Two International Privacy Conferences

The first conference was sponsored by Zero Knowledge Systems and took place outside of Montreal, Quebec. The title of the conference, Privacy by Design, was well chosen. Privacy *must* become a design element, a key component embedded into a company's business practices and culture. Fortunately, as the ZKS conference proved, "Privacy by Design" is no mere slogan. The legal and regulatory consequences of privacy and data protection laws in the EU and Canada have produced an abundance of resources to help businesses comply with the new regulatory climate. The "revolving door" phenomenon for which Washington is notorious seems to be playing out in Canada and Europe as well: former government officials (and their minions) are setting up consulting practices in which they help companies deal with the data protection commissions. Since Canadian and European businesses have been dealing with privacy issues for years, there is a substantial infrastructure -- in both the public sector and the private sector -- surrounding compliance. The *meaning* of privacy is well developed and spelled out[1]. Practical guidance abounds; the bureaucracies responsible for administering data protection laws are doing everything possible to simplify compliance.

It should be no surprise that financial institutions are on the front lines of dealing with privacy issues. They realized that privacy was a fundamental concern for their customers. Rather than treat this as a burden, however, they set about using it as an opportunity to revitalize their customer relations. Banks followed a strategy that has proven successful in the US time and time again: Give the Customer What He Wants. And what customers want is privacy, not just at financial institutions, but throughout their online *and* offline lives. Fortuitously, meeting this need is good for business in a number of ways.
Aside from the obvious benefits of meeting the demands of the market, there are benefits arising from the discipline imposed by running a business based on "privacy by design". The excitement at the ZKS conference was palpable. Everyone sensed we were on the threshold of a new era, but there was also a strong sense of confidence and competence. The challenges of compliance were large, but they could be managed.

The excitement at the Privacy & American Business Conference was also palpable, but it was a more nervous energy than the confidence prevalent at the ZKS conference. American businesses by and large have been caught short by the "sudden" interest in privacy issues. They are now scrambling to get up the learning curve the Canadians and Europeans have been traversing for years.

Even though the P&AB conference took place in Washington DC, only four blocks from the Capitol Building, it was just as much an international privacy conference as the one in Quebec. American business is acutely aware of the European and Canadian privacy laws, and it is concerned about protecting its markets and its employees abroad. An unexpected case in point: the administrative and staffing expenses of American businesses with offices in EU countries. The EU privacy laws are so strict that even the transfer of expense reports to the home office in the US invokes the data protection laws. Consequently, even though businesses thought they could ignore the legal situation in Canada and Europe, they are suddenly finding that they cannot even pay the payroll in foreign offices, or transmit sales and marketing data to the States, without taking steps to comply. Hence the great deal of attention paid to "Safe Harbor". Safe Harbor is an arrangement the US Department of Commerce reached with the EU data protection commissioners.

Safe Harbor sets out a plan for US companies to be deemed in compliance with EU data protection regulations so long as they follow a simple series of four steps. *Any* US company transferring *any* personal data of an EU citizen is obligated to comply with Safe Harbor; otherwise it will be required to follow the far more burdensome requirements of each of the 15 EU data protection commissions. Again, financial services companies such as American Express have made the most progress in dealing with privacy issues. They are particularly strong in employee training programs, some of which are quite slick, with professionally produced videos and training binders.

Key themes I would like to identify by way of summary.
NOTES

[1] The ten core principles of fair information practices are:
[2] It is estimated that there are approximately 75 chief privacy officers in the US currently. It is also estimated that, by the end of this decade, *every* company that handles personal information will have a CPO.

[Published in CPSR PING! 1:4, p. 11. May, 2001]

Last revised: June 5, 2015.