Last week, I was interviewed by a professor who was researching the 'economics of privacy'. He wanted to know why organizations invest in privacy protection. Are there economic drivers for establishing privacy policies? Or is privacy just a 'Lawyers Paradise'?
It is an interesting question. In her PhD-thesis, professor Overkleeft -a Dutch law professor- stated that "privacy is a mandarin science" (G. Overkleeft-Verburg, De Wet Persoonsregistraties; Norm, Toepassing en Evaluatie, 1995). What she meant with that remark is, that there are only a handful of people (lawyers, commissioners, academics) who are privvy to the details of privacy theory and privacy practice. For everybody else, privacy is just a vague feeling, a buzz word, that is often misunderstood and sometimes misused or inappropriately applied. More than 10 years later, it is a safe bet that privacy still is a Mandarin science.... at least, in Europe.
In Europe, privacy is considered a fundamental right, which is laid down accordingly in the EU Charter of Fundamental Rights. But Europe's fundamental problem is its inability to turn the fundamental right of privacy into a people's issue. Europe claims that it has the best privacy laws in the world. Or at least, the eurocrats in Brussels and the Data Protection Authorities in Europe think so. This belief is even enshrined in article 25 of Directive 95/46. The "Digital Fortress Europe"-rule prohibits data export to countries that do not have an "adequate level of protection". Europe fiercely protects the personal data of its citizens, both in Europe and abroad. But in Europe's streets nobody knows those laws, and worse..... hardly anybody cares. The bureaucrats have reduced privacy protection to a legal compliance problem. For the average man, it is hardly an issue. But in the Information Age, privacy should be a matter of concern to everybody, not only to a "happy few", such as the data protection authorities, the lawyers, and a handful of privacy-rights activists. Privacy should not be something driven by law and supervisory authorities, but something driven by internal values of organizations and governements and the need to earn the trust of their stakeholders. Privacy should be something that people care about.
Take for instance The Netherlands. There are no privacy rights groups anymore. Bits of Freedom, a small Dutch digital rights movement, decided to liquidate itself a few years ago. Even worse, the "Dutch People" got the Big Brother Award 2007 because of their lack of interest in privacy. The average Dutchman likes to say that he has "nothing to hide (except his PIN-code)". On the other hand, there are plenty of law firms around that have some sort of a privacy practice. And an increasing number of organizations, companies as well as government agencies, are appointing privacy officers, or have some other form of in-house privacy expertise.
So, the professor's question seems to be a valid one. WHY do organizations invest in privacy if their stakeholders don't seem to care much about it? The answer is probably a complex one. Some organizations seem to have a privacy progam because they want to be seen as acting responsibly towards society. They invest in privacy because of their internal values. For others, it is an issue that they think may give them a comptetitive edge in the market. They invest in privacy to win, but are probably willing to drop it, if it doesn't pay off. And for many others it is just a matter of compliance with a set of very difficult and vague laws, and they do their best to be compliant. They invest in privacy because of risk avoidance and legal compliance.
However, I am also afraid that for most organizations it is just another law with which they -consciously or unconsciously- do not to comply. They don't invest in privacy simply because their stakeholders -internal or external- don't care about it. So why bother....?
So what did I tell the professor in the end? I told him that as long as we don't have good privacy metrics that enable us to show how much organizations lose if they don't protect the privacy of their customers and employees (either in actual cost, in opportunity cost or in lost sales because of lack of trust), the primary reason for investing in privacy is legal compliance and avoidance of legal risk. As long as people remain indifferent about their privacy, there will be no incentive to invest in stronger privacy protection in organizations. Thus, privacy will remain the problem of the legal department. It is seen as a cost rather than a benefit.
When we think of how to shape Privacy 2.0 in the 21st century, we also have to figure out how to make privacy a people's issue.