Managing Global Data Privacy
Privacy Clearinghouse reports that over 341 million records of sensitive personal information have been leaked, hacked, or otherwise compromised since 2005. It lists data leaks by the responsible entity and total number of released records. Most recently, on December 17, 2009, the North Carolina Library System’s central server in Raleigh suffered a security breach, resulting in the release of 51,000 driver’s license numbers and Social Security numbers. On December 18, 2009, the Dickinson School of Law discovered that a computer containing 261 Social Security numbers from an archived class list had been “infected with malware that enabled it to communicate with an unauthorized computer outside the network.”
Privacy Clearinghouse helps us identify easy privacy breach cases, i.e., those involving easily identifiable, static sources such as infected computers, hacked servers or centralized databases, stolen flash drives, and the like. Yet as privacy scholar Paul Schwartz highlights in an important new study entitled Managing Global Data Privacy: Cross-Border Information Flows in a Networked Environment, privacy problems increasingly involve a much more complex set of circumstances.
As Schwartz’s study explains, in the recent past, companies largely maintained localized data sets and processes. A data transfer usually occurred at a predictable moment and into databases controlled by a single entity. In the present, however, international data flows occur continuously in a “multi-directional fashion” across the globe and involve a multitude of entities. As Schwartz thoughtfully explores, networked technologies, such as cloud computing, change a firm’s Coasean “make or buy” decisions in innovative ways. Functions and operations can now be “packaged as modular units that can be pulled apart and re-assembled.” Data flows can be “de-aggregated and de-coupled to allow companies to develop novel business approaches to operations and activities.”
Exciting as these developments may be, they complicate the privacy and security protections afforded to dynamic data flows. Schwartz’s case studies reflect that firms take data privacy and security seriously. We have seen a professionalization of corporate data protection. Companies now have Chief Privacy Officers and Chief Information Officers. Although the study offers a number of important insights, it emphasizes the adoption of accountability principles to protect the privacy and data security of global data flows. This seems a wise move and one worth tracking.