You have to understand your key groups: employees and customers. What does each group consider private? How much do they care about each area? Is there anything that would make them surrender that particular privacy? You're going to find out that different employees (and customers) have very different concerns.
Then you have to review all of your privacy policies. For your employees, this would include your ability to access all company emails and phone calls (and, presumably, texts and Twitter exchanges and any other communication mechanism). Do you really need that information? If you do, is there a less intrusive way of getting it? You might conclude that less intrusion could prove to be a useful recruiting/retention tool, especially for developers and engineers. Examine your culture and have that discussion — in a 2014 context — with senior management.
3. Subpoenas and search warrants
An email vendor called Lavabit was a small player in the aftermath of Edward Snowden's revelations about the National Security Agency. When hit with a court order to turn over encryption keys, the company complied — sort of. It delivered an 11-page printout in four-point type. Prosecutors complained, saying that the printout was illegible.
"To make use of these keys, the FBI would have to manually input all 2,560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data," prosecutors wrote, according to Wired. The court eventually forced Lavabit to give the government the key in an electronic form. Lavabit then took an unusual move: It told its customers that it could no longer protect such communications and then shut down the service to prevent any more of its customers from unintentionally sharing data with government investigators.
Taking that kind of stand might make sense for some companies. The standard disclaimer today states that the vendor will hand over anything that anyone can get a judge to sign off on. I'd guess that's the way 95% of companies should go, but for a few, taking a stand could be good for business. Certainly it's something that businesses should discuss.
The way most companies present their privacy policies is a joke. They're in tiny type, with page after page of unintelligible legalese. Typically, they can be summed up as, "We can do anything we want, and there's nothing you can do about it. Just click on the Accept box, which will bind you to everything in here. Your only other option is to not use our site or app."