The Future Of Privacy Law: A Conversation With Rita Heimes

Our relationship as Americans with privacy? It's complicated.

Privacy law is a hot area of law — and it will only get hotter in the years ahead. At last week’s Global Privacy Summit of the International Association of Privacy Professionals (IAPP), the excitement of the 3,500-plus attendees was palpable.

While at the Summit, I had the pleasure of sitting down for a conversation with a leading expert in privacy law: Rita Heimes, Research Director at the IAPP. Prior to joining the IAPP, Rita was a law professor and academic dean at the University of Maine School of Law, where she directed the Center for Law + Innovation and developed the nation’s first Privacy Pathways program; worked in private practice, with law firms in Seattle, Boulder and Portland (Maine); and clerked for the Ninth Circuit.

Heimes has lived and worked all over the country, including in two leading tech hubs, Seattle and Boulder. But interestingly enough, Maine and New Hampshire now make up a thriving area for privacy law.

The University of Maine School of Law, known for its Privacy Pathways program and three-week, intensive summer institute in privacy law, is based in Portland. The IAPP’s global headquarters, with more than 100 employees, is less than an hour away, in Portsmouth, New Hampshire. The Network Advertising Initiative, another leading non-profit organization focused on data privacy issues, was also headquartered in Maine for many years, and it still maintains an office in Portland.

Although the IAPP has its headquarters in New Hampshire, it has chapters and training sessions all over the country and even the world. As IAPP’s president and CEO, J. Trevor Hughes, said in kicking off the Summit, “Privacy is now a global profession.”

Although many privacy professionals are focused intensely on Europe right now, with the GDPR about to take effect, interesting developments in privacy law are happening around the world (and new tools are emerging to keep track of them). In our conversation, Heimes mentioned Canada, “which has been way ahead of the pack on privacy, for a very long time”; Israel, which has strict privacy laws, including criminal provisions; and Japan, with important new regulations forthcoming.

“Each country has a different cultural perspective on privacy, and this gets reflected in their privacy laws, regulations, and data protection authorities,” Heimes said. “How closely does government work with industry on privacy issues? How much in education, tools, and advice does it offer about privacy?”

“For Europeans, privacy is a fundamental human right,” she noted. “The GDPR is taking everyone by storm, and some European data protection authorities are less patient when it comes to holding the hands of industry through compliance.”

The IAPP does not engage in policy work or lobbying, but I did ask Heimes, in her capacity as an expert in privacy law, whether we might see some sweeping, federal regulation like the GDPR in the United States someday. Currently there are many federal and state laws and regulations that touch upon specific aspects of privacy, but nothing approaching the GDPR in scope.

“There’s no comprehensive omnibus law on privacy in the U.S., and we are probably a long way off from any,” Heimes said. Instead, in the United States, privacy is very much viewed through a contractual lens — e.g., the privacy policies on the different websites we use.

But we could see more comprehensive privacy legislation at some point in the future. Heimes referred me to the recent NPR interview of Senator Richard Blumenthal (D-Conn.), in which he commented on the recent controversy over Cambridge Analytica’s use (or misuse) of Facebook data.

“Hearing him talk about consumers consenting to the use of their data felt like a lightbulb moment,” Heimes said. “He raised questions and issues that could signal an interest in greater regulation of how Facebook and other companies utilize user data.”

Of course, here in the United States we have a very different relationship with privacy compared to Europeans. Many Europeans are haunted by memories of governments violating the privacy of citizens in terrible ways, while in the United States, we seem willing to give up our privacy for all sorts of reasons, whether to show off on social media or to get free access to a news website.

At the same time, we do see public anger from time to time over incursions into privacy, whether by Facebook or the NSA. I asked Heimes: are Americans pro- or anti-privacy, and how is that changing over time?

“We’re both,” she said. “When data sharing helps us get what we want, we all say yes. When it’s disadvantageous, we want the ability to retract our yes, or to say no in the moment. This is why I admire the GDPR: it’s about you, the data subject, being able to decide how your information gets used. It emphasizes user control, and it requires entities that deal with personal data to be flexible.”

“The GDPR reminds us that there’s a human being at the other end of that data set, and that person has the right to control how her data gets used,” Heimes said. “Privacy is about retaining or regaining control over one’s data — and dignity.”

David Lat is editor at large and founding editor of Above the Law, as well as the author of Supreme Ambitions: A Novel. He previously worked as a federal prosecutor in Newark, New Jersey; a litigation associate at Wachtell, Lipton, Rosen & Katz; and a law clerk to Judge Diarmuid F. O’Scannlain of the U.S. Court of Appeals for the Ninth Circuit. You can connect with David on Twitter (@DavidLat), LinkedIn, and Facebook, and you can reach him by email at dlat@abovethelaw.com.
