Multinationals, Privacy, AML/CTF et al.

A small update (more to come) to announce that an article I wrote with W. Travis Selmier in 2015 has been published!  Due to unforeseen delays in production, Border Crossings released our article in their April 2016 issue.  We hope you enjoy it.

“Multinational Banks as Carriers for US & EU Law”

In other news, the SWIFT paper will be in the public eye very soon.  I had the opportunity to speak about it at the IAPP Global Privacy Summit in Washington, DC in November (“Mission Impossible: Complying with Banking Secrecy, Privacy, and AML Obligations”) to an enthusiastic audience, and with a great panel.  I am very proud of this work and hope that it helps the transatlantic banking and regulatory communities tackle AML/CTF and data protection issues as the EU’s 4th Anti-Money Laundering Directive (4AMLD) and the General Data Protection Regulation (GDPR) become realities in the next two years.

Why Bitcoin is Like PONG

I’ve been absent from blog writing to finish the SWIFT Project (nearly done!), and to write a piece for American Banker.   Now, I’m taking a moment to pause for some brief thoughts on bitcoin.

I ‘own’ 1,017.69 bits, which amounts to 25 cents USD. I was a little giddy when someone on Twitter gifted them to me as a reward for a snarky comment about the financial crisis.

Receiving bitcoin was like getting PONG for Christmas circa 1977.   For those not as nerd-minded as I, I assure you this is a compliment.

PONG, in its pixelated glory, was a pioneer of home gaming, a forerunner of the fantastic systems we have today.  Bitcoin is part of that same technological spirit because the blockchain has the potential to take money, value, and payments out of the hands of states and financial institutions, and bring it into our homes.

Before people start screaming “It’s not widespread and a fad!”, or cheering “Down with the establishment!” let me explain – it’s a start not an end.

Bitcoin is a product of a community that has always been interested in stretching boundaries.  It’s where the ideas start, but the ideas really begin to enter our daily lives and become ‘normal’ because of their ability to adapt to current conditions, and then become mainstream.  That’s going to take some time, and some new ideas.

To me, the blockchain is part of an evolutionary development in money’s digital transformation.  This initiative came from the private sector, but we’ve already seen states create their own digital currency with Special Drawing Rights (SDRs).

The technology and the ideas behind the blockchain are diverse and adaptable – exactly the kinds of “innovative” thinking that the financial industry adores.

Markets and consumers are excited about the possibilities, because it:

States and regulators have been cautious.  In the EU, the European Banking Authority warned that virtual currencies are unregulated and that lack of regulation brings regulatory risk. However, a few months ago, an official from the EBA told me this did not mean it was against digital currencies – “We like diversity.”

The US has issued fines and started to regulate Bitcoin with limited success.  Meanwhile, like-minded companies strive to provide individuals and firms who use bitcoin and the blockchain with the same confidence fiat currencies enjoy.

Lastly, the blockchain is transparent, but can offer privacy with some effort, which is one of the least understood aspects of the technology.  This year, I was at a dinner where a successful business guest dismissed bitcoin saying it was “just for illegal stuff.”  When I responded that it was appealing for many reasons including the possibility of privacy, I was asked, “What’s the big deal about your information? Are you some kind of data survivalist?”

No, I was not afraid of the government and did not envision some apocalyptic data future.  I just like the idea, which did not make me a contemporary societal anomaly.

The message was not well received, but I was not surprised.

Later, I rode home on the train, playing PONG on my smart phone.

Google, the Right to be Forgotten & Multinational Corporations

Today, I joined 80 other academics in requesting Google to release more information about its implementation of the European Court of Justice’s “Right to be Forgotten” (RTBF) ruling.

Last year, in Harvard Business Review I said that the Decision presented opportunities for innovation and profit if transnational companies recognized the demands of established, and emerging, privacy markets.  However, profit isn’t the only reason why companies should be interested in Google’s RTBF process – it is a prime example of the important role that the private sector plays in setting transnational privacy standards.

