Author(s): Kenneth A. Bamberger and Deirdre K. Mulligan
Year: 2013
Abstract:
As
this Article goes to press, the European Union is embroiled in debates
over the contours of a proposed new privacy regulation. These efforts,
however, have lacked critical information necessary for reform. For,
like privacy debates generally, they focus almost entirely on law “on
the books” — legal texts enacted by legislatures or promulgated by
agencies. By contrast, they largely ignore privacy “on the ground” — the
ways in which corporations in different countries have operationalized
privacy protection in the light of divergent formal laws, different
approaches taken by local administrative agencies, and other
jurisdiction-specific social, cultural, and legal forces.
Indeed,
despite the new regulation’s central goal of harmonizing privacy across
Europe by preempting today’s enormous variation in national approaches,
policymakers have been hobbled by an absence of evidence as to which
national choices about privacy governance have proven more or less
resilient in the face of radical technological and social change.
Information about the relative strengths and benefits of the alternate
regulatory approaches that have flourished in the “living laboratories”
of the European member states is largely undeveloped.
This
Article begins to fill this gap — and at a critical juncture. Our “on
the ground” project uses qualitative empirical inquiry — including
interviews with, and questionnaires completed by, corporate privacy
officers, regulators, and other actors within the privacy field in three
European countries, France, Germany and Spain — to identify the ways in
which privacy protection is implemented in different jurisdictions, and
the combination of social, market, and regulatory forces that drive
these choices. It thus offers a comparative “in-the-wild” assessment of
the effects of the different regulatory approaches adopted by these
three countries.
In the face of novel challenges to privacy,
leveraging the adaptability of distinct regulatory approaches and
institutions has never been more important. As technological and social
change has altered the generation and use of data, the definition of
privacy that has prevailed in the political sphere — individual control
over the disclosure and use of personal information — has increasingly
lost its salience. In particular, the common instruments of protection
generated by this definition — procedural mechanisms to protect
individual “choice” — have offered an inapt paradigm for privacy
protection in the face of data ubiquity and computing capacity. In
developing new metrics for protecting privacy, policymakers must take
into account a far more granular and bottom-up analysis of both
differences in national practice and the forces on the ground that
result in the diffusion — or lack thereof — of corporate structures and
institutions that research suggests are most adaptive in protecting
privacy in the face of change.
Through such comparative analysis,
this Article upends the terms of the prevailing policy debate,
revealing the ways in which different regulatory choices have shaped
corporate behavior. This analysis offers important insights for
policymakers considering reform not just in Europe, but also in United
States, where Congress, the Federal Trade Commission, and the Obama
administration have all expressed a willingness to reexamine deeply the
current regulatory structure, and a desire for new models. And, more
broadly, it underscores the importance of administrative agencies’
choices about regulatory tools and approaches, relations with those that
they regulate, and their own internal structures in shaping the mindset
and behavior of the private firms they govern to maximize public
values.
Keywords: Privacy, Data Protection, EU, Administrative Law, Comparative Law, Governance, Regulation, Technology, Europe, Qualitative Empirical Research, Corporate Compliance, Data Protection Authority, Interviews, Organizational Behavior
Link: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2328877