• PrivCom Bermuda

Mid-Atlantic Privacy: Incentives that Operationalise our Ethics

Note: This post is part of a series on the Mid-Atlantic Privacy Compass. Over the following weeks, Commissioner White will explore each of its Compass Points in greater detail.

Abstract:

  • Incentives should be embraced at every level to ensure that persons, organisations, and economies are structured in an ethical way that encourages win-win achievements with privacy and other, complementary goals.

  • Organisations should structure their business goals to encourage employees to seek achievements related to ethical behaviour or building individual trust. Consent-based models which only incentivise getting agreement, not necessarily giving a full disclosure or receiving true buy-in, should be avoided.

  • Oversight should create an environment that focuses on the true issue of preventing harm, not punishing noncompliance. A focus on noncompliance may have the perverse effect of rewarding the unscrupulous who save time and effort by not trying to comply. Merely financial penalties make rights abuses a cost of doing business.

  • All parties should collaborate to create tools and resources to help all others comply with standards and support individuals' rights, for the sake of a level playing field and to encourage a healthy market. Small enterprises should not be punished for lack of resources to implement complex compliance programs.

One of the failings of our modern society is that we have incentivised behaviours that are antisocial. Aside from debating morality, it is a simple fact that people will often gain a material advantage from acting in a way that may be detrimental to others or society as a whole. To use the economic parlance, they are only being "rational" in this course of action, acting according to a logic.


We often see this in personal data-heavy companies, who utilise surveillance capitalism techniques to harvest data from individuals or build profiles for sales and marketing. Online platforms and other businesses have a lot to gain from acting in this way.


However, incentives can be changed, and such changes in environment result in behavioural changes by individual or organisational actors. All social stakeholders should examine the incentives in place and the behaviours that they encourage to ensure they meet the collective goals of valuing data protection and the right to privacy.


At an organisational level, entities should examine how their policies and procedures encourage employees to act. They should ask how their very business goals influence behaviour. For example, if an employee is rewarded with a bonus for sales volume, they will prioritise sales and may choose to improperly utilise personal information to make a sale - even if corporate policies state how much the organisation values privacy. Organisations should find ways to achieve and reward goals related to ethical behaviour or building individual trust.


Similarly, stakeholders should reevaluate the mechanisms involved in the collection of personal information, particularly gathering of individuals' consent. Utilising a consent-based model will create incentives for the organisations and individuals. Namely, when consent is the key to unlocking the business relationship, then the true goal and incentive is merely to complete the agreement. Or, tick the box. Or - worse still - not untick the box.


We must work to incentivise organisations to give a full disclosure of their practices, in a way individuals can truly understand, in order to receive the data subject's buy-in. This can be hard, much harder than having a one-off legalese form that whithers and wherefores its way to the length of Hamlet, and lulls the reader into consenting merely to move on. We need to develop different kinds of relationships than legalistic or oppositional.


Oversight bodies should examine the environment that we are creating as well. If we choose to focus punishment on technicalities of noncompliance, we create an environment that could miss the true focus of preventing harm to individuals. Organisations would become incentivised to create the long, legalistic statements I just described, instead of engaging in a dialogue with data subjects. We should incentivise the spirit of our goals as much as technical compliance.


A focus on noncompliance may also have the perverse effect of rewarding the unscrupulous - if an organisation will be punished, and potentially heavily punished, for technical noncompliance, even despite best efforts, that entity will be in a worse position than those who did not make the attempt. The latter will have saved time, money, and effort by not even trying to comply, hoping to dodge detection.


The same can be true of the nature of the penalties that are distributed. Merely financial penalties make matters of privacy rights and abuses into an equation, a cost of doing business. Instead of focusing on the financial, my office will develop orders and other remedies to reach the heart of protecting individual rights.


Lastly, we must ensure that all parties are incentivised to participate in protecting rights. Small enterprises may feel that they cannot possibly comply. These entities should not be punished solely for lack of resources to implement complex compliance programs. A failure of incentives in this regard runs the risk of creating data monopolies, where only large, established organisations can comply and new entrants are doomed. We must take a multi-stakeholder approach to ensure that appropriate tools and resources are available to help the entire community, for the sake of a level playing field and to encourage a healthy market.


On our Privacy Compass, the Compass Point of Incentives is found between Ethics and Individuals, because incentives are the way we operationalise our ethics, the way we ensure we keep the best interest of the individuals at heart. Only by creating appropriate incentives can we ensure that our markets, and our society, function in a healthy, beneficial way.


Alexander McD White

Privacy Commissioner

