Privacy on the Ground

Why Are German and U.S. Practices so Similar, if Their Regulatory Structures Are so Different?

Note from the Editor:

This is the second in a series of three posts on privacy officers in the U.S. and Europe from Berkeley Profs. Kenneth Bamberger and Deirdre Mulligan. They discussed some of their findings in the breakout session Privacy on the Ground in the U.S. and Europe, March 7, at the IAPP Global Privacy Summit in Washington, DC.

Our previous post began to explore findings from almost one hundred interviews of leading corporate privacy officers, regulators and other privacy professionals in five countries—and what they can teach us about how the structure of the corporate privacy function can affect the success of measures to protect privacy.

We ended that post with a surprising finding: The two countries in which privacy officers were most empowered, and most involved in shaping firm strategy, couldn’t be more different in terms of their regulatory substance and form—Germany and the U.S.

This is especially startling, because in global debates the German legal commitment to privacy protection is frequently held up as representing one end of the spectrum (strongest), while the U.S. approach is placed at the other.

It is also remarkable, given that the definitions of privacy we found at work within corporations in each country are similarly distinct. In the U.S., CPOs reported an amorphous and evolving definition of privacy, infused by the consumer-protection-oriented objectives of key regulators (the Federal Trade Commission and state Attorneys General) in a manner that makes meeting privacy obligations a more forward-looking, externally oriented and dynamic task.

In Germany, by contrast, corporate DPOs describe privacy efforts centered around compliance with data protection law—as do their colleagues in Spain and France. 

Why, then, are German corporate privacy practices largely different from those in other European jurisdictions? And why are they most similar to those in the U.S., where approaches to privacy are decidedly different?

While our research indicates that a large number of elements combine to shape the privacy landscape in a country, a few elements of the German scene stand out in explaining some of the similarities: 

  • In Germany we found that data protection within the firm is solidly and specifically influenced by other ethical frameworks that—like consumer protection in the U.S. context—require DPOs to be more actively engaged in sorting out privacy’s meaning as it is shaped by a negotiation with a variety of players in the privacy “field.”
  • As an initial matter, our interviewees described privacy in Germany as conceived within a broader ethical framework of human dignity derived from the atrocities of World War II, one that therefore engages a number of social and political players beyond the privacy profession in shaping its meaning.
  • Secondly, information privacy is considered a strong element of commitments to protect and respect employees—commitments protected elsewhere in German law, which mandates the existence of a powerful workers council within each firm, exercising representation on the corporate board. 
  • These additional institutional structures, committed to engagement with negotiations about the meaning of privacy, and empowered to ensure corporate accountability, support the work of DPOs within the firm and provide a richer language that DPOs can leverage to engage firm leadership, garner resources for privacy and move beyond a purely compliance focus.

It is important to note that despite a longstanding statutory requirement for firms to employ DPOs—with protections guaranteeing independence and management access similar in many respects to the requirements set out in the EU Draft Regulation—the German DPOs who we interviewed indicated that the DPO role has only achieved its full and robust form in recent years.

Thus our interviews suggest that statutory command—while sufficient to establish a data protection office within firms—did not, on its own, deliver the robust DPO equipped with the power, authority and resources to push privacy aggressively into firm activities. 

According to our interviewees, it took: (1) risks to firm reputation flowing from the increased possibility of negative publicity wrought by higher fines and penalties meted out by regulators, (2) the adoption of data breach laws in a growing number of countries, and (3) the way these two developments empowered existing institutional players like consumer groups, workers councils and the legally mandated DPO to fully realize the lead privacy officer roles they now occupy.

This suggests that ensuring DPO power and authority to influence privacy within the firm requires more than a statutory mandate. It also needs a focus on keeping privacy matters in the public spotlight and on supporting constituencies—be they consumer and privacy organizations or labor representatives—that use information about firm practices and missteps to focus the attention of the public, regulators and firms, fueling constant improvement in policy and practice.

About the Author

Deirdre K. Mulligan is an Assistant Professor at the School of Information at UC Berkeley, and a Faculty Director at the Berkeley Center for Law & Technology. Prior to joining the School of Information Mulligan was a Clinical Professor of Law and the founding Director of the Samuelson Law, Technology & Public Policy Clinic at the UC Berkeley School of Law. She is the policy lead for the NSF-funded TRUST Science and Technology Center, which brings together researchers at U.C. Berkeley, Carnegie-Mellon University, Cornell University, Stanford University, and Vanderbilt University. Prior to joining academia she served as staff counsel at the Center for Democracy & Technology in Washington, D.C. Mulligan’s current research agenda focuses on information privacy and security. Current projects include comparative, qualitative research to explore the conceptualization and management of privacy within corporations based in different jurisdictions and policy approaches to improving cybersecurity. Other areas of current research include exploring users' conceptions of privacy in the online environment and their relation to existing theories of privacy. She is chair of the board of directors of the Center for Democracy and Technology, and co-chair of Microsoft's Trustworthy Computing Academic Advisory Board.


Kenneth A. Bamberger is Professor of Law at the University of California, Berkeley, and co-director of the Berkeley Center for Law and Technology. He is an expert on government regulation and corporate compliance, especially with regard to issues of technology and information privacy. His groundbreaking study of privacy practices in the U.S. and Europe, conducted with UC Berkeley Information Prof. Deirdre Mulligan, will be published by MIT Press in 2014.


Comments

  • March 28, 2013
    IAPP Member
    replied:

    Dear Professor Mulligan, Dear Professor Bamberger,
    With excitement I will be awaiting the publication of your study in 2014, hoping that I will then better understand the finding that German and US practices are similar to each other in the private sector. This blog post, unfortunately, leaves me wondering. If this study is about privacy practices and not just about the daily routines of privacy officers, then one difference comes to my mind which is so fundamental that it is impossible to find practices in general similar, even if some details look alike: Absent a privacy policy’s promises to the contrary, in most industry sectors in the US data controllers do not need specific permission from the data subject to have his or her data processed. Data once collected for purposes of executing a contract with the data subject may and will be stored forever by many US-based companies, and there is nothing a data subject can do against that. Often, privacy policies do not even relate to time limits of retention, nor do they foresee a consumer’s right to demand deletion. The amount of dormant, unnecessary data should be much higher in the US than in Germany, and so is probably the temptation to store large amounts of personal data for the sole reason that in the future there may be some use for it. In Germany, however, data storage for executing a contract with the data subject must be necessary. After execution, data will be deleted. Data subjects have a right to be informed about their personal information being stored by companies, and they may demand deletion if unnecessary data is stored or data is stored without permission (in the case of data collected for advertisement purposes, for example). I would assume that this legal framework, which for the most part is shared among European countries, determines the privacy practices of companies. It may not so much determine how privacy officers perceive their profession and their role in the organization, but that wasn’t the question, was it?
    After all, an interesting blog, but it poses questions that so far remain unanswered.

  • April 01, 2013
    burgada
    replied:

    Germans are Nazis of the past and Americans are Nazis of today, so this resemblance.