The ECJ applied EU data protection law, but it did not set the procedures for the implementation of the Right to be Forgotten.   This task has been left to Google, which has been working with a core group of advisors and EU bodies like Working Party 29 to build internal procedures to comply with a legal concept that continues to evolve.  In effect, the Google experiment will set processes that will influence, either positively or negatively depending with whom you speak, the future of privacy and data protection for the EU and anyone who does business there.

Google’s actions, voluntary or not, are a valuable part of the data privacy dialogue among states, corporations, and individuals.   For any law to be successful (measure success how you will) it must take into consideration how companies operate.  In setting internal processes to comply, corporations make their greatest contributions to data protection.

Google has already responded to our open letter saying it will “consider” more transparency.  I suspect it fears publishing data on still-evolving policies or revealing proprietary information.  However, clarifying RTBF procedures may assist the company to identify program strengths and weaknesses, reduce the number of ineligible removal submissions, help other companies to understand regulatory expectations and perhaps prompt them to adopt some of Google’s strategies, and in due time, inform the content and character of future legislation.

Thus, Google’s practices demonstrate the private sector’s influence on the implementation of data protection law.  It also suggests that corporations shouldn’t have to engage in standards-setting only in response to a legal mandate.

In today’s global digital business atmosphere, companies confront transnational data flows and privacy conflicts in their operations every day. Yet, multinationals typically view privacy concerns as an infringement on their business models.  Instead, the private sector could use its operational knowledge and implementation power to create industry-wide data protection standards that consider national legislation, are responsive to customer concerns and lower their operational risks, before, or even in the absence of regulatory mandates.

Adopting a privacy inclusive view of data operations is better than waiting for, and responding to, litigation, which is a losing strategy in an interconnected world.

Separation Anxiety: AML, Privacy, Vendors & Multinationals

Last month, I had the pleasure of speaking at the 20th Annual ACAMS AML & Financial Crime Conference in Hollywood, FL.  From my understanding, it was the first time the organization had offered a panel on compliance and privacy for cross-border data flows. Our panel was well-attended, which demonstrated the industry’s growing concern about these issues. It was a great experience and I had a wonderful time with my fellow panelists.

I attended many panels in those two days as the lone academic in a sea of compliance professionals (social anthropology note: they dress better than academics, drinks are free and top-shelf, nice swag).  I had great conversations, quite a lot of fun, and the insights I gained from these interactions reinforced some of the mantras in my research.

So this intrepid academic decided to do some very informal interviewing and observations at the exhibition hall.  I walked through to see if any vendors listed privacy as a service in their displays (only 2). At the same time, I randomly asked about their experience with AML and privacy.

My opening salvo went something like this:

Do you have any technology-driven or governance-centered services that address AML and data protection for national or international banking?

“No, each of those services are client-driven.”
“We don’t have anyone at this conference who can speak about privacy.”
“It’s separate from AML.”
“Our service doesn’t handle data protection.”

At this point, there are few, if any, services able to provide the financial community with technological solutions that take into account INFOSEC, data protection, and compliance (AML and otherwise).   And, we cannot ignore the governance and policy instruments that must come with them.   I love the automated aspects of the field but they cannot, and should not, dominate compliance.

Now I’m not blaming the vendors solely for these shortcomings.  They respond to their customers’ demands.  Everyone is focusing on AML because the fines are getting bigger and privacy is pushed to the low-risk back-burner.   (By the way, I’ve found similar problems with privacy professionals, so I’m not picking on AML.)

These conditions also reflect a separation between security and privacy in the regulations themselves (e.g. I’ll be speaking about the still unresolved problems in the 4th Money Laundering Directive and data protection in London in May).

However, privacy is catching up.

I predict that in 5 years financial institutions will find themselves scrambling to respond to data protection/privacy regulations that are already issues, or in the pipeline.  They will spend money to employ a new team of specialized consultants, which will produce redundant services that could easily be integrated into existing structures with a little ingenuity. They will do all of this not realizing that privacy is already part of their business, because their clients already expect it.

