Privacy officers at higher education institutions are in a unique position to go beyond data protection legal requirements and provide privacy management education and tools to the people we serve today, so they can demand more privacy protection from the world outside academia tomorrow.
When I was growing up in communist Bulgaria, privacy was not a thing. Come to think of it, we did not even have a word for it. Everyone knew about the government surveillance, and we adjusted our lives accordingly: no flaunting of possessions, no going to church, no telling political jokes outside a trusted circle, no associating with "questionable subjects." When the Berlin Wall fell in November 1989, the country started on the long road to democracy. There was too much chaos for any systematic tracking, but many of us continued to live as if we were still being watched. We'd been conditioned.
When I came to America in the late 1990s, the internet was already ubiquitous in homes and offices. It was fascinating to see millions of people gleefully creating online accounts and oversharing on public forums, seemingly without fear of observation or judgment. The trend was global, of course, and if a country like Bulgaria lagged behind in those years, it was because of the limited access to a reliable internet service rather than any sort of privacy mindset.
Some of you who have been privacy scholars and advocates for decades may have recognized where this trend was heading. I, along with many other people around the world, was oblivious to the big picture. As an IT professional, I knew my data was being collected when I was online. I also knew that companies were monetizing that data by pushing targeted products and services to me. That felt intrusive and annoying but not explicitly harmful to me. I exercised whatever privacy rights I knew I had by joining the national do-not-call registry and opting out of marketing emails. With those measures taken, I called it a day.
Then, a little over two years ago, I was assigned to coordinate the University of Michigan's General Data Protection Regulation (GDPR) compliance efforts. As I was researching the regulation and compliance requirements, the Cambridge Analytica-Facebook scandal broke. Suddenly, privacy became an issue for me. I realized that my data is collected not only to profile me and enrich companies, but it could also be used to manipulate my thoughts and actions. I had experienced that before in the authoritarian regime of my youth. The infuriating difference was that technology had enabled these privacy violations to such an extent that they were happening without my knowledge, in a democratic society, by actors I didn't even know existed.
I cannot say that I have radically changed my behavior as a consumer in the last couple of years because what I can do as a consumer in the United States to protect my privacy is mostly the same. I still opt out and adjust my privacy settings, where available. I try to read the lengthy privacy notices that pop up on my screen, and like the majority of Americans suffering from digital resignation,[1] I accept them—because, really, would I disable my Gmail account over Google's questionable use of my data? What has changed is that I understand the consequences of my actions, I better know my rights (or lack thereof, as the case may be), and I am beginning to voice my opinion about what needs to change. I have found a mission: to educate the diverse community at the University of Michigan about privacy and to empower students, faculty, and staff to take action when something is not right.
The time is ripe for this work. At the start of the third decade of the 21st century, privacy is a thing for the majority of Americans. According to a recent Pew Research Center report,[2] more than 80 percent of people in the United States feel that they have very little or no control over the data that government and companies collect about them. Moreover, the majority of people in the United States are concerned about the use of that data, yet they have little-to-no understanding of data protection laws.
At higher education institutions, privacy officers and those with privacy-supporting roles are in a unique position to go beyond what is mandated by law and to do what is right. The mission of such institutions is to educate and challenge in service to society. This mission is in direct opposition to the repressive environment and conditioned behaviors I experienced years ago in another life.
So let's engage our respective communities with compelling privacy outreach, modern privacy notice interfaces,[3] personalized privacy assistant technology,[4] and other solutions that enable people to actively understand and protect their privacy. After all, we are here to set a higher standard, so that the people we serve today can demand the same from the world outside academia tomorrow.
Notes
1. Nora A. Draper and Joseph Turow, "The Corporate Cultivation of Digital Resignation," New Media & Society 21, no. 8 (2019): 1824–1839.
2. Brooke Auxier et al., Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information, research report (Washington, DC: Pew Research Center, November 2019).
3. Florian Schaub, Rebecca Balebako, Adam L. Durity, and Lorrie Faith Cranor, "Design Space for Effective Privacy Notices," paper presented at the Eleventh Symposium on Usable Privacy and Security (SOUPS), Ottawa, Canada, July 2015.
4. Bin Liu et al., "Follow My Recommendations: A Personalized Privacy Assistant for Mobile App Permissions," paper presented at the Twelfth Symposium on Usable Privacy and Security (SOUPS), Denver, CO, June 2016.
Svetla Sytch is Assistant Director of Privacy and IT Policy at the University of Michigan.
© 2020 Svetla Sytch. The text of this work is licensed under a Creative Commons BY-SA 4.0 International License.