Privacy Influence – 7 Strategies for Trusted Advisors Who Seek to Influence Corporate Decision Makers Operating and Competing in the Data Driven Economy.
Special thanks to Lothar Determann, one of the world's eminent experts in the field of data privacy, for contributing this guest blog. Lothar practices technology law as a partner at Baker McKenzie in Palo Alto and teaches computer, Internet, and data privacy law at Freie Universität Berlin, University of California, Berkeley School of Law, and Hastings College of the Law, San Francisco.
Privacy leaders are in the eye of a perfect storm. Influencers and influenced alike can benefit from situational awareness and recognizing different approaches commonly used by advisors:
Data and Privacy in a Perfect Storm
Some of today's most successful and valuable businesses are relatively young and rose to the top based on innovative data processing and usage. Large, established enterprises watched in disbelief as their business models and markets became disrupted by companies barely 10 years old: Print media, retail chains, taxicabs, travel agencies, video rentals and many more. Fighting for survival, established businesses sensed an urgent need to collect and monetize more data for themselves.
But most started too late and moved too slowly, at a time when the winds were already beginning to shift again: Just as print media journalists were getting traction with amplifying global tech-lash and consumer privacy agitation, their own companies' executives began to embrace cutting-edge digital advertising technologies that tracked, traced and traded consumer data full throttle. Meanwhile, old school retailers attracted regulatory scrutiny for intrusive "community market research" programs and major security breaches.
Increased regulation and enforcement mirrored this shift. In May 2018, the European Union ratcheted its already prohibitive data processing regulations up a few notches with the General Data Protection Regulation (GDPR), threatening fines of up to Euro 20m or 4% of global, group-wide sales, whichever is greater. Just a month later, the California Legislature, pressured by a popular ballot initiative, established even more rigid and complex restrictions in the California Consumer Privacy Act (CCPA). In 2019, the U.S. Federal Trade Commission set a new record with a $5bn fine for violations of privacy laws.
So, just as old school businesses discover the value of data as the fuel of the digital economy, fuel is rationed by privacy regulators, fuel prices are rising steeply and compliance risks are going through the roof. In addition, just as management finally steered their ships in new directions, they have had to bring data privacy officers on board who say "no" to innovation more sternly than ever imaginable in the face of mounting waves of regulatory inquiries, data subject access requests, shareholder protests and class action lawsuits, all focused on data, privacy, or both.
Influence on Course
In this perfect storm, many captains seem unsure what to do about privacy: Follow industry leaders while they are hammered with fines? Turn back from data mining to coal mining at a time when it is clear that businesses cannot survive without data and sound analytics? Steer the ship toward calmer waters but take the risk that a competitor barreling through the storm will find land faster? Haul sail? The captains consult their crew more: Data privacy officers and counsels get more face time with company boards now than ever before.
In my role as legal counsel and law professor, I normally write about what companies should do, why, and how they should do it. In my Field Guide to Data Privacy Law, I address the "why protect privacy" question in an "A-Z" chapter under "Y" for "why."
In this note, I am offering a few observations on how people influence companies with respect to privacy. After all, companies do not really exist in the physical world. Companies are legal entities. Companies are fictions, invented by lawyers to shield individuals from responsibility and liability under certain circumstances. In the real world, people (not companies) are acting, deciding, communicating and processing personal data. In the real world, people protect or intrude into privacy. Influencers can direct people towards protection or intrusion.
Captains, Coxswains and Counsels
Chief executives and other managers make decisions for companies; they are the direct influencers regarding their companies' actions and omissions affecting the privacy of their employees, customers and service providers. Most companies also task a number of specialists with responsibilities regarding privacy, including data protection officers, privacy operations managers, information security officers, and legal counsels. And many outside counsels and consultants note that privacy is everyone's responsibility at companies, because every employee can intrude or protect. So, a wise captain trains everyone to keep watch.
Indirect influencers are those who cannot formally decide or act on behalf of a company, but who can try to steer the company in a certain direction: Consumers, counsels, consultants, journalists, advocacy groups.
Methods and Madness
Consumers, journalists and advocacy groups can influence with carrots and sticks: They can reward good behavior and expose or punish bad behavior in the context of business dealings, consumer reviews, news articles, opinion polls, ballot initiatives and litigation.