Innovation involves seeing relationships beyond your nose – and the horizon.

Common Interests, Uncommon Responses

Last month, Jan Philipp Albrecht, Member of European Parliament (Greens/EFA) and rapporteur for the EU’s Data Protection Regulation stated, “There is an urgency to build a common interpretation of national security.  It is on our common security interest.” 

It caught my attention because I have been writing about the correlation among threat perception, counter-terrorism, and data-sharing.

It is important to build a common interpretation of national security for a number of reasons. Governments are more likely to cooperate when they share similar perceptions of a threat. However, because of their experiences with political violence, the US and EU have developed different institutions and procedures to deal with terrorist threats, which have heavily influenced their views and laws on privacy, surveillance, and data-sharing.

In short, they understand why it is important to confront political violence, but disagree about how to do so.

Today President Obama and Chancellor Merkel recognized how historical experience had produced divergent approaches to government surveillance. Mr. Obama stated, “Given Germany’s history, there are going to be sensitivities around this issue…There are going to be irritants like there are among friends.”  Merkel concurred, “There are still disagreements on some points.” [“Es gibt da nach wie vor unterschiedliche Auffassungen in einigen Punkten.”]

First, neither the US nor Europe will be able to completely alter the way they confront terrorism because their experiences have produced different methods and institutions to counter these threats.   (And even here we cannot lump Europe into one EU basket either.)

Second, the US and Europe have little choice but to get along because of the transnational nature of terrorism.   Their differences, however, have not halted data-exchange among intelligence and police networks.  That’s also because there’s a shared sense of purpose and duty among these groups across the Atlantic. There are numerous examples of bilateral and multilateral cooperation, but the one that comes easily to my mind is the Terrorist Finance Tracking Program, TFTP.

To me, the TFTP, Safe Harbor, (and even the limited SIGINT reform) demonstrate something else – that cooperation on the collection and transfer of transatlantic data (both public and privately held) is slowly (and painfully) producing a hybrid system that takes the histories, values, and institutions of the US and EU into account.

Whatever the result, it’s going to be a bumpy ride, and sure to displease everyone.


The “Weaponization of Finance” is more than Sanctions – It’s Data

I am always happy when I see people address the links between finance and security because it is so rare.

Last month, Daniel Drezner, of Tufts University and the Brookings Institution, wrote about the “hard limits of economic statecraft” regarding the use of sanctions against Russia’s actions in the Ukraine (interview here too).  This week, Ian Bremmer and Cliff Kupchan, of the Eurasia Group, listed “The Weaponization of Finance” as a “Top Risk of 2015.”

Bremmer and Kupchan correctly assert that the US’s global financial position affords American policymakers powerful means to influence behaviors beyond its borders.  Specifically, they note access to capital markets and sanctions as “tools of coercive diplomacy.”  They cite the US influence on norms in international organizations, the dollar’s role as the premier reserve and investment currency, and the vulnerability of the private banking sector to cyber-attack as further evidence of its power resources.

Sanctions deserve a place in the statecraft toolbox, but as Business Insider’s @elenaholodny summarized, they are difficult to employ successfully (See also David Baldwin’s classic Economic Statecraft, Meghan O’Sullivan’s Shrewd Sanctions, Cortright and Lopez’s Smart Sanctions, and Drezner’s own Sanctions Paradox).

Restricting the use of finance to sanctions limits its value to foreign affairs. The technological revolution in banking, which has digitalized the industry, finance’s multinational presence, and the increase in recordkeeping and reporting requirements after 9/11 and the 2008 crisis, have provided policymakers with an opportunity to harness financial data to map behaviors, networks of violence, and illicit economies across borders.

The Eurasia Group hints at this: “The United States is expanding its ability to track the financial transactions [my emphasis] of government leaders of concern, as well as their state and private sector allies, in order to close their access to capital and property.”

But governments use financial data for more than sanctions. They do it to detect weaknesses in the system and to track networks of illicit crime and political violence.

