In the United Kingdom, firms tend to see privacy much as firms in Germany and the United States do.
    • Privacy officers in the United Kingdom are often of lower rank than those in the United States and Germany.
    • As in the United States, firms in the United Kingdom are concerned with fairness and consumer protection, asking how consumers would feel about the firms’ data practices.
  • In France and Spain, firms tend to focus on compliance with privacy-related legal mandates, and privacy is handled by legal staff.
  • In France, regulated firms historically had little role in shaping privacy policy; however, French policy is evolving under the influence of German policy, and French privacy regulators have opened a dialogue with firms.
  • Regulatory regimes that encourage firms to enact stronger privacy protections share certain characteristics:
    • Broad legal mandates combine ambiguity with accountability.
    • Data breach laws encourage transparency about privacy failures.
    • A large community of corporate privacy professionals, advocates, and government officials participates in policy-making.
  • A government-centric approach to privacy policy is unlikely to give firms the incentive to cultivate privacy expertise within the firms.
    • Strict regulatory environments result in the atrophy of firms’ internal mechanisms to monitor privacy.
    • A government-centric approach makes it unlikely that firms will develop the know-how to check privacy abuses by government.
  • Policymakers should encourage firms to take responsibility for developing, interpreting, and enforcing privacy; fear of market failure, loss of reputation, and regulatory censure are necessary to ensure that bad behavior is punished.
  • The European Union’s new data protection regulation focuses on harmonizing privacy rules, which could foreclose country-by-country variation. Clearer guidelines would reduce firms’ regulatory costs but would mark a return to more government-centric privacy rules.