Outside legal counsels and consultants tend to be limited in their advisory roles. Primarily, they influence decision-makers by providing valid information, as requested by the decision-makers. At a minimum, privacy counsel answer their clients' questions: what is required, and what is permitted by law?
Yet, clients often ask for more than strictly legal advice and frequently add a question about "what would you do?" Moreover, clients expect trusted advisors to be proactive and bring important risks and opportunities to their attention without being prompted.
In practice, attorneys and other advisors typically pursue one or more of the following approaches to influence management into good decisions:
- "Scare Tactics:" Advisors are quick to point out risks of large fines and catastrophic outcomes; this is appropriate to some extent, given the excessive increase in fines in the last couple of years; but fear-mongering by indirect influencers in the privacy field has been disproportionate in the last twenty years and most direct influencers do not react well to it. Informed leaders are more effective than scared ones.
- "Follow the Herd:" Advisors who are familiar with common industry practices can offer valuable commercial insights to their clients beyond reporting on the black letter law. Direct influencers often make their decisions based on calculations of risk, which depend not only on what laws require, but also how the laws are enforced and how competitors are adhering to laws. Knowing industry trends is helpful, but following herds like lemmings does not guarantee good outcomes.
- "Best Practices:" Some advisors frame their recommendations as "best practices" where the law is unclear or perhaps where the advisor is not entirely familiar with legal or industry requirements. Recommendations regarding "best practices" can be helpful where grounded in commercial reality, but a list of unattainable goals is typically not helpful to direct influencers. Perfection can be the enemy of the good. Some advisors who couch their advice as best practices seem to follow recommendations from government authorities or advocacy groups without much critical analysis or reflection.
- "Taking Positions:" Where laws are unclear and industry practices are developing, advisors can be particularly influential if they propose possible positions and brief their clients with sufficient detail and authority on how to put a stake in the ground and what potential repercussions could be.
- "Automation and Technical Solutions:" Data processing is largely automated. Consequently, data privacy advisors must consider technical solutions to be effective. Yet, data privacy is not as binary as information security (whose only objective is to prevent unauthorized access to data). Influencers have to work through a lot of balancing-of-interests questions before they can define processes that can be automated. Consultants that rush companies into buying automation tools before intelligent decisions are made regarding the balance of data usage and privacy typically disappoint their clients in the long run.
- "Transaction, Project First:" Some advisors offer narrowly tailored compliance solutions focused entirely on a particular type of project or law. For example, as companies ramped up to ready themselves for the GDPR by May 15, 2018, and for CCPA compliance by Jan 1, 2020, many advisory firms were quick to offer standardized project packages with a transactional mindset. Some firms even offer "legal tech" solutions; e.g., "CCPA compliance for $5,000". While focusing on compliance in the context of a particular project or law can be beneficial, companies should consider carefully what type of advice they want and need when they request and receive proposals to obtain compliance advice. Companies should be wary of claims that subscribing to a particular online solution and downloading a suite of off-the-shelf documents will automatically result in compliance. Within rigid frameworks of fixed fee budgets and pre-defined deliverables, indirect influencers can become confined by statements of work and incentivized to check boxes. Whether their influence lasts will show relatively soon after the project is completed and the deadline has passed.
Which course is best to chart for those at the helm of new and established enterprises depends on the personality of captain and crew. Corporate culture determines how decisions are made and are strongly influenced by risk tolerance. Proactive leaders and advisors can benefit from recognizing features, strengths and weaknesses of different approaches and becoming aware of preferences and methods. Influencers can lead by observing trends, establishing programs, and empowering all crew members to stay on watch for privacy swells and calms. Over time, as this continues, the enterprise and its advisors will find a rhythm of watch and response, leading to resilient privacy programs that are able to adapt in the face of shifting currents.
Lothar Determann practices technology law as a partner at Baker McKenzie in Palo Alto and teaches computer, Internet, and data privacy law at Freie Universität Berlin, University of California, Berkeley School of Law, and Hastings College of the Law, San Francisco. He has published more than 150 articles and 5 books, including Determann's Field Guide to Data Privacy Law (4th Ed. 2020), which has been translated and published also in Chinese, German, Japanese, Portuguese, Russian, Spanish and Turkish. Opinions expressed in this article are those of the author, and not of his firm, clients, or others.