Thus, financial data’s ability to help map networks of behavior when combined with other types of information means that finance’s role in foreign policy extends well beyond economics.

That is, of course, if government agencies can acquire that data – legally or otherwise.

I argue (briefly explained here and here) that financial data intelligence is one example of a new type of statecraft suited to the digital age; Information Statecraft – the attempt to influence through the acquisition, control, or presentation of data, information, or knowledge.

However, financial data isn’t solely held by governments; it’s held by private financial institutions, which presents numerous challenges to using financial data for sanctions or other policies.  Bremmer and Kupchan also allude to this point – “the weaponization of finance is a tool that can be used with minimal cooperation from other governments.”  While it oversimplifies the relationships involved, it does highlight the importance of private sector compliance.

Financial institutions have always treasured data for their own purposes, but now states are demanding they record, maintain, and report more of it to authorities (e.g. FATF recommendations for Politically Exposed Persons, Beneficial Ownership, Know Your Customer rules, Suspicious Action/Activity Reports, among others). For decades, and more so after 9/11, governments have expected bankers to be AML/CTF sentinels, which is very far from their primary business, to make money.

The weaponization of finance is real, and has been evolving for a while.  We need to expand our views of statecraft to accommodate the new realities of the digital world, and this is especially true of the relationship between finance and foreign policy.

A Note on Extraterritoriality

“Extraterritoriality” keeps coming up in interviews and conversations, and as I write about the legalities of data sharing I find this concept has a curious pedigree.

In some instances it is exclusionary.  Diplomatic immunity is the most often cited example, where a host country cannot prosecute foreign dignitaries’ misdeeds under local law, but in certain circumstances his/her native land will waive this right.  The term can also denote inclusion, where states claim national law applies beyond their sovereign borders citing the ‘effects test.’

In both, boundaries are defined and crossed.  They perfectly illustrate the legal and physical dichotomies in the world(s) of information communications technologies, finance, and data, which may be geographically and legally defined, yet transnational in their virtual and physical existence.  As I have been told, “Banking is local” – regulations, attitudes about money and investing reflect local expectations, but in the last 40 years the technologies and many of the staffing and services on which we depend to facilitate these relationships, are not.  This is also a problem for international organizations like the IMF that worry about interstate cooperation and enforcement in a regulatory world – “How are they [the G20] going to deal with extraterritoriality?” The suggested answer – “They only cooperate when they are scared.”  The danger is that instead of compromise and adaptation, states and corporations will resort to a tug of war mentality of interests based on strict definitions and boundaries.

Extraterritoriality asks, “Whose rules apply, to whom, and when?” It addresses setting standards and enforcing them.   In the end, I do not think that the corporate world or governments will be entirely successful in avoiding a battle of territorialities, but I do hope that there is enough ‘fear’ to motivate them to recognize the importance of compromise to everyone’s interests. Too often, in the aftermath of crisis (whether it be the national security or financial kind) policy-makers and practitioners fall into a lull of comfort, lose sight of the big picture, and start aggressively pushing politics into areas that desperately demand practical solutions.

Next post:  Qualifying and Quantifying “Big Data” (a buzz word that I’m increasingly beginning to loathe)


The Tension between the Private Individual and Technology

The recent hacking of celebrity iCloud accounts (which happens to others) and the Home Depot data breach have the media once again chirping about the importance of secure data systems.    There’s a lot of talk about how these events bring privacy issues into the light, but I think it is safe to say that most of us live in a digital spotlight now. Long gone are the days where data security and privacy issues reside in darkness.

However, these events are reminders of two realities in the digital world; 1) technological advances are both freeing and limiting to individuals; and directly applicable to 2) the evolution and expectations of personal spaces.

As I’ve been writing about business and governmental viewpoints on data, I haven’t really touched upon the individual.  The individual, you and I, are at the very core of data – we provide it to banks and governments when we use services.   But we use communications technology for personal reasons in ways that are not meant to be public or seen/used by others, or at least no one outside of our choosing. Intimate thoughts and pictures obviously fall under this umbrella.

