Some European privacy enthusiasts have been through the hype of inflated GDPR expectations, fallen into the trough of GDPR enforcement disillusionment and then, jaded to their core, have turned against each other and against the very institutions whose job is to disseminate and enforce privacy principles.
As the US, India and other jurisdictions look set to pass more privacy laws in 2020, there is hope that a new wave of privacy colleagues from those countries will fare much better at managing the emotional side of privacy advocacy.
Seven golden habits will help keep the oncoming privacy conversation level-headed and effective:
1) Value and defend all privacy institutions
2) Disagree without being disagreeable
3) Persist and help others persist in the privacy mindset
4) Stop clamoring for fines: they are not the final answer
5) Don’t be a one-trick pony
6) Welcome privacy newbies
7) Share what you know, credit those who share, verify everything
Value and defend all privacy institutions
It always takes repeated attempts for political consensus to crystallize enough to produce a privacy oversight body: never take for granted that one exists at all.
Be it the U.S. Federal Trade Commission, the European Data Protection Board, the anticipated Indian Data Protection Authority or any other national privacy regulator, cut it some slack: it will not make the right call every single time; it will not always have the technical, human and intellectual resources to grasp problems and produce solutions in time; it will not necessarily manage to carve its own perfect independence from the political majority of the day.
Don’t make it your marketing strategy to shame privacy institutions – or their employees – on social media for what you perceive as failings: propose solutions. Privacy bodies almost always welcome volunteers and experts on secondment and have channels for feedback. High-quality feedback marks you as a thought leader: trolling does not.
Disagree without being disagreeable
Laws are never perfect or self-evident: working through grey areas, legal gaps, conflict of laws, unintended consequences, over- or under-inclusiveness of legal semantics is an integral part of the legal process. Take up the challenge of making this “privacy debugging” part of your day-to-day job: respond to consultations; accept that others are impacted differently by the same legal provision; be aware that privacy changes business models and puts livelihoods at stake; encourage every professional profile to have their say on privacy. There is no such thing as the right background to grasp privacy problems, solutions and paradoxes.
Consider replacing “yes, but” or “actually, no” with “and also” every time you disagree with another privacy commentator: 99% of the time sentences work even better. Your overarching goal is not to overwrite their point of view with yours, but to add another voice to a very complex conversation.
Persist and encourage others to persist in the privacy mindset
Don’t be so naïve as to think that a single law or legal framework can change the world by being in force. Laws cannot enforce themselves: laws are routinely ignored, disapplied, willfully fudged, hollowed out by multiple exemptions, sabotaged, circumvented, repealed, eroded by bad precedents. It’s a fact.
The real privacy battle takes place outside of courtrooms and feels a lot more like a hard-to-kick habit than a rugby tackle. It’s always much easier to look away than to persist in seeing privacy implications in any professional action and interaction.
The privacy mindset will get you in trouble, will make your line managers want to sack you, and risks making you horribly antisocial: the hardest part is to devise strategies to persist – and encourage others to persist – without being a bore or an absolute nightmare to work with. If you can’t make privacy a happy space to be in, you’ve already lost the fight.
Describe what a world with privacy looks like compared to a world without it. So-called privacy trade-offs are only temporary limitations to our technological abilities: your privacy job is to imagine alternatives.
Stop clamoring for fines: they have a place but are not the final answer
Fines won’t solve all privacy violations. Due process allows them to be challenged through the courts, and businesses with the means to do so will litigate them into insignificance: when a privacy provision threatens the very survival of companies, they will go to the mat.
Consider whether consumer or grass-roots activism might be more effective than privacy complaints on certain issues: destroying a privacy-averse business model is, after all, in the hands of individual users and consumers.
Don’t be a one-trick pony
Talk about privacy in a specific context and for different audiences. Children, parents, employers, venture capitalists, investors, insurance companies, start-ups, teachers, database administrators, marketeers, app developers: they will all need to grasp the different implications of the same legal principle. Rather than discuss GDPR profiling in the abstract, for instance, start calling it what it’s actually called by the people who deploy it: ad personalization, dynamic pricing, responsive design, content tailoring, user scoring, loyalty programs, voter microtargeting.
Analyse the many different drivers for corporates’ privacy stance: reputational risk, value chain risk, cybersecurity, funding requirements, insurance premiums, valuations at exit, market competition. Compliance obligations are only one of the several components of corporate decision-making: be conversant in all the others, too.
If you only think like a privacy activist, you’ll never really grasp the privacy nettle.
Think like a CEO who can’t pivot their business model until the market is ready; think like NATO’s Secretary General, who must lead the Alliance’s defense in cyberspace; think like the head of your country’s security services, who must have a way to access terrorist communications before it’s too late.
Welcome privacy newbies
Enthusiasm for privacy will give way to jaded discouragement: change is slow. New generations of privacy enthusiasts are to be treasured and encouraged. There are new waves of professionals ready to learn new laws; new privacy-aware users discovering for the first time the magnitude of personal data misuse; new scores of consumers feeling angry and cheated.
Don’t tell them you’ve seen and heard it all before even if you’ve been in privacy a long time: they may well ask you why your generation didn’t do a better job of it.
Don’t berate new colleagues who come to privacy from non-legal backgrounds: privacy laws were not passed to give lawyers a job for life as interpreters.
Don’t dismiss someone as opportunistic for making a career transition to privacy: when innovating, there is nothing more valuable than cross-pollination from different professional experiences.
When talking to someone new to privacy, don’t presume incompetence: listen out for a fresh take on old conundrums.
Share what you know, credit those who share, but verify everything before you do either
Privacy laws are hard, but don’t take shortcuts.
Read the actual case law, not just the summaries offered by law firms or others. Read the actual legal texts, not just the Wikipedia summary available online. Check that links point to genuine published documents, not just journalists’ articles about those documents. Check that the URL of anything you share belongs to official sites publishing formal sources of law. Verify the binding value in the hierarchy of sources of law of what you are sharing. Verify the jurisdictional reach of the source of law you are sharing.
Credit your sources: it is only fair; it makes lineage for that item of information easier; it feeds more high-quality sharing as errors and misleading statements can be clarified, and broken links can be mended.
A tweet is never a valid source of law: check before you re-tweet.
Welcome to privacy: we all look forward to hearing your voice!