Corporate Approaches to Data Protection & Privacy Driving Factors Behind Technology Companies’ Privacy Strategies In a Post-Snowden, Post-Safe Harbor Era

Abstract

As data flows increase exponentially by the day, and as online hacks and breaches have become commonplace, individuals, governments and corporations have all been forced to confront the challenge of maintaining data privacy in an information-rich society. As a result of ongoing tensions between the United States’ libertarian view and the European Union’s dignitarian view of privacy, which have resulted in an incoherent and complex transnational privacy regime, as well as the invalidation of the Safe Harbor Agreement, even information technology companies formerly focused only on profits and innovation have had to take up the mantle of protecting their customers’ data privacy. In this study, I explore different companies’ approaches toward protecting privacy, and seek to answer: What factors drive companies to adopt certain privacy practices? Based on interviews with data privacy experts and a case study analysis of the company traits and legal, technical, structural and public relations privacy initiatives of five technology companies (Google, Microsoft, Apple, Mozilla and Uber), I conclude that a company is more likely to be proactive and comprehensive about its privacy practices when: (1) its primary service is not the collection and selling of information, (2) it explicitly prioritizes privacy or customer trust in its mission statement or company values, or (3) it is a probable target for legal enforcement. In addition, a company’s non-profit status seems to be associated with a more active pro-privacy public profile, but is not necessarily correlated with more thorough technical, legal or structural privacy measures. Lastly, larger companies are more likely to have the resources to adopt significant or a greater number of privacy initiatives compared to start-ups and smaller companies. Regarding the debate on the appropriate definition of privacy in the context of data protection and information technology, I argue for a combination of both the U.S. and EU views of privacy.