The expectation of privacy in personal spaces is not new, but technology has altered how we must think about personal space and our expectations of privacy and who is ultimately responsible for protecting privacy.

What is the difference between an envelope containing a private letter stashed in a drawer, and a personal email with its code held on a server or your home computer?  The letter could be intercepted in the mail or stolen from our homes or briefcase, but there was a sense of privacy in those spaces.  The email though could be held on a home pc, on the cloud, accessed from work, or on a mobile phone via public or private network.  Is there an expectation of privacy in all these spaces?

The digital world has physically separated us from our data and made interception easier for people we will never know or meet.  The expectation of what constitutes private spaces has been expanded, which is why it is so difficult to control our data, or to prosecute those who steal it.  The account might be managed by a multinational corporation with offices and servers in several countries, where anyone can access it.  Having what we want or need at any time and anywhere is a wonderful convenience, but it challenges us to think about how we maintain those parts of ourselves we do not want others to see.

Recently we have seen a barrage of headlines asking “Can you trust the cloud?” This question really suggests many things - Can you trust technology to care as much as you do about your data?  Can you trust that you own and control your data? Can you trust that you will be the only one to access your data (Insert a million links to the importance of authentication here)?

Technology is not foolproof.  Like the locks on your front door, there are services that are more difficult to get into (but still vulnerable), while others are there to keep people honest.  It is important to keep these limitations in mind because whether we like it or not, we are not in control of them, there are inherent weaknesses (just like the lock on the door can be picked), and a data breach can impinge on how others see us.

Simply speaking, as individuals we present ourselves in certain ways to certain people.  We tell them things we want them to know, and withhold other details for various reasons. (The Germans call it Persönlichkeit, add Recht to it and you get the legal basis for privacy – “the right to personality”). In a professional atmosphere talking about your home life might not be acceptable so you don’t share it.  You also might feel more comfortable talking about one part of your life with a friend, and another person not so much.  Your relationships are constructed by the type of information that people know about you.

When someone steals your private information and puts it on the web, or controls who has access to it, they are also shaping others’ perceptions about you.  Using technology to store or transmit our thoughts can make data, or behaviors, our view, our beliefs, and our bodies, vulnerable to exposure when others maliciously break into our accounts and steal our data – the bits of information that compose the multifaceted existence of our identities.   They are in control of our personas, not us.

So we have a choice, I suppose.  We can stop using technology because we cannot be certain that we are protected.  That seems like an unfair and unnecessary option.  Free flow of information can be a good thing and it can expose fraud or ill-intent.  However, I’ve been thinking about how security, or the lack thereof, also has the power to limit my ability to utilize technology in a manner of my choosing.  “If you don’t want something to get in the hands of someone not intended to see it, then don’t post it to the cloud.” Individuals, and companies then, are faced with a dilemma which involves a calculation of risk.  I want to use this service, but by doing so I’m exposing myself too.

A recent interviewee commented that my knowledge about privacy issues was unique and that most people were fine with allowing others (government, corporate etc.) to control and use their data for the sake of convenience.  While this might be true, he also mentioned that this made me a lucrative niche market for innovation – providers will create services to cater to people like me. As I wrote in Harvard Business Review, I agree with this, but I wonder how much of this is a constraint on my access to technology.

We love technology but our decision to use it and the consequences of doing so increasingly fall under the discretion of others who may not hold our personal interests in mind.  Why should anyone have to find a special service in order to feel safe from prying eyes no matter who that might be? I do not pretend to have these answers, but it is something that should make everyone a little uncomfortable.  It’s a choice, of course. In the meantime, I’d suggest to keep those intimate records a little closer to home because there are few protections.


Finance, Secure Systems, Regulatory Compliance, and Data Protection are Not the Same

I’ve been reading a lot about privacy and financial data (including studying for the CIPP/US and EU exams) since returning from Europe for a new book I’m writing about the politics and practice of financial data in transatlantic counter-terrorism cooperation, which I will write about in future posts.

