Home | Databases | WorldLII | Search | Feedback Privacy Law and Policy Reporter

Berthold, Mark --- "Mis-managing privacy" [1994] PrivLawPRpr 150; (1994) 1(10) Privacy Law & Policy Reporter 196

Mis-managing privacy

H. Jeff Smith Managing privacy: Information technology and corporate America, Chapel Hill 1994; 289pp, US$17.95

This is the first comprehensive empirical study describing the corporate response to privacy issues in the US. As with Australia, that jurisdiction lacks comprehensive private sector legislation. Instead, it has a patchwork of specific laws which fail to cover the field. Smith's findings are therefore pertinent to the issue of whether comprehensive legislation should be applied to the private sector in jurisdictions lacking such regulation. This greatly assists a debate which has been conducted hitherto mainly at a theoretical level. The study identifies forces at work requiring resolution quite apart from the usually cited justifications of securing human rights and the transborder flow of personal data.

The study is based on interviews with executives in seven unidentified companies, namely three banks, three insurance organisations, and one credit card company. He summarises the general pattern in the following terms:

The study reveals that in many industries, executives are afraid to confront the issue of information privacy - so much so that they go to extensive lengths to avoid the topic's discussion and investigation. And when executives do confront the issue, it is almost always in a reactive and not a proactive manner, primarily because the decision-making process is a cyclical one. A period of 'drift', in which executives rely on middle management to create new practices, is followed by some external threat - a disturbance, usually through legislation or the media - that shocks the corporation into an official response. Then, the totality of practices is considered formally in an official policy-making exercise.

The 'drift' period

Smith observes that all seven organisations studied 'exhibited a remarkably similar approach: the policy-making process, which occurred over time, was a wandering and reactive one'. He identifies the following factors as inhibiting companies from developing adequate and coherent privacy policies during this period of policy drift.

Corporate culture: Managerial attention tends to focus on items that benefit the corporation in the short term, such as cost reduction programs. Since information privacy guidelines would be more likely to reap organisational benefits in the long term, they receive less attention.

Corporate organisation: In the absence of top-down leadership, middle level management is left to develop their own set of localised and often divergent policies. In addition to fragmentation, this reduces the legitimacy of such policies. Employees cannot invoke an official company policy to support their actions. This weakens adherence to departmental policies, creating divergent practices.

Corporate coyness: Most executives surveyed said they wanted to support privacy policies only after their was a clear consensus in their industry. Few wanted to be at the forefront. This delayed a consensus developing.

Ambiguity: This is the most serious obstacle identified by Smith:

Because information privacy is not an area with clear-cut boundaries on appropriate and inappropriate behaviour, organisations are often left to plot their course through a thicket of differing opinions.

This ambiguity has several facets. There is no social consensus on whether companies have an ethical duty to protect privacy, rather than concentrate on immediate profits. Social consensus is also lacking on specific issues, such as which targeted marketing practices are acceptable, and which are not? He notes that 'we are dealing today with the technology of the 1990s but the social norms of the 1970s'.

The future

Smith predicts the following trends whether or not a comprehensive legislative solution is found.

Consumer backlash: Smith notes that the resultant lack of clear privacy policies abets the perpetuation of defective privacy practices. While consumers have tended to be largely unaware of these practices, this is changing with increasing media attention to the issue. He anticipates consumer backlash against corporations perceived as violating privacy. The study indicates that this is unlikely to be deflected by corporate arguments about profitability, if it is at the expense of the consumer's privacy. More positively, privacy will be used increasingly as a competitive weapon as it becomes of more vital concern for consumers.

Blurring of sectors: The distinction between the public and private sectors will become increasingly blurred. Direct marketers are buying government data and the FBI is buying direct marketers' data.

Solution

Smith observes that the US's existing approach of self-help and voluntary control are not working. Instead:

The US should move towards a more cohesive approach that reduces the ambiguity by acknowledging the validity of an updated set of fair information practices, clarifying the corporate responsibilities for protecting privacy, and establishing a new legislative infrastructure that creates proper incentives for industry and corporate actions.

He therefore concludes that legal regulation is necessary, notwithstanding its societal cost of government-created enforcement mechanisms requiring corporations to devote some of their resources in compliance. Until then, the drifting policy-making process observed by Smith will continue.

Corporate reaction

The Hong Kong Law Reform Commission's recent report has proposed a detailed regulatory regime for that jurisdiction's public and private sector. Extensive media coverage has not-elicited any public criticism by the corporate sector. This refutes the belief in some quarters that corporate regulation is always vociferously opposed. Smith cites a study which illuminates the possible reasons. Respondents were asked to choose which of the following options would best improve privacy protection:

1. Stronger laws.
2. Technological safeguards, such as computer passwords.
3. Corporate policies developed by the corporations themselves.

Smith comments:

The most interesting finding is that laws are generally preferred to corporate policies, if companies are left to set the policies themselves. Surprisingly, respondents preferred legal mandates over this ambiguous scenario. There are two possible explanations for this finding: 1) the respondents do not trust their own corporations to make policies; or 2) the respondents feel that the government's legal boundaries would be a welcome addition to what, in many cases, are areas of great ambiguity.

Mark Berthold,

Hong Kong Law Reform Commission.