Opinion: You Say 'Shameful Secret,' I Say 'Privacy'

Multinationals may need to shift gears on how they talk to their employees about privacy if they want to lock down their offshored data.

Just because globalization at this point seems unstoppable doesn't mean it's going to be easy. The pitfalls awaiting companies venturing into distant lands remain very real. Take the matter of data privacy. Currently, momentum is building among Western multinationals to seek approval from the European Union for their binding corporate rules (BCR) on privacy. Once they have that approval in hand, these companies are rolling out training on the new rules around the world. But when they do so, they often find that when it comes to the topic of privacy, Westerners and the rest of the world are often talking at cross purposes.

Quite simply, the concept of individual privacy rights doesn't translate into the collectivist cultures where over half the people in the world live. A combination of language problems, foreign concepts and privacy values that aren't shared means PowerPoint presentations produced in New York are falling on deaf ears in Shanghai, Mumbai and Johannesburg.

Take China, for example. U.S. multinationals trying to break into the Chinese market or tap Chinese engineering talent are setting up shop in southern China. When the topic of privacy arises, they are finding that the Chinese have a very different idea of what it is. The Mandarin word for privacy -- yin si -- generally translates as "shameful secret." According to Lu Yao-Huai, a professor at Central South University in Changsha City, a person asserting a need to withhold personal information could easily be seen as selfish or antisocial.

"Generally speaking, privacy perhaps remains a largely foreign concept for many Chinese people," she wrote in "Privacy and Data Privacy Issues in Contemporary China." Indeed, in 2003, just 55% of Chinese polled said privacy should be respected and protected, compared to figures topping 90% in U.S. polls at the time.

Western corporations may face similar complexities when trying to convey their corporate privacy values to a Japanese audience. In their article "Privacy Protection in Japan: Cultural Influence on the Universal Value," Yohko Orito and Kiyoshi Murata, professors at Ehime and Meiji universities, respectively, explain that Japanese citizens may not share the European view that privacy is an intrinsic right.

"[I]nsistence on the right to privacy as the 'right to be let alone' indicates a lack of cooperativeness as well as an inability to communicate with others," they wrote.

In related research, Masahiko Mizutani, professor at Kyoto University, and Dartmouth professors James Dorsey and James Moor state, "[T]here is no word for privacy in the traditional Japanese language; modern Japanese speakers have adopted the English word, which they pronounce puraibashi."

What explains this negative view of privacy?

"Much Japanese literature and thought has been infused with a thoroughly Buddhist worldview," Mizutani et al. explained. "At the very core of this is not a connection between an everlasting soul and God, but rather the idea that the suffering of the world is linked to the desires of the ego or self ... [T]he effacement of self influences privacy in that the most basic unit which privacy protects, the individual, is sublimated."

Many Western multinationals maintain data centers or call centers in India. But is their privacy training getting through to their Indian employees?

According to a survey by Carnegie Mellon researchers Ponnurangam Kumaraguru and Lorrie Cranor, Indians are markedly less concerned about privacy than Americans. Only this year did India pass a national data-protection law -- and it was more in response to EU and U.S. pressure than because of any popular outcry.

What explains the privacy gap in the subcontinent? Kumaraguru and Cranor concluded that Indians are more trusting than Americans that business and government will protect their personal information. "The Indian joint family tradition, in which it is common for households to include multiple brothers, their wives and their children (all living in a relatively small house, by US standards), results in more routine sharing of personal information among a wider group of people than is typical in the U.S." Said one survey respondent: "As an Indian mentality we always like to share things."

Commentators on the status of privacy in Africa point to similar collectivist mind-sets that may stymie Western corporate efforts to train employees there.

In their article "Western Privacy and/or Ubuntu? Some Critical Comments on the Forthcoming Data Privacy Bill in South Africa," University of Pretoria professors Hanno Olinger and Martin Olivier and University of Wisconsin-Madison professor Johannes Britz explain that ubuntu is a philosophy of living that pervades thought throughout Africa. It's characterized by "a community-based mindset in which the welfare of the group is greater than the welfare of a single individual in the group." The professors elaborate that individual members of the group "cannot imagine ordering their lives individually without the consent of their family, clan or tribe."

As a result, "Privacy as a notion does not function in African philosophical thinking." It's arguably only because of its desire to be seen by the EU as a safe place for data that South Africa is considering becoming the first country on the continent to pass a national data-protection law.

Privacy and faith

Cultural paradigms may not be the only lenses through which employees interpret and connect with corporate privacy policies. Religious beliefs may also play a role.

Take the Book of Genesis, for example, which Judaism, Christianity and Islam draw from. Says Genesis 1:26: "Then God said, 'Let us make man in our image, after our likeness ...'" Because man is an ensouled creation of the Almighty to these 3 billion adherents, he carries a special dignity that must be respected by businesses and governments.

This dignitary approach to privacy is the foundation of Article 12 of the 1948 UN Universal Declaration of Human Rights, which states: "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation."