Most people do not think about money and data surveillance. It’s more common to talk about how governments monitor our emails, phone calls, Facebook entries, or mobile data because they are communications technologies in their unambiguous forms, but we don’t put much thought into what makes money tick.  The reality is that money is data and we have to view it as more than an instrument of wealth. 

Financial data is money, and it reveals behaviors.

Banks run entirely on information technologies for everything they do no matter what type of transaction or industry, and they are keen to use that data (or Big Data) as a commodity unto itself to sell you things, create market strategies, and to get ahead of their competition.  If a bank’s IT systems are down for 48 hours, that bank is gone, gone, gone.

And the dawn of a digital currency is not new either (e.g. Bitcoin). The anchor of the international monetary system, Special Drawing Rights (SDRs or XDRs, its formal currency code), were created by the G10 governments in the 1960s and have never existed except in digital form.

It’s time to focus on how money is data because financial institutions and governments certainly do so, since our spending habits reveal our behaviors and intentions.  As the old saying goes – “put your money where your mouth is.”  We tend to invest when we believe in things or people, and not much happens without at least a little money changing hands.

Which brings me to financial data protection and privacy.

The common refrain I heard from regulators and those in the financial services was that “finance is already heavily regulated so privacy isn’t much of an issue.” This is false logic.  Assuring client data confidentiality, compliance with record-keeping and accountancy guidelines, or ensuring sound security protocols does not automatically guarantee data privacy.  It’s a mistake to assume that because banks make sure that their data systems are not hackable, or that they are regulatory compliant, that the privacy of client data naturally follows.

My own bank failed to do this, and I offer this narrative as a small example of the disconnect among these concepts.   My visa application to Belgium required a bank letter stating that my accounts were in good standing.  I was not required to provide amounts, but in the end the bank gave me no choice but to disclose this information to 3rd parties.  I received a letter from corporate (after I tried to obtain the letter at the local branch I was told that they did not have that information – so you can decide to give me a loan, but this is too much?) with all the amounts of my accounts included.

The legal disclaimer was priceless:

“Our response is commensurate with the purpose and amount of your inquiry. The information provided is strictly confidential and intended for use solely by the requesting party and in reliance on your statement of intended purpose or use.”

No, the letter was not generated to the “purpose and amount” of my inquiry, and it certainly exceeded my intended purpose and use.  I specifically asked for no amounts to be listed in the letter.  The customer service representative said that it was a form letter, they could not alter it, and it “was generated by our lawyers.”

“The information is furnished as a matter of courtesy without a duty to do so and without responsibility, liability or warranty, express or implied, on the part of ________________ to you to any third party. Information is obtained from electronic data sources, which may not contain all information in _____________ possession; information is not guaranteed to be accurate and may be a matter of opinion. We do not accept any responsibility for errors, omissions or alterations after delivery. The information is constantly changing and therefore subject to change without notice.  _______________ will not update this response unless another written inquiry is received. This information applies to the name of the subject of the inquiry as styled in your request and does not include any indirect or related accounts or obligations, unless expressly specified in our response. _______________ encourages you to contact more than one credit reference prior to making any credit decision. If you received this response by FAX and you are not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error, and that any review, dissemination, distribution or copying of the information contained in this message is strictly prohibited. If you have received this communication in error, please notify us immediately by telephone and return the message to us by mail.”

I could comment about a lot of this, but the last part is precious.  So if you send this to someone by mistake, just let us know.  No damage done.

I hope that my bank’s data systems are secure.  I hope they comply with regulations.  But I also know that US law gives me little control of how my data is handled, and corporate procedures imbue precious little concern about my financial privacy into their practices. So my financial data, my financial behavioral data, gets compromised more than I’d like to believe.

Companies, and the law, need to stop thinking of privacy, security, and compliance as mutually inclusive.  They do overlap, but one does not necessarily represent another, and these systems and safeguards need to be developed in tandem.

p.s. I did write to complain and I received a mundane corporate response claiming that they could not do anything about it. They did thank me for bringing it “to their attention” which is corporate speak for telling me to fly off a building.


