On the Microsoft on the Issues blog, a guest post from Leslie Harris, President and CEO, Center for Democracy & Technology. For more on Microsoft’s approach to accountability in privacy, see our backgrounder, “Privacy Accountability,” available on the Trustworthy Computing Policymakers site.
Last Friday, I had the pleasure of moderating the inaugural panel of Microsoft’s new “Conversations on Privacy” series in Washington.
I was joined by FTC Commissioner Julie Brill, Microsoft Chief Privacy Officer Brendon Lynch , Intuit CPO Barb Lawler and privacy expert Peter Swire of Ohio State University to discuss comprehensive privacy programs (aka “accountability programs”) and the role such programs play in efforts by the nation’s biggest brands to secure data and build consumer trust.
The hallmark of the accountability approach is a move beyond simple compliance with privacy rules to a focus on data stewardship: rigorous attention to privacy in all processes that touch consumer data and in the design of new products and services. On the front end, innovative tools such as privacy impact assessments and privacy enhancing technologies help to identify and mitigate risk. And on the back end, monitoring and auditing ensure that privacy promises are honored.
We began the conversation with a look at the well-developed privacy programs at Microsoft and Intuit. It was obvious that the secret sauce in the success of both programs included an experienced chief privacy officer at the helm, strong buy-in for the program from top leadership, and a company-wide desire to maintain consumer trust in the brand.
Peter Swire questioned whether the message that privacy matters is getting through to companies without established brands, particularly those that collect consumer data outside of public view. Consumers do not “choose” to do business with these companies, and thus the incentives for these companies to build consumer trust are often low.
However, is the resource intensive accountability model beyond the means of small and mid- size firms that may want to do the right thing on privacy? Brendon Lynch offered an important level set, reminding us that accountability should be tied to the risk that a firm’s products or processes will have on privacy impact. As Commissioner Brill noted – in response to my question about whether recent enforcement actions mean that all companies need to adopt an accountability program – the ends, not the means, are what matter most. A company that does not have a CPO, for example, can still be doing the right thing on privacy.
Panelists offered several ways that good privacy practices could be encouraged in small and mid-size companies. Barb Lawler emphasized that industry associations and groups like the International Association of Privacy Professionals can serve as a resource for smaller businesses. She also described mechanisms that Intuit employs to bring the company’s customer base of small businesses and individuals into the privacy dialogue. Brendon Lynch explained that large companies like Microsoft have a vested interest in ensuring that partners and participants in their ecosystem take privacy seriously and has therefore published its “Security Development Lifecycle” and made its privacy standards available.
Finally, we discussed whether and how comprehensive privacy programs could be integrated into privacy legislation. Should accountability be required by legislation or is accountability a path forward that makes legislation unnecessary?
Panelists – and audience members – held a range of views about whether baseline privacy legislation is truly necessary, but Commissioner Brill made the astute observation that improvements in company practices are correlated with periods of increased pressure from both the Hill and the FTC. If everyone were to “call it a victory and go home,” one important incentive for companies to improve their data stewardship practices would disappear. Brendon Lynch also expressed concern that without a baseline law to assure global customers that their data is being protected, American companies may find themselves at a disadvantage as they deploy innovative cloud services. One point that all agreed on: privacy legislation that set out privacy principles at a high level could be consistent with an accountability approach.
At least from my perspective and that of my organization, the Center for Democracy & Technology (CDT), accountability programs are not a substitute for baseline privacy legislation. Microsoft and Intuit are among the major brands at the vanguard of privacy innovation. They understand why investing in privacy makes sense. However, without a baseline set of flexible privacy rules, much consumer data will have little or no privacy protection, and there will be little incentive for the myriad of companies that collect, use and share personal data to make similar investments.
Having said that, core elements of accountability programs could be included in legislation, starting with privacy risk assessment for companies that collect and use large amounts of consumer data. And flexible privacy legislation that creates a safe harbor for companies that meet certain standards – such as implementing strong accountability programs – will reward responsible companies while ensuring that consumers’ privacy is protected in all instances.
Leslie Harris is the President and CEO of the Center for Democracy & Technology and a recognized global leader in Internet policy. CDT is the leading Internet freedom organization working at the vanguard of technology and policy innovation.