A call for shared responsibility for preserving individual privacy

Data theft and malicious spam are spiking. Consumer and privacy advocates are confronting Google and Facebook about invasive business practices. In this LastWatchdog guest post, attorney Christopher Wolf, of the law firm Hogan Lovells, examines the question of who should be responsible for preserving an individual’s privacy. Wolf is  the Founder and Chair of the Future of Privacy Forum, a think tank committed to improving personal privacy.

by Christopher Wolf

Whose job is it to protect the privacy of personal information? That is the burning question in Washington these days.

Privacy is receiving so much attention right now not just because of headlines about Facebook and Google and their privacy missteps, but because we live in a time when people are sharing volumes of information about themselves and others on social networks, and when technology that can collect, share, analyze and store information about people is advancing at a staggering pace.

Think geo-tracking, behavioral-targeted advertising, and sensors collecting data about us connected to the Internet.

So who should be protecting our privacy? Some say that the government should finally pass a comprehensive privacy law that strictly regulates the collection and use of data.

Others say that companies using personal data have a responsibility to protect privacy, but should not be shackled by one-size-fits-all laws and regulations, lest economic progress on the Internet – one of the few bright spots in the economy – be stifled.

And then there are those who say people should be smart enough to protect themselves by being careful about what information they share online.

So who is right? They all are right.

Governments at the federal and state level have a critical role in protecting personal privacy. We have laws on the books right now with detailed rules to protect the privacy of financial, health and kids’ information. The Federal Trade Commission is the “cop on the beat” when it comes to ensuring that companies keep the privacy promises they make and that they secure personal data.

The FTC, charged with consumer protection, has used its enforcement powers against that companies that have engaged in unfair or deceptive privacy practices, declaring it unfair not to have adequate data security. At the state level, there are dozens of laws addressing privacy and security, including some that are very specific about the protections that are required.

We may not have a comprehensive privacy law in the same way that countries in the EU do, but ours are focused on the collection and use of data that is the most sensitive and on misuse that can cause the most harm. The recent “omnibus” privacy bills introduced and circulated by various members of Congress shows the complexity and the potential of unintended negative consequences of trying to regulate personal data across the board. While baseline protections of privacy are a worthwhile legislative goal, the devil as always is in the details.

Whether Congress decides there is a need for a new privacy legal regime in the United States will depend a lot on how companies in the business of collecting and using data behave. Companies that ignore privacy and data security do so at their peril.

More and more, businesses are recognizing that only with consumer (and policy maker) trust will the business of data use flourish. That is why we see serious efforts underway by companies to self-regulate, to put in place policies, information and technology that informs consumers about what is going on with their information and that gives them control over the collection and use of the data.

Properly communicated, consumers will understand businesses are using data in ways that provide real benefits and in ways that protect the information. And leading businesses will set leading practices that will become the standard by which regulators can evaluate what is fair or unfair, using their general consumer protection jurisdiction.

And, finally, there is certainly a role for consumers to protect themselves. We each have a duty to understand what may happen to our information when we give it up online. (Part of the needed change in business practices is a move to simplified and clear privacy notices, which consumers can then use to evaluate what information they will share.)

Kids are coming to realize that posting inappropriate photos and statements can come back to haunt them when it is time to apply to schools or for a job. And with so-called privacy enhancing technologies, we can take steps to protect ourselves from the unwanted disclosure of information about us. Don’t want to publish to the world that you are away from home in a foreign city (and thus invite potential burglars to your home)? Utilize the don’t track or don’t share button on your mobile device.

Privacy is not a job for someone else to take care of. Lawmakers and regulators, businesses and consumers each have an important role to play, together. And, by the way, so do privacy lawyers and advocates. So I will be doing my part. Time to get back to my job.

About the author: Christopher Wolf  is also a partner in the Washington, DC office of Hogan Lovells LLP, where he is a leader of that firm’s privacy practice group. The views expressed by the Future of Privacy Forum are solely its own and do not reflect the views of Hogan Lovells LLP or its clients.

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone