The sentence got stuck in my head and it stayed there all weekend. It was said by a woman who’s been in the law business her entire career.
I heard it during Privacy Space Live, a community of data protection professionals who come together to share ideas under Chatham House Rules in Leamington, UK. By the way, if you ever have the chance to go, you should. It’s a warm, welcoming place to share everything data protection.
The sentence that got stuck was:
“Law matters. Other things matter more.”
For the past couple of years, I’ve been talking about the fact that privacy compliance needs to go from legal thinking to strategic involvement. I was talking about privacy becoming part of the business, not an outsider only looking at whether something is legal or not..
“Law matters. Other things matter more,” broadens that perspective further to me.
In his book: “Fundamentals of Regulatory Design,” Malcolm K. Sparrow has this illustration:
The question to me now becomes: When confronted with a practice that is harmful but not illegal, what does the data protection professional do?
Let’s turn to a couple of examples from the Privacy Space discussions.
--- Want more like this? Subscribe to our newsletter ---
Workplace monitoring is about trust
Workplace monitoring was on the agenda.
As one of the suppliers of software for monitoring says on its website.
“Why do I need it? (the monitoring software)”
And answers:
“Who are my most productive employees?
Is anyone looking for a new job?
What are my employees posting on Facebook?
How much time does this employee waste surfing sites that are not permitted?
Who is steaming cat videos and blocking the company network?”
The law matters… And according to the law, workplace monitoring is not prohibited. It needs to be justified, proportionate, and have a lawful basis. But in many, many cases, companies can monitor their employees - digitally, physically and socially.
Other things matter more… Like trust. I am convinced that trust and productivity are connected.
A speaker talked about the vicious cycle of monitoring.
You set-up monitoring of employees. Some employees become dissatisfied because they feel distrusted. They react deviantly by doing some of the things the workplace monitoring software supplier warns against. In response to deviant behavior, the company sets up even more monitoring.
I think this vicious cycle is intuitively correct. We might even have some research to back it up.
However, what do you do when HR comes a-knocking and wants monitoring? How do you make the vicious cycle and ethics be as important as what the law says?
Another example.
Online tracking is about safety
During Privacy Space there was a panel discussion on online tracking.
The law matters… Again online tracking is not illegal. It is regulated by law, but it’s not illegal.
During the panel discussion some thought provoking examples came up.
A young woman looking for information about MS on a patient support website, a couple of days later getting ads for adult diapers.
Google Analytics being active on a Police website for reporting abuse.
Other things matter more… Like safety and not being violated by advertisers.
I know, the tracking in these examples was not set up maliciously. However, no one within the organisations challenged that it was.
We should challenge business models
Now, back to what that means to data protection professionals.
When something is harmful, yet not illegal, we basically have two options.
We can go: “Yes! One down.”
Or we can take the opportunity to challenge the business thinking behind the practice.
I know lots of data protection people who would say. “If it’s not illegal it’s not in my job description to do anything about it. I might talk to politicians about making it illegal, but at the end of the day, it’s their job. Not mine.”
And… that is a perfectly valid point of view.
I just come to a different conclusion. I think we should broaden our perspective and make other types of arguments and assessments too.
Is it ethical?
Is it harmful?
Is it right?
Attending Privacy Space and being with a community of data protection professionals is a great catapult for stepping back a bit and thinking about our profession and what we do.