Why I Became A Privacy Professional—And What Privacy Means
Long before I became a privacy professional, I first graduated with a degree in computer science. At the time, like many graduates, I had little real notion of what it was I wanted to do with my life, so I took a couple of internships working as a database programmer. That was my first introduction to the world of data.
I quickly realized that I had little ambition to remain a career programmer, so I began to look at other professions. In my early twenties, and having the kind of idealistic tendencies commonplace in many young graduates, I decided I wanted to do something that mattered, something that would—in some way—benefit the world: I chose to become a lawyer.
Not, you might think, the most obvious choice given the (unfair) reputation that the legal profession tends to suffer. Nevertheless, I was attracted to a profession bound by an ethical code, that believed in principles like “innocent until proven guilty” and acting in the best interests of the client and that took the time to explore and understand both sides to every argument. And, if I’m completely honest, I was also attracted by the unlimited access to truly wonderful stationery that a legal career would afford.
After brief stints as a trainee in real estate law, litigation and environmental law, I decided to pursue a career as a technology lawyer. After all, given my background, it seemed a natural fit, and having a technical understanding of the difference between things like megabytes and megabits, RAM and ROM and synchronous and asynchronous broadband gave me a head start over some of my peers.
On qualifying, I began picking up the odd bit of data protection work (Read: drafting privacy policies). Over time, I became a privacy “go to” person in the firms I worked at, not so much through any great talent on my part but simply because, at the time, I was among the small number of lawyers who knew anything about privacy and, for reasons I still don’t really understand, my colleagues considered data protection work a bewilderingly complex area of law, best left to those who “get” it—much like the way I felt about tax and antitrust law.
It’s not a career path I regret. I love advising on privacy issues because privacy speaks to all the idealized ethical notions I had when I first graduated. With privacy, I get to advise on matters that affect people, that concern right or wrong, that are guided by lofty ethical principles about respecting people’s fundamental rights. I run projects across scores of different countries, each with different legal regimes, regulators and cultural sensitivities. Intellectually, it is very challenging and satisfying.
Yet, at the same time, I have grown increasingly concerned about the dichotomy between the protections law and regulation see fit to mandate and what, in practice, actually delivers the best protection for people’s personal information. To my mind, far too much time is spent on filing registrations and carefully designing legal terms that satisfy legal obligations and create the impression of good compliance; far too little time is spent on privacy impact analyses, careful system design, robust vendor procurement processes and training and audit.
Lawyers, naturally enough, often think of privacy in terms of legal compliance, but any professional experienced in privacy will tell you that many legal obligations are counterintuitive or do little, in real terms, to protect people’s information. Take the EU’s binary controller/ processor regime, for example. Why do controllers bear all the compliance risk? Surely everyone who handles data has a role to play in its protection. Similarly, what good do local controller registrations do anyone? They’re a costly, burdensome paperwork exercise that is seldom completed efficiently, accurately or—in many cases—even at all. And all those intra-group data sharing agreements—how much time do you spend negotiating their language with regional counsel rather than implementing measures to actually protect data?
Questions like these trouble me. While the upcoming EU legal reform attempts to address several of these issues, many of its proposed changes to me seem likely to further exacerbate the problem. But for every critic of the reforms, there is an equally vocal proponent of them. So much so that reaching an agreed position between the European Council and Parliament—or even just within the Parliament—seems a near-insurmountable task.
Why is this reform so polarizing? It would be easy to characterize the division of opinions simply as being a split between regulators and industry, privacy advocates and industry lobbyists—indeed, many do. However, the answer is, I suspect, something more fundamental: namely, that we lack a common understanding of what “privacy” is and why it deserves protection.
As privacy professionals, we take for granted that “privacy” is something important and in need of protection. Yet privacy means different things to different people. To some, it means having the ability to sanction uses of our information before they happen; to others, it means being able to stop uses to which we object. Some focus on the inputs—should this data be collected?—others focus on the outputs: How is the data used? Some believe privacy is an absolute right that must not be compromised; others see privacy as a right that must be balanced against other considerations, such as national security, crime prevention and free speech.
If we’re going to protect privacy effectively, we need to better understand what it is we’re trying to protect and why it deserves protection. Further, we need to advocate this understanding and educate—and listen to—the very subjects of the data we’re trying to protect. Only if we have this shared societal understanding can we lay the foundations for a meaningful and enduring privacy regime. Without it, we’ll chase harms that do not exist and miss those that do.
My point is this: As a profession, we should debate and encourage an informed consensus about what privacy really is, and what it should be, in this digital age. That way, we stand a better chance of creating balanced and effective legal and regulatory frameworks that guard against the real risks to our data subjects. We’ll also better educate the next generation of eager young graduates entering our profession to understand what it is they are protecting and why. And this will benefit us all.
Editor’s Note: Privacy jobs are proliferating, with privacy professionals fast becoming the go-to people for solid legal guidance within their organizations. To hear how three privacy pros got started in the field and for a high-level review of basic privacy laws, register for the IAPP’s web conference, Legal Privacy Primer—First Steps in a Career, to be held July 11.
About the Author
Phil Lee is a partner in the Privacy and Information Law Group at Field Fisher Waterhouse LLP, and runs the Palo Alto office of Field Fisher Waterhouse (California) LLP. Lee has particular specialisms in behavioral profiling and cookie regulation, e-marketing and international data transfer strategies (including binding corporate rules). He has worked on numerous multi-jurisdictional data privacy projects across more than 80 countries.
Lee holds an M.A. in computer science from Cambridge University and a postgraduate diploma in intellectual property from Bristol University. He is a frequent contributor to FFW's Privacy and Information Law blog and is also a contributing author to the IAPP's European Privacy: Law and Practice for Data Protection Professionals and Wolter Kluwers' Global Privacy & Security Laws. Lee is a former committee member of the Society for Computer and Law's Privacy & Data Protection Group.
He can be contacted at firstname.lastname@example.org.