Even though religious practice has waned in Europe since 1970, this same dignitary-based view of privacy is arguably the principal influence in the EU's landmark 1995 Directive on Data Protection. But unless Western corporations become more comfortable speaking the language of faith -- less fearful of giving offense -- their appeals to toe the privacy line may fall on deaf ears.

When you consider the historic attitude toward privacy rights in the Judaic tradition, Israel's position at the forefront of privacy protection is not surprising. In his book The Unwanted Gaze: The Destruction of Privacy in America, George Washington University professor Jeffrey Rosen writes that hezzek re'iyyah is a concept in Jewish law meaning "the injury caused by seeing."

Quoting the Encyclopedia Talmudit, Rosen says, "Even the smallest intrusion into private space by the unwanted gaze causes damage, because the injury caused by seeing cannot be measured." He explained that Jewish law since the Middle Ages gives you the right to stop a neighbor from building a window that looks into your courtyard, because the uncertainty about whether or not you're being watched may cause you to lead a more restricted life.

To this end, Omer Tene, a member of the Israeli Ministry of Justice Committee for reform of data protection law, says that Israel in 1981 passed the Privacy Protection Act, one of the first data-protection statutes in the world. In 1992, Israel elevated the right to privacy to constitutional status in Section 7 of Basic Law: Human Dignity and Liberty.

And what about Islam? Among Arab countries, Dubai in 2007 became the first to pass a national data-protection law, and it remains alone in that accomplishment. But one would be mistaken to conclude that Islam is silent on privacy.

According to Malaysia-based attorney Abdul Raman Saad, the Quran contains several imperatives to protect privacy. In his article "Information Privacy and Data Protection: A Proposed Model for the Kingdom of Saudi Arabia," Saad points to Sura Al-Hujurat, Verse 12 ("spy not on each other behind their backs"), Sura An-Nur, Verse 27 ("enter not houses other than your own, until ye have asked permission and saluted those in them") and Sura Al-Hujurat, Verse 11 ("Let not some men among you laugh at others ... Nor defame nor be sarcastic to each other, nor call each other by offensive nicknames").

Saad also cites the 1994 Arab Charter of Human Rights as a sign of Islamic respect for privacy. Its Article 21 mirrors the UN declaration: "No one shall be subjected to arbitrary or unlawful interference with regard to his privacy, family, home or correspondence, nor to unlawful attacks on his honour or his reputation."

For its part, the Catholic Church -- whose St. Thomas Aquinas is seen by many as a founder of Western jurisprudence -- proposes many aspects of privacy in common with Judaism and Islam. Its articulation of those concepts, however, may be more familiar to the Western ear. The Catechism of the Catholic Church echoes the modern need-to-know principle ("No one is bound to reveal the truth to someone who does not have a right to know it" (#2489)), the restricted-sharing principle ("Private information prejudicial to another is not to be divulged without a grave and proportionate reason" (#2491)), and the minimum-use principle ("Everyone should observe an appropriate reserve concerning persons' private lives. Those in charge of communications should maintain a fair balance between the requirements of the common good and respect for individual rights." (#2492)).

If a person sins, in the church's view, he damages his relationship with God as well as the rest of society, even if his thought or action caused no tangible harm to others.

And all three monotheistic faiths link privacy to personal modesty, as manifested most visibly in the burqa, nun's habit and traditional Jewish woman's garb.

Solutions for multinationals?

Companies pursuing BCRs and needing employees around the world to connect with and adhere to their new privacy policy can't wait for world peace and understanding. So how can they navigate through the multicultural labyrinth of privacy?

One obvious way is to translate privacy-training materials from English into local languages. Another is to try other words besides "privacy." We have a hard enough time in English-speaking countries deciding what privacy means, so why impose our problem on others? Similar concepts that may carry the water include modesty, solitude, anonymity and personal safety, in addition to the EU's preferred "data protection" construct.

Another way is to express privacy as an instrumental good for the larger group rather than an individual right. For example, "Protecting data privacy is good for our company because it gives us access to new markets"; or, "Privacy is good for society because it elevates the level of respect and decency"; or, "Privacy is good for our country because it increases our respect around the world."

The good news is that global change and convergence is already under way. In many of the collectivist countries profiled above, economic progress is expanding the average person's living space and creating more opportunities for solitude. News of data breaches is also sensitizing citizens who previously trusted their larger groups to the dangers of information sharing. The emergence of breach-notification laws in these countries could accelerate popular demand for enhanced data-protection laws.

And whatever we call it, knowing about what is happening to our personal data is something everyone can sign up for.

Jay Cline is a former chief privacy officer at a Fortune 500 company and is now president of Minnesota Privacy Consultants. You can reach him at cwprivacy@computerworld.com.

This story, "Opinion: You Say 'Shameful Secret,' I Say 'Privacy'" was originally published by Computerworld.

Copyright © 2009 IDG Communications, Inc.
