In-House Counsel Go to Privacy Boot Camp
On the first day of classes last week at the Information Privacy Summer Institute (IPSI) in Portsmouth, New Hampshire, Omer Tene, a leading scholar in the privacy field and one of the professors, wasn’t planning to lecture on government surveillance in a course that’s designed for private-sector professionals. But the news leading up to the two-week institute, a collaboration between the International Association of Privacy Professionals (IAPP) and University of Maine School of Law, not surprisingly, altered the Day One lesson plan.
As a National Security Agency contractor’s leaks to media outlets about surveillance programs involving U.S. telephone and Internet companies dominated news coverage, well, everywhere, Tene says he decided to go “a bit off-script,” discussing the legal basis for such programs, per the FISA Amendments Act, the USA Patriot Act, and the Electronic Communications Privacy Act.
“For lawyers, that’s probably the first issue that we address,” Tene tells CorpCounsel.com. “Of course, there are some broader policy, or perhaps moral, or ethical issues here, but as lawyers we first look for the legal underpinning.”
If that sounds like a simple truism, it is one that is becoming ever-more complex in a field of changing technology, regulations, and customer expectations around digital privacy. Hence, the IPSI, which has drawn 30 students—a combination of in-house counsel and Maine Law students—in its second year, for courses on the foundations of global privacy law, and advanced practice issues on data privacy, security, and management.
On one hand, the program is meant to offer “actionable, relevant” lessons for law departments, says Trevor Hughes, IAPP’s CEO and president (and a Maine Law graduate). “This is a boot camp to beat all boot camps” on the topic of privacy, he adds.
At the same time, the institute’s founders see it as an entrée to the field for lawyers in training, particularly as law grads across the country struggle to find jobs. While IAPP’s membership of 13,000 has been growing by leaps and bounds, up 3,000 people in the past 12 months, “We’ve also recognized that we need an onramp to the profession,” says Hughes.
Maine Law, one of the smallest law schools in the country with about 85 to 90 students per graduating class, views information privacy as a major prospect for its graduates. Any time there’s regulatory, technical, and professional disruption, explains professor Rita Heimes, director of the school’s Center for Law and Innovation, “it always creates opportunities for lawyers.”
Heimes credits Maine Law alumni such as Hughes and Justin Weiss, senior director for international policy and privacy at Yahoo, with telling her the school needed to jump on the burgeoning job prospects in the privacy field. So three years ago, the school decided to be “much more strategic” in its approach to privacy, and now, she says, “We’re on it.”
The school offers a three-credit course on Information Privacy Law, which is taught by Hughes and Andrew Clearwater, a fellow at the Center for Law and Innovation who has been charged with enhancing Maine Law’s outreach in the privacy community. Students have had privacy externship opportunities with IAPP and Monster.com, as well as internships at IAPP, Digital Policy Group, Phillips Electronics, and CVS/Caremark.
For motivated students who already know they want to specialize in privacy, Heimes says Maine Law’s relationship with IAPP is giving them “a unique pathway” directly to that career. But the vocabulary of cybersecurity and privacy is also important to those handling transactional work, according to Heimes.
“Someone who may have been a generalist needs to know about information and data security in order to do their jobs well,” she says.
At the summer institute, students are learning just how dynamic the attendant legal principles are. Across the Asia-Pacific region, Europe, and the United States, “all of the frameworks are currently in flux, and they are being reformed and changed in the U.S. and Europe,” explains Tene, an associate professor at Israel’s College of Management School of Law, and a visiting fellow at the Berkeley Center for Law and Technology.
Meanwhile, companies are dealing with novel issues such as data storage and analysis by cloud-service providers, the increasing use of social media by corporations to engage with consumers, and even the concept of analyzing a customer’s movements in brick-and-mortar stores. In that case, the challenge, says Tene, is “whether you can do it without identifying a person, therefore implicating their privacy.”
The risk of a public-opinion backlash driven by privacy issues—and therefore the stakes for brand reputation—are high, Tene points out. So confronting privacy ahead of time, by making privacy controls and features part of products and services from the outset, should be a priority. Think of it as “privacy by design, rather than privacy by disaster—after the fact,” says Tene.
In-house counsel also have to make sure compliance is “under control,” says Tene, given the complex (and evolving) regulatory map. But legal compliance alone isn’t enough. “You can sometimes fully comply with the law, and yet create a terrible impression if you do something without bringing the consumers along,” he says—even if it’s something seemingly innocuous, like altering an online interface that consumers interact with.
Companies need to work to avoid surprises and be transparent about privacy issues. “I think when people see a value proposition, they are much more willing, and often even happy, to part with their personal information,” Tene says. “It’s when things are done in the dark and people don’t’ understand exactly what’s going on that they can be alarmed.”