In 2019, a group of legal academics and practitioners in the field of privacy law sent a letter to the deans of all U.S. law schools about privacy law education in law schools. The letter dated 11th November 2019, among others, states:
Privacy has become one of the principal frames that the law (and legal practice) have used to grapple with the digital revolution and the opportunities and threats it has presented for every consumer of legal services in the world. The field of privacy law has been growing at a staggering rate over the past two decades. For many years, privacy has been one of the most active areas of legislation and regulation in the U.S. and worldwide.
According to Professor Daniel Solove, the founder of TeachPrivacy and one of the signatories of the letter, although the field of privacy law grown dramatically in past two decades, education in law schools about privacy law has significantly lagged behind. Most U.S. law schools lack a course on privacy law. Of those that have courses, many are small seminars, often taught by adjuncts. Of the law schools that do have a privacy course, most often just have one course. Most schools lack a full-time faculty member who focuses substantially on privacy law.
The letter states, “We are a group of privacy law academics and practitioners who are writing to you and other law school deans to raise awareness about the importance of privacy law in modern legal practice and the need to educate students in this rapidly growing field.”
The underlying basis of the call was based on four important points: (i) Privacy law is this century’s IP law, (ii) Privacy law is a large and rapidly growing field with nearly boundless job opportunities, (iii) Law schools that offer real and deep education in privacy law are reaping important competitive advantages, and (iv) The is a clear path forward.
On point (ii), according to the letter, even during the legal market slowdown, jobs in privacy expanded at an astounding pace. There are plentiful career opportunities for law graduates in law firms, consulting firms, government agencies, public interest organizations, and in-house legal departments. For example:
- 96 of the AmLaw top 100 firms have privacy and cybersecurity practices. Many have 30+ attorneys. There are entire boutique law firms that specialize in privacy.
- Most large organizations employ many full-time privacy professionals, including many lawyers. In many private sector companies, the Chief Privacy Officer has become a C-level position and part of upper management.
- Most executive branch agencies have a Chief Privacy Officer as well as a team of lawyers working on privacy. There are numerous lawyers in regulatory agencies who focus on privacy enforcement and rulemaking.
- The International Association of Privacy Professionals has 50,000 members, and it is growing by 25-30% or more each year.
- Privacy law is one of just 15 specialty areas accredited by the ABA.
In relation to point (iv), the privacy law academics and practitioners recommended that at minimum, every law school should offer at least one 3+ credit privacy law survey course. Privacy is too vast a field to be covered in just one course, however. A deeper curriculum might include courses such as those listed below:
- Cybersecurity Law
- Consumer Privacy Law
- Health Privacy Law
- Financial Privacy Law
- International/Comparative Privacy Law
- Computer Crime
- Privacy Compliance Counseling
- Data Breach Response
In 2000 when the IAPP was established, the privacy profession was nascent. A handful of practitioners, hailing mainly from adjacent legal fields, began working to define, promote and improve the privacy profession globally. Twenty years later, the IAPP’s membership has soared to more than 70,000 members globally, and demand for privacy pros has never been higher. Today, there are hundreds of privacy and data protection regulations around the globe, thousands of new data driven products and services launched daily, and millions of existing applications to which billions of individuals have entrusted their data. The global digital economy and internet ecosystem is built on data, its use and its protection. As a result, the need for privacy pros with multidisciplinary expertise in law, business and technology is on the rise.
Just one year after the EU General Data Protection Regulation entered effect, IAPP research showed approximately 500,000 organizations had registered data protection officers with EU data protection authorities. Recognizing the benefits privacy pros can bring to organizations, individuals and regulators, policymakers around the world introduced DPO requirements in new data protection bills. The IAPP recently catalogued 53 countries whose privacy and data protection laws require organizations to designate a DPO to translate legal protections into practical reality. These requirements and organizations’ need to protect the valuable data they collect will continue to increase the demand for well-educated privacy and data protection professionals.
In Asia, countries such as Singapore, Korea, China, the Philippines, Thailand, require the appointment of a DPO. Malaysia plans to amend its law to require the same. More importantly, the Indonesian draft law (RUU) has a similar condition.
As the IAPP puts it – “Today, demand for qualified privacy professionals is surging. Soon, societal, business and government needs for practitioners with expertise in the legal, technical and business underpinnings of data protection could far outstrip supply.”
Wrote on his experience two years ago, Professor Solove said,
I am constantly approached by students and graduates from law schools across the country who are wondering how they can learn about privacy law and enter the field. Many express great disappointments at the lack of any courses, faculty, or activities at their schools. After years of hoping that the legal academy would wake up and respond, I came to the realization that this wasn’t going to happen on its own.
Honestly, I am experiencing the same thing – people want to learn and study about privacy and data protection law. This is the fundamental factor that incite me to establish the APPDI.
However, while training and certification help, new educational opportunities will be crucial for the growth and maturity of the profession of privacy and data protection. Academic privacy and data protection programs will play a critical role in developing the next-generation privacy professionals.
On this special occasion of celebrating of its 97th anniversary, I am making this special request for the Faculty of Law, Universitas Indonesia to consider giving due consideration in introducing privacy and data protection law into its program.
As we know, data protection is high on international agenda. This is reflected by the following initiatives and developments:
- The United Nations in 2015 appointed a Special Rapporteur on the right to privacy.
- The United Nations Development Group has issued Data Privacy, Ethics and Protection – Guidance Note on Big Data for Achievement of the 2030 Agenda (SDG).
- The United Nations General Assembly has adopted Resolutions on The Right to Privacy in the Digital Age.
- Data protection has been included in several international trade agreements, i.e., RCEP, TPP, etc.
- Data protection regulation has been considered in several high profile cases, i.e., FTC fined Facebook USD 5 Billion, the highest fine.
- Numerous countries are drafting new data protection laws or are reviewing existing ones.
- Several global and regional organizations have issued (or are developing) multiparty agreements and/or guidelines on data protection – UNICEF has issued a Guideline called The Case for Better Governance of Children’s Data: A Manifesto in 2021, WHO has issued Contact tracing in the context of COVID-19.
Hence, let’s put data protection and training of the data protection professionals on the agenda of the Law Faculty.
THANK YOU.
Adj. Prof. Abu Bakar Munir
Adjunct Professor of Faculty of Law Universitas Indonesia