Privacy Professionals of the World, Unite!

It’s that time of year and more than 2000 privacy professionals are descending on Washington DC for the grandest of all grand privacy conferences: the IAPP Global Privacy Summit. Government and corporate Chief Privacy Officers (CPOs), data and consumer protection regulators, academics, lawyers and technologists participate in an endless array of professional and social activities in a networking “hop until you drop”.

IAPP has seen astounding growth over the past decade. With over 8000 members, an increasing number of them from outside the US, IAPP has revolutionized the privacy profession (indeed, “invented it” may be more accurate). It has done so under the leadership of the undisputed high priest of the privacy, Trevor Hughes, who picked up a small professional organization in 2002 and made it into a global powerhouse. Trevor, who continues to run IAPP from York, Maine, was formerly head of the Network Advertising Initiative, and is a privacy professional, entrepreneur, diplomat, social connector and leader – all rolled into one. He also teaches at the University of Maine School of Law and has lectured on privacy at Harvard, MIT, LSE and Georgetown, to name a few institutions.

IAPP events are always meticulously planned and immaculately executed. Trevor is aided by a group of highly professional staff members, who not only deliver a top notch experience but also do so with a smile and constant can-do spirit. (It must be something in the York, Maine, diet! Lobster?)

The other big, annual international privacy conference, the Data Protection Commissioners’ event, which I had the good fortune to help organize last year, stands in stark contrast. The event’s hosts rotate each year, without a permanent organizing committee, thus requiring them to constantly “reinvent the wheel”. While I hope we succeeded in doing so last year in Jerusalem, this is clearly not an efficient game plan. In a way, it demonstrates the differences between private and public sector undertakings.

The IAPP Summit draws a host of side events, some of which could be central stand alone conferences in their own right, such as the APEC Privacy Framework meetings (aka the Pathfinder Project) and the accountability event organized by the Hunton & Williams Centre for Information Policy Leadership and hosted this year by the FTC.

But the name of the game is networking and meeting people from all avenues of the profession and every corner of the world. During the week, the main topic for discussion is “which dinner to go to”. Every day, participants must choose among numerous networking dinners, cocktails, lunches, even breakfasts (yes – networking at 7am!). ”Are you going to Google”? “Facebook”? “EY”? “DHS”? – that’s the question. And then there are the occasional conversations about the main topic for discussion – privacy. And what a topic it is. It seems that every year brings an exponential growth in cutting edge, exciting issues – online behavioral advertising, mobile apps, smart grid, personalized medicine, government surveillance, privacy and corporate governance, privacy and antitrust, and on and on.

I find the Deirdre Mulligan and Kenneth Bamberger paper, Privacy on the Books and on the Ground, eye opening in this respect. In what is surely one of the most important and influential papers on privacy over the past decade, the authors identify stark differences between the development of the profession on both sides of the Atlantic. Whereas in Europe, privacy has been imposed top-down by regulation and implemented by bureaucratic supervisory authorities, low-to-mid level functionaries (called Data Protection Officers; DPOs) in organizations, and outside counsel; in the US the practice grew bottom-up, absent a comprehensive privacy statute, but has become a senior level C-suite strategic function. What’s better? I leave it for the DC participants to discuss.

Suffice it to say that it is by no means clear that there is more privacy awareness, compliance and enforcement in the EU than in the US, despite the comprehensive nature of the EU Privacy Directive. To be sure, some areas such as data warehousing, remain relatively unregulated in the US while being outright illegal in Europe. But in most sectors of activity, the US, with FTC oversight, industry engagement, cutting edge academic research, and of course the IAPP, is clearly paving the way.

One way or another – if you have anything to do with the privacy ecosystem, I urge you not to miss next week in DC. Hope to see you there!

[I moderate a panel on review of the EU Privacy Directive at the IAPP Summit with Peter Hustinx, European Data Protection Supervisor; Jacob Kohnstamm, Chairman of the Article 29 Data Protection Working Party and President, Dutch Data Protection Authority; and Artemi Rallo Lombarte, Director, Spanish Data Protection Authority and Vice-Chairman of the Article 29 Data Protection Working Party. Hope you can attend.]