Governance & Risk Management , Privacy

Privacy Trends and Laws: J. Trevor Hughes of the IAPP

What have been the biggest privacy issues of 2009, and what emerging trends should you watch heading into 2010?

We posed these questions to J. Trevor Hughes, Executive Director of the International Association of Privacy Professionals (IAPP). In an exclusive interview, Hughes discusses:

The role of the IAPP;
Key legislation in the U.S. and internationally;
Where organizations need to improve privacy protection.

Hughes is an attorney specializing in e-commerce, privacy and technology law. In his role as Executive Director of the IAPP, Hughes leads the world's largest association of privacy professionals.

Hughes has provided testimony before the U.S. Congress Commerce Committee, the U.S. Senate Commerce Committee, the U.S. Federal Trade Commission, and the EU Parliament on issues of privacy and data protection, spam prevention and privacy-sensitive technologies. He is a member of the first class of Certified Information Privacy Professionals (CIPPs) and is co-author (with D. Reed Freeman, Jr.) of "Privacy Law in Marketing" (CCH Wolters Kluwer, 2007).

TOM FIELD: Trevor, just to set things up for people that might not know as much as they should about the organization, would you tell us a bit about the organization and your role there?

TREVOR HUGHES: Sure, the International Association of Privacy Professionals is the world's largest organization representing people working in the relatively new fields of privacy and data governance.

Our website is and we have been around for nine years. I serve as the Executive Director for the organization.

FIELD: So, Trevor, what have been the biggest privacy concerns that your group has been tracking this year?

HUGHES: You know, it is a good question and a challenging question because there is not one thing that we have been tracking. One of the interesting things about privacy is that it is a multifaceted issue and many, many topics go under the broad headline of privacy.

So in 2009 our organization has certainly seen areas flare up, but generally I would remark on the broad rise of privacy across industries, across jurisdictions, online/offline. We have seen this wave grow and grow and grow across all of those areas.

There have been a few flashpoints though: certainly online advertising and behavioral targeting; smart grid technologies, as utilities try to put more data functionality into the provision of those utilities; GPS and location-based targeting has been very hot; employee privacy has been very hot; and then of course cloud computing, as more and more data moves into the cloud that raises enormous privacy issues for our members.

FIELD: What would you say, Trevor, are the biggest trends that you are tracking as we go into 2010, which frighteningly enough is about six weeks away?

HUGHES: It is coming quickly. There are a number of trends that we see. I think the mega trends, if you will, are that there is more data and more uses for data every single day. It is almost cliché to reference Moore's Law these days, but Moore's Law is in fact in operation. We see processing power increase every single day, and Moore's Law doesn't tell us the processing power just increases; it also suggests to us that more data flows through all of those chips, all of those systems. So we are seeing more and more data used in more and more ways every day. We are also seeing more and more data stored and maintained and kept for longer periods of time.

All of that adds up to greater privacy concerns, greater risks and bigger risk management issues for organizations. And it certainly has been the case that every day we open the paper we see a privacy story right now, whether it is an organization that has done something wrong, a breach that has occurred, some new technology that is challenging our norms, our expectations with regard to data.

So without answering a specific single trend for 2010, I think the big trend, the very broad perspective that I see is that that the use of data will continue to increase, the amount of data will continue to increase and the privacy issues therefore will also continue to increase.

FIELD: You know, it occurs to me, Trevor: I have asked you your perspective on what these issues are, but I haven't really asked you what the organization's role is in tracking these issues and following up on them. So you have outlined the concerns of 2009 and what you are looking at in 2010, but what really is the Association's role in these issues?

HUGHES: Sure. So one of the things that is important to know about the IAPP, we are a not for profit professional association, and we are also not an advocacy organization. So we don't take positions on the policy debates that currently occur on privacy. There are many organizations that fill those roles. What we do is serve as a big tent where those issues can be debated. So we are agnostic, if you will, on privacy issues.