Google, Innovation & Trust

Today a piece I wrote for Harvard Business Review hits the “virtual” stands.  There are times when researching a hot topic is a curse (Mr. Snowden made privacy and surveillance touchy) but there are other times when it is a blessing.  The Google European Court of Justice’s (ECJ) decision or “Right to be Forgotten” case has given me a chance to showcase the importance of privacy and data protection in the business world.

I have written a few pieces about data as it pertains to financial services (here and here), and on the clash of US and EU privacy cultures and its impact on transatlantic counter-terrorism cooperation. The HBR piece focuses on how privacy can lead to profit, and it draws heavily upon my interviews with the IT and corporate communities while I was in Europe.

In the popular imagination, the internet exists as a borderless world. In reality, there are many internets, and the rules that govern each of them reflect local beliefs about the role and responsibility of technology within society. The ECJ ruling classified Google as a data controller, and therefore obliged to remove certain links to personal data upon an individual’s request; it is a prime example of how localized privacy cultures and laws can assert themselves beyond their sovereign borders.  Although it specifically mentions search engines, it has implications for multinationals as well.

I think that the IT world was shocked by the ECJ decision because it holds the borderless internet view, it sees any curb on the free flow of information as censorship and a threat to its business model, and it is accustomed to the US-based view of data as property, where corporations self-regulate data collection and usage.  Also, the Judge Advocate’s opinion, which concluded that Google was not a data controller, had set expectations for the final outcome of the case.

As the EU itself has been trying to figure out the legalities of balancing human rights with good commerce, the legislative ambiguities of the EU Data Protection Directive have in the past provided businesses, including European companies, with some wiggle room.  The ECJ verdict tightened the space to wiggle in some instances, but legal instruments are notoriously difficult to rely upon for definitions or guidelines for enforcement when applied in practice.

Problems of balance remain.  There is the balance of responsibilities between controllers and processors (are these distinctions even the way forward? One interviewee said we need to think of this in terms of accountability), the balance between human rights and national security, and between human rights and the economy, the balance among differing views of privacy, and the reality that the physical structures in which the internet operates are transnational, which makes it difficult to restrict the flow of data to certain transmission paths, let alone to implement regional or national standards when doing so.  “You shouldn’t, and can’t, make Europe an island.”

No, the ECJ ruling does not mean you can be completely forgotten once you are on the global information superhighway, but it does mean that there are opportunities for government and business to innovate in how data is managed, transferred, and used.  In short, legal instruments are not enough; the private sector needs to take privacy beyond compliance because its clients are demanding protections even when the law doesn’t require them.  In the HBR piece, I assert that this is part of a growing trend, spearheaded by consumers themselves (in the US, they talk about consumers; in the EU they speak of individuals) who believe that corporations feel entitled to use every bit of information they can find as part of a ‘big data’ marketing plan to endlessly feed algorithms for their own profit.  American IT firms did not help this image either.  EU legislators and privacy activists were not accustomed to the aggressive nature of US-style K-Street lobbying in Brussels as IT firms campaigned against aspects of the new EU Data Protection Regulation.  The Snowden revelations only added fuel to their ire.  But this disgust has not been confined to the EU; Americans are increasingly suspicious of where their information flows end up too.

I have spoken about trust on this blog before regarding regulatory-corporate relations, but it applies here as well.  Corporations have to maintain the trust of their clients to keep them, whether they refer to them as individuals or consumers, and treat their data with respect. Individuals have a strong sense of ownership over their data because it reflects their personal choices, and while some consumers love the convenience that data analytics provides, some do not.  So I ask businesses (somewhat rhetorically, because I know there are some efforts, which I will tackle in later posts) to consider services for those who want (and legally demand) more control over their data.

The HBR article touches upon some fundamental issues, and I hope to follow up with another piece that connects data privacy to data security.  Unfortunately security is often treated as a separate issue, but privacy, security, and trust are inherent in any business relationship and, when done right, they are, again, profitable.