Posted in Privacy Officers
A recent article in The New York Times noted that every one of Volkswagen’s (VW) manufacturing plants in the world has an employee works council except one: the VW plant in Chattanooga, TN. Works councils are popular in VW’s home country of Germany and created by a directive in the European Union. This directive mandates employees have a voice in working with management about working conditions in their environment.
U.S. chief privacy officers (CPOs) and their European counterparts—data protection officers (DPOs)—often work with works councils in many areas but especially in protecting employee privacy. In fact, German DPOs and their corporate works councils have a reputation for being strong defenders in protecting privacy rights. Want to monitor e-mail or social media in the workplace? Centralize your HR records in the U.S.? Or ready to add a whistleblower hotline? The German Works Council Act, for example, empowers the works council to agree or refuse consent of many employee-monitoring devices. All of these require consultation in advance of the organization’s works council, and you can expect to hear a strong statement in support of protecting privacy rights!
When I was Chief Privacy Officer at the U.S. Department of Homeland Security from 2009-2012, I was asked frequently how the Department of Homeland Security Privacy Office was able to ascertain whether the privacy protections initially embedded in DHS programs and systems were being applied, and whether they were effective in protecting privacy. As with many things in privacy, the answer is: auditing and accountability, the last Fair Information Practice Principle. In order to be effective, the accountability must be integrated through all parts of the information governance lifecycle, including analyzing the privacy programs at the Department and component level themselves.
To more accurately assess this inquiry, I looked outside of associations based solely on one’s education and looked for associations based on one’s role or job and I found several examples of codes of ethics for professionals. There are members of IAPP who are also members of some of these other professional associations: HCCA, ISC2, SCCE, just to name a few. Additionally, many members of the IAPP are licensed attorneys and bound by the ethics of their license; such is also true for medical professionals, accountants, social workers, teachers, and many other fields. Alex Fowler addressed this same issue.
Having experience in the medical, educational and legal environments, I am acquainted with the potential for conflict between professional obligations. For example, I occasionally faced conflicts between my obligations as a nurse and my obligations as an attorney. While there is always an eventual decision made after careful analysis, this decision is not always concrete and is subject to context and opinion.
The recent news about the extent to which the U.S. government is monitoring the communications, online interactions and activities of American citizens brings into question our ethical responsibilities as privacy professionals.
All of the companies caught up in the news that complied with secret court orders to hand over bulk user data have privacy officers and dedicated teams of privacy professionals. Yet the extent to which any of these privacy teams were involved or were aware of these orders is unclear. This simple irony provokes reflection on the role of privacy professionals and our associated ethical and social responsibilities.
Privacy has always been a difficult concept to define, and privacy issues are complex.
For Europeans, privacy is a human right, while for Americans, privacy tends to be about liberty. It’s often thought that the Holocaust and the rise of totalitarianism in 20th century Europe have been the catalysts behind the region’s strong privacy and data protection regimes.
A recent book by Edwin Black, in detailed research, examines Nazi Germany’s use of the computer’s forebear to aid in systematic genocide. These Hollerith machines and punch cards helped the Third Reich organize and carry out the atrocities of the Holocaust. And in post-war Europe, the widespread use of surveillance and coercion informed and empowered the Stasi, the KGB and other totalitarian enforcers.
But is that the real reason the U.S. and Europe have such seemingly differing cultural constructions of privacy?
Privacy on the Ground
Our previous posts reported some initial conclusions from almost one hundred interviews of leading corporate privacy officers, regulators and other privacy professionals in five countries. The second post explored one surprising finding—that the two countries in which privacy officers were most empowered were Germany and the United States, countries which couldn’t be more different in terms of their regulatory framework—and explored some of the reasons for privacy officer strength in Germany.
This final post explores a caution raised by privacy officers in both the public- and private-sector regarding particular risks created by attempts to ensure that privacy is part of high-level deliberations within a corporation—risks that must be managed in developing policy regarding privacy.
Privacy on the Ground
Our previous post began to explore findings from almost one hundred interviews of leading corporate privacy officers, regulators and other privacy professionals in five countries—and what they can teach us about how the structure of the corporate privacy function can affect the success of measures to protect privacy.
We ended that post with a surprising finding: The two countries in which privacy officers were most empowered, and most involved in shaping firm strategy, couldn’t be more different in terms of their regulatory substance and form—Germany and the U.S.