What we try to do is educate our members on the emerging technologies, the privacy issues associated with those technologies, and we do that in ways that most professional associations do that. We have very large conferences -- the IAPP Global Privacy Summit occurs in April next year in Washington and we are expecting up to 2,000 people at that event. We publish a daily email newsletter for all of members that goes out to about 13,000 people every day. We publish a monthly newsletter. We do many, many things to try and keep our members on top of these issues.

One of the really exciting things is that we are always on the leading edge of these issues because privacy is usually the first public policy issue to flare up, the first real risk to flare up as a new data driven technology emerges in the information economy. So we have a lot of fun being able to work right on the front lines of some of these issues without actually having to pick up weapons and fight the public policy battle.

FIELD: Now interesting that you mention public policy because one of the things that we have seen over the life of your organization is a number of individual states have an active privacy legislation, and then that number grows each year. There is a lot of discussion about privacy legislation nationally. What do you envision happening on the national scale, if anything?

HUGHES: It is difficult to predict what will happen, but I can certainly predict that something will happen. I think it is fair to say that privacy is an unsettled area of law, particularly in the United States. In other areas of the world, while not completely settled, there are broad-based privacy laws that at least attempt to apply to broad marketplace uses of data. We don't have that in the United States. We have a more sectoral approach to privacy and that has opened the door for the states to be very active incubators on privacy laws.

A really good example of that is the entire class of privacy laws related to notice of security breach. That started in California in 2003, a Bill, FB1386, was our first notice of security breach law and that idea has really caught across the country. We now have over 45 state laws focusing on notice of security breach. There has been a significant federal debate as to whether we need a federal law that would pre-empt those state laws or supplement those state laws, and we have seen in some specific areas 00 healthcare, financial services -- where notice of security breaches actually have been implemented at a federal level.

But as to a broad federal privacy bill, that is a really heavy lift, I think, for Congress. As we all know, Congress is a bit focused right now on the financial crisis and healthcare. So certainly through the remainder of 2009 I think it is unlikely that we would see broad-based privacy legislation in the United States emerge.

We may see bills emerge in areas related to online advertising or online privacy more broadly, and in 2010 I certainly think that the debate will occur. We know that there are hearings coming up just this week on privacy and those sorts of things, hearings, roundtables with the Federal Trade Commission -- those will certainly be happening as well next year.

But as to whether we will see a national privacy legislation, I would have to say the crystal ball is pretty cloudy on that, and it is a little unclear whether something like that would actually gain traction.

FIELD: Now you mentioned legislation elsewhere in the world, and I think that is an interesting point. What types of privacy legislation have emerged that we in the United States really should take note of?

HUGHES: That's a very good question, and I would start my answer by saying one of the dynamics that has emerged over the past 10 years has been a collision of sorts between globalization and the rise of the information economy. Those two things have put enormous strains on our prior jurisdictional approaches to law.

So if you think about the internet, let's say, data can flow anywhere at any time with very, very few limitations. Add to that the idea that in a globalized economy it is just as easy for me to visit a UK website or a South African website or a Japanese website as it is any other website in the world, and I may in fact do business with any of those websites. Add to that the fact that when I call customer service I may be talking to someone in India or Eastern Europe or Arkansas. We are seeing real strains on our traditional legacy-based approaches to national jurisdiction and the application of national law.

That has raised a number of issues for us around the world. So I think the United States is finding that our lack of broad-based privacy legislation is serving as a barrier to data flows around the world. In fact, in the European Union, data flows are restricted out of the European Union unless the country to which the data is flowing is deemed to be adequate under European Union privacy law standards. Well guess what? The United States is not deemed to be adequate because we don't have a national privacy law.

That has resulted in us needing to create many, many patches or bridges for data to flow from Europe to the United States, and certainly that is a very big topic for our members at all of our conferences and in our publications. So I think things like that, those bridges, those patches, the ways to resolve jurisdictional challenges will continue to emerge as we look around the world. I think we will also see flare-ups on certain issues. It has been curious; you know the United States, I would say, is ahead of the rest of the world in dealing with online advertising. So much of the world looks to the United States for leadership on privacy issues with online advertising. Similarly, the United States introduced notice of security breach legislation, so it has been a model for the rest of the world on that.

