Mary J. Culnan: Accountability as the Basis for Regulating Privacy: Can Information Security Regulations Inform a New Policy Regime for Privacy?
Comment by: Joe Alhadeff
Workshop draft abstract:
There is an emerging consensus that the current regulatory regime for privacy based on notice/choice or harm is not effective and needs to be revisited. In general, the current approaches place too much burden on individuals, frequently deal with privacy only after harm has occurred, and have failed to motivate organizations to address privacy proactively by implementing effective risk management processes. This paper adopts Solove’s view that privacy is best characterized as a set of problems resulting from the ways organizations process information. As a result, the most effective way to address privacy is for organizations to proactively avoid causing privacy problems through accountability.
The paper first argues why a new approach based on accountability is both necessary and appropriate. Next, the requirements of three information security laws (the GLB Safeguards Rule, the HIPAA Security Rule and the Massachusetts Standards for the Protection of Personal Information) are analyzed against the elements of accountability, and the feasibility of adapting these requirements to privacy is assessed. These laws require organizations to develop security programs appropriate to the organization's size, its available resources, and the amount and sensitivity of the data it stores. While these security laws are judged to provide a good starting point for privacy legislation, privacy raises additional challenges that must also be addressed, and these are described. The paper concludes by reviewing arguments in favor of adopting a delegation approach to privacy regulation rather than the traditional compliance approach.