(This article appeared originally on the website of the International Association of Privacy Professionals (IAPP) in August 2016.
In recent months, a small but tenacious army of privacy and consumer rights activists has been quietly ramping up for an assault on poor privacy and data protection practices by companies and governments. These campaigners are building a new framework of strategic activism that may soon change the way all organizations do business.
At its most dramatic level, this new paradigm will trigger a sharp increase in high-profile media and legal actions against companies. There will, in my assessment, be a steep rise over the next two years in highly focused complaints to privacy regulators in North America and Europe. This trend will be accompanied by a resurgence in innovative consumer-focused campaigns similar to those adopted by the environmental movement of the 1980s. Those campaigns aimed to create reputational damage by destabilizing public confidence in targeted companies.
At its most dramatic level, this new paradigm will trigger a sharp increase in high-profile media and legal actions against companies.
Having said that, the new activist environment also creates unexpected opportunity for companies. After all, privacy campaigners are raising their tactical ceiling because they seek measurable reforms. This presents an opportunity for companies that genuinely care about privacy to build a constructive alliance for everyone’s benefit.
This is not a radical notion. An increasing number of organizations have benefitted in recent years from positive engagement with privacy activists. Such a constructive relationship often helps both parties and can circumvent the reputational damage that media controversy so often creates.
In short, it’s no longer appropriate to disregard Non-Government Organization (NGO) activity as a fringe annoyance that can be engaged by third-party PR agents. In my view, the time is right for companies to directly and constructively engage these entities — particularly on sensitive data issues.
Privacy activists are describing 2016 as the “perfect storm” for privacy reform. With a new data protection framework in Europe — backed by a raft of recent pioneering judicial decisions — the opportunity to intervene in the data policies of corporations has never been more inviting. After more than a decade of regulatory indolence and confusion over data protection in Europe, the coming few years offers a chance for consumer groups to build a far more strategic, integrated and aggressive approach to their privacy mandate.
This new privacy environment extends beyond the borders of the EU. In recent times, for example, both the US Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) have appointed chief technology officers who — in the past — might have been regarded as unacceptably part of the “privacy elite”.
The elevation of Lorrie Faith Cranor to the FTC and — even more telling — the appointment of Stanford technology activist Jonathan Mayer to the FCC may shift the regulatory landscape in the U.S. and beyond. Mayer’s reputation as a privacy sleuth is unrivalled, while Cranor’s commitment to the rights field is made clear by her role as board member of the Electronic Frontier Foundation.
An increasing number of organizations have benefitted in recent years from positive engagement with privacy activists. Such a constructive relationship often helps both parties and can circumvent the reputational damage that media controversy so often creates.
For some CEOs and CPOs, however, privacy advocates and their NGOs are the least understood (and perhaps most underrated) part of the privacy landscape. This is a surprising gap in corporate intelligence. In recent years, privacy activists have caused immense reputational damage to organizations — including some of the world’s biggest brands. Their actions have paralyzed product rollouts, sparked regulatory investigations, brought actions resulting in substantial financial penalties and triggered the downfall of senior executives. This impact is likely to escalate over the coming months and years.
One notable example of this impact can be seen in the recent actions of Austrian activist Max Schrems, who almost single-handedly brought the EU-US Safe Harbor agreement to its knees and forced a renegotiation of trans-Atlantic data transfers.
In my 30 years as a privacy advocate, I have never before witnessed such a rapid twist. Before 2010, a significant number of commercial and government organizations viewed privacy as a negotiable and peripheral issue that could be managed by PR companies. In the space of six years, privacy has become a core issue attracting substantial financial backing — evidenced, for example, not just by the recent surge of mainstream-targeted privacy start-ups such as Sirin Labs (which by May 2016 had raised $72M), but also by a $250M bankrolling of The Intercept magazine. Activist groups, non-profits and NGOs (collectively known as “civil society”) have never experienced such a swell of support or popularity.
It’s not necessary here to recite the litany of legal and media battles that have ensued over the years between companies and privacy activists. Many of those are a matter of record (though by no means all of them). As the former head of Privacy International I can provide countless examples of the trouble that can be caused if organizations fail to take up an opportunity to engage.
Some of our interventions, however, turned out to be extremely positive for all parties. We worked with Google on the development of transparency reports — an initiative that was a clear win for everyone. And I recall Microsoft postponing the launch of Bing Streetside after we had suggested some security improvements. In that case it was a simple matter of us proposing stronger third-party audit provisions to obviate the sort of PR and legal drama that Google had faced over Streetview. Microsoft’s then UK National Technology Officer Jerry Fishenden trusted us enough to provide advance notice of the launch and that relationship allowed our advice to be circulated around the company. Microsoft responded quickly and positively, and privacy was the clear winner.
It’s instructive to look in more detail at how collaboration with NGOs can replace confrontation. For example, about 10 years ago we noticed that it seemed impossible for eBay users to delete their accounts. We sampled a number of people, none of whom were able to discover a link for account closure.
After more than a decade of regulatory indolence and confusion over data protection in Europe, the coming few years offers a chance for consumer groups to build a far more strategic, integrated and aggressive approach to their privacy mandate.
After years of dealing with big organizations we had become battle-scarred. To us it seemed hardly worth the effort of confronting some invisible PR company which in the end would do no more than read out a screen message telling us “XXX cares about the privacy of its users.” So we took the best course of action at our disposal and triggered an investigation by the UK Information Commissioner’s Office (ICO) over our claim that eBay had fundamentally breached data protection principles. Once we had received a positive response from the ICO, all that was left for us were some well-timed calls to the press.
The following day the story played loudly in the papers, both in the UK and overseas. ‘EBay under investigation’ was a nice coup for us, even if it was a tad overhyped
Within a few hours, eBay’s then-global privacy lead, Scott Shipman, reached out to us. Rather than taking a defensive position, he offered to work with us to help fix the problem. This offer, for us, was a rare experience. Scott convened a working group of engineers and set up conference calls, to which we were included. He even informally brought on Facebook at one point to help crack the problem. It turned out that account closure was indeed possible, but the pathway to that link was deeply obscure.
It took nine months to resolve the issue, a task which was complicated further because of the multiple languages that the company operated in. However, the result was — once again — a clear win for privacy.
Obviously there are clear limits to this sort of engagement. If a company’s business model is anti-privacy, no amount of engagement with a credible NGO will work. But for organizations that genuinely care about privacy, there is a well-established path forward.
In my experience, this path involves a few pinch points. First, don’t allow your PR people to use rhetoric to fend off privacy controversy. Provide a clear pathway to your legal teams and let NGOs know about the mandate of those teams.
Second, keep the communication real. Be careful about the use of jargon and ensure that proposed responses are measurable. This will also help build support for privacy reform within your organization.
My sense is that this approach will help build a much stronger privacy environment and will provide the sort of protections that both companies and NGOs are aiming for.