We have seen, however, Canada take a real interest in social networking sites and really put pressure on the privacy tools on those social networking sites. We have seen Switzerland just recently look at things like Google Street View and challenge the use of Google Street View from a privacy perspective. So we will continue to see those flashpoints around the world where individual jurisdictions show some leadership, but at a broad level I think the big trend is that we will continue to see tension with privacy standards that differ in various jurisdictions.

FIELD: Trevor, just a couple more questions for you. One, just going in a different direction all together, as you look at businesses and government agencies and institutions within the United States, where do you find them currently to be most deficient when it comes to protecting privacy?

HUGHES: You know, it's a tough question. Companies are, I think, desperately trying to do the right thing. The challenge that we face, particularly in the United States, is that this is not a stable area or a predictable area. So it is difficult to know sometimes exactly what the right thing is.

One of the interesting things about out members, we have 6,300 members in 51 countries around the world, is that they are not all lawyers, they are not all compliance professionals, in fact they have got to have other skills, really utility infielder-type skills because there are enormous amounts of gray areas out there right now. Not only do we not have good solutions to the technologies and business models that exist today, but every new technology, every new business model, every new use of data creates even more challenges and more unanswered questions for us. So I would say that it is not so much a deficiency, it is just the nature of the marketplace today that the issue of privacy is incredibly in flux, and it is difficult for organizations to manage that risk without professionals who actually are on top of the debates, on top of the laws, on top of the discussions that are happening around the world. So if there was any deficiency, it is those organizations that have not put professionals in place to start dealing with this. Companies that think they can just slap a privacy policy onto a website and call it a day are woefully ill informed of the needs of our current environment with regards to privacy.

FIELD: Well, that is a great segue into my final question, which was: Certainly there are growing opportunities for professionals in privacy. What advice would you give to somebody that is looking to enter this field today and focus on privacy in their career?

HUGHES: Well, it is a bit of a softball, so thank you, Tom. I think the first thing is they should become part of the community that is the profession, and certainly in the United States that is the IAPP, the International Association of Privacy Professionals.

But you know more than that, I would say that understanding that being a privacy professional or working in the field of privacy doesn't necessarily have to mean that you leave your current role. If you are in the IT industry, you are going to be a smarter IT professional, you are going to be more mobile, better paid, more valuable to your organization, if you understand privacy.

In many ways this is like information security 10 to 15 years ago, when people were talking about baking it into systems as opposed to bolting it on after the fact. Well. if you have got enough privacy knowledge in your head to ask the right question, you are going to be able to bake those solutions into whatever it is you are working on. Whether or not you are the chief privacy officer of an organization is not necessarily the right question; it is 'Do you have enough knowledge of privacy so that you can add value to the processes, the business models, to the business development cycle, the product development cycle that your organization is in so that you stay out of trouble in the future?'

I think there are some very, very clear ways to do that and get your self trained. You can consider certifications, Certified Information Privacy Professional (CIPP), and there is even an IT version of that certification. Really diving into the flow of information that exists on privacy today will help increase someone's awareness and whether they want a full blown career in the field. We are still adding about 100 members a month, and even in the last 12 months with the terrible financial crisis that we have gone through, we grew by over 20 percent in membership numbers.

Whether or not you are going to be a full blown privacy professional is almost beside the point. Understanding privacy, I think, is increasingly going to become a business imperative for just about everybody out there.

FIELD: Well, Trevor, you have been an eloquent spokesperson, and I appreciate your time and your insight today.

HUGHES: Thanks so much, Tom. It was great.

FIELD: We have been talking with Trevor Hughes, the Executive Director of the International Association of Privacy Professionals. For Information Security Media Group, I'm Tom Field. Thank you very much.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.