Monday, November 5, 2012

The Marketplace of Privacy Compliance Programs

The data protection establishment, worldwide, has been inventing a lot of new privacy compliance programs.  All these different, well-intentioned initiatives are meant to serve the same purpose:  improve privacy protections.  All of them are, or likely will soon be, mandatory for most big companies.  I can hardly keep track of all the different initiatives, but here are the ones I have struggled to understand:

  • Accountability
  • Privacy by Design
  • Privacy Impact Assessments
  • Consent Decrees
  • Audits (internal and external)
  • Regulatory reviews
  • Data Processing Documentation
  • Database notifications/registrations
  • Binding Corporate Rules
  • Safe Harbor Compliance programs
Lots of my acquaintances in the privacy field have asked me what I think about all this:   Are these programs meant to run independently, even if they overlap and cover the same ground?  Does anyone have a clue how much all this will cost?   Where do you turn for help to implement these programs?  Can one solid privacy compliance program be implemented to meet all of these goals?  Clearly, all of us privacy professionals are struggling to understand this. 

I'm sure we all believe that privacy programs need a solid compliance-program foundation to be effective.  Most of us also probably believe that different actors should have the freedom to develop programs that fit their cultures.  Nimble Internet companies have very different cultures than government bureaucracies, so naturally, these different cultural worlds must have the freedom to design programs that work in their respective cultures.  Clearly, one size does not fit all.  Programs have to be customized for the size and sensitivity of the processing.  A government database of child-abuse records is more sensitive than a database of some web site's analytics logs, so it's wrong to try to run the same compliance programs for both.

On cost:  despite all the good intentions motivating these compliance initiatives, no one has even begun to figure out what all these compliance programs are going to cost.  Take Europe as an example:  I've read some statements from politicians that future EU privacy laws will reduce businesses' compliance costs.  That is simply not credible.  On the one hand, under the new rules, businesses in Europe will save a little money, once they no longer have to fill out national database notification forms across Europe.  In the scheme of things, that is peanuts.  On the other hand, imposing new compliance obligations (mandatory privacy impact assessments, mandatory data protection officers, mandatory security breach notifications, mandatory data processing documentation) will cost a lot.  The problem is that nobody knows how much all this will cost.  I'm working on the educated guess that the current EU privacy compliance proposals will increase the privacy compliance costs on businesses in Europe ten-fold, starting around 2015.  Yes, ten-fold.  That excludes the costs of fines and sanctions for non-compliance, now proposed to run up to some percentage(s) of a company's worldwide turnover.  This massive increase in compliance costs is largely the result of the proposed EU sanctions for failing to adequately document compliance programs.  I'm still hopeful that more realistic compliance obligations will be created for small and medium-sized enterprises, but the big trend is clearly towards costly new compliance obligations in Europe.

I get the feeling that the many people debating privacy laws have no idea (and perhaps don't care) how much all this ends up costing.  I also haven't read any classic regulatory cost/benefit analysis on these new obligations.  As a lawyer trained at Harvard in the cost/benefit analysis of government regulations, I am surprised to see that there's been essentially zero academic or economic analysis to decide which privacy compliance rules are effective and which are pointless red tape.    

At the time of writing this blog post, I really don't know how all the compliance initiatives above are supposed to fit together.  I don't know which are superfluous.  All this has yet to be worked out.  While each of the programs above overlaps with the others in some ways, each is also slightly different too.  We've got to figure out how to minimize duplication among these programs, or we're all going to waste our time and money on re-inventing the wheel.

Privacy compliance initiatives today remind me of the early days of the railroad, when each railroad line had its own track width, meaning a train could only travel on its own line's track.  Eventually, all this will get sorted out, just as railroad track width was eventually standardized, but in the meantime, I fear we're all going to be running around in circles.  Like the early days of the railroad, we're still in the early, experimental, inefficient, non-standardized, frontier-age of duplicative privacy compliance programs.

1 comment:

Eric Goldman said...

You write: "there's been essentially zero academic or economic analysis to decide which privacy compliance rules are effective and which are pointless red tape." I'm not an empiricist, but I would be willing to consider undertaking this research. But given how new the programs are, any thoughts about how?