Thursday, April 4, 2013

Stretch Goals for Privacy Lawyers



The global trends in privacy are crystal clear: more privacy laws, more litigation, more regulation, more compliance obligations, more enforcement actions, bigger sanctions. These trends are in place in almost all countries around the world, so their cumulative global impact on companies is dramatic. So, want to guess which profession will profit from these trends? Yes, the lawyers. (In full disclosure, I'm a lawyer.)

Historically, privacy leaders at companies have come from different backgrounds.  Some were lawyers, some were engineers, some were compliance managers.  At most companies, lawyers are already filling the roles of chief privacy officers (or data protection officers, as they're called in Europe).     

Privacy has changed over the years.  It is becoming an increasingly litigious matter.  A few years ago, privacy class actions hardly existed.  Now they're as common as locusts in Egypt.  

A few years ago, the sanctions for privacy breaches were relatively small, generally in line with the fact that the "harm" from them was often negligible, or difficult to define or measure. Now, fines are increasing rapidly, and indeed, Europe plans to introduce fines in the range of 2% of global turnover for rather routine privacy missteps. Companies will have no choice but to fight threats of billion-dollar fines with teams of lawyers. Europe is proposing billion-dollar fines for having a privacy policy that is "too vague", or for failing to properly document data processing, or for security breaches, or for riding a bicycle without a helmet. In other words, you can face mega-fines for just about everything and anything, so you'll need plenty of lawyers to defend you.

Lawyers are trained in reading, understanding, interpreting and advising on laws and legal compliance programs, and defending their clients from litigants and regulators.  Privacy laws, everywhere in the world, are vague, so they leave much room for legal interpretations.  The lawyers' skill set is becoming more and more central to the role of privacy leadership.  Moreover, lawyers benefit from attorney-client privileged communications internally, which is becoming an absolutely essential mechanism for privacy lawyers to have deep, unfettered, unfiltered exchanges of information and advice with their clients.  

Of course, non-legal disciplines will always play an essential role in safeguarding privacy at companies, e.g., the vital role played by security engineers. Privacy will always be a cross-disciplinary project. I'm not saying that the rise of the lawyer-privacy-leader is necessarily the best thing for "privacy". Yet in the face of rampant litigation, discovery orders, vague laws, political debates, regulatory actions, and threats of billion-dollar fines, companies will be looking to their privacy lawyers for a lot more than drafting a privacy policy. It's a great profession, if you like stretch goals.

3 comments:

Anonymous said...

Rather than "riding a bicycle without a helmet", wouldn't a better example be "riding a bicycle equipped with GPS, a 3D laser scanner, panoramic cameras mounted high enough to peer over tall fences and a Wi-Fi device for logging unencrypted private communications"?

Anonymous said...

Let me see if I get this right: you are advocating that lawyers should be Chief Privacy Officers. If the lawyer is called upon to defend the corporation due to a breach, and they are in fact advising senior management on how to respond to a security incident that occurred under their own management, isn't that like a conflict of interest?

direwolff said...

Wouldn't you have to agree that rather than simply position this as work for more lawyers and disparage E.U.'s vague regulations, it might also be worthwhile to point out that industry got us into this mess to begin with? Had companies not abused many privileges afforded them via their online interactions with their users, we wouldn't be in this lawyering windfall...wouldn't you say? The stagnation of getting new regulations operating in the U.S. is equally unhelpful towards maintaining the balance in the digital ecosystem.