Over the last forty years, a strong and principled argument that privacy is a fundamental human right deserving special protection in an age of high technology has confronted more pragmatic considerations from a variety of interests. The messy twists and turns of this international struggle have produced a sort of consensus on what it means for an organization to process personal data responsibly. But it is an uneasy consensus, hedged by exemptions and qualifications, and regularly shaken by monumental shifts in the processing powers of technology, and by game changers like the 9/11 attacks.
This conflict is now being played out again with respect to a new Draft Regulation on privacy protection from the European Union. We have heard that this Regulation is too burdensome, that it will block innovation, that it will cost jobs, trade, and investment, that it will kill the online advertising industry, that it will unreasonably extend the reach of European law beyond European borders and exacerbate the transatlantic divide between a more protectionist and regulatory Europe and a more open and innovative United States.
These views are simplistic and misleading. The same fears were expressed twenty years ago when the first set of European privacy rules was proposed. The Internet has developed and flourished since then, within that framework of national and international privacy law. Privacy protection did not constrain innovation then, and it will not do so today.
Information Privacy and the Geopolitics of Personal Data
Personal data protection, or information privacy law, is all about giving individuals more control over the information that relates to them. It gives certain rights to individuals and also imposes important obligations on organizations. The early laws, introduced mostly in Europe in the 1970s, reflected the technology of the time, and were framed in order to regulate the mainframe “database” and the more discrete, and less networked, systems of records that characterized the early computing era. “Big Brother” was the fear.
As use of the Internet and other digital communication technologies has proliferated, the accessibility of information has grown exponentially, fueling individual empowerment and democratic participation. At the same time, the Internet makes it much easier for organizations to capture, process, and disseminate information about individuals. A wide variety of entities can now observe online behavior by monitoring the network, by tapping into the vast quantity of data collected about individual Internet usage, or by installing spyware directly on individual computers. For as long as individuals have been using the Internet to communicate, shop, apply for services, and network, there has been significant anxiety about the capture and processing of personal information.
However, the online processing of personal information is not just about privacy. It is also fundamental to the very business models through which the Yahoos, Googles, and Facebooks of the world actually make money. Advertising is the lifeblood of the Internet economy. The more detailed and extensive the information companies can discover about personal preferences and behaviors, the more money they make. Privacy laws constrain that ability. Rules about notification, informed consent, access to and correction of personal data, and so on, are not just an important constraint on an organization's ability to monitor consumers; they also have profound economic consequences.
Privacy has, therefore, risen in importance as an economic and political issue. It is increasingly discussed at the highest diplomatic levels. The “geopolitics” of personal data processing now plays out on a scale far beyond that of the issue when it first gained prominence in the 1960s and 1970s.
The International Privacy Rules
Various agreements from international organizations have been crucial in the spread of privacy protection rules. Some, such as the 1980 Privacy Guidelines from the Organization for Economic Cooperation and Development (OECD) or the 1981 Convention 108 from the Council of Europe, have acted more as models or exemplars for national legislation. Others are more coercive. Most notably, the European Union’s 1995 Data Protection Directive (95/46/EC) required every EU member state to transpose its provisions into national legislation. It also had an extra-territorial effect, obliging data controllers to restrict flows of personal data outside Europe to countries with “adequate levels of protection.”
Over time, a combination of factors has meant that most countries do not want to be seen standing outside the club of countries that have such a law. Having a privacy or data protection law is one mark of an advanced democracy. The more jurisdictions that acquire one, the more difficult it is for a country to contend that it should stand outside this club. A recent study by Graham Greenleaf of the University of New South Wales counted around 89 national statutes based on this “information privacy” or “personal data protection” model. Some of these laws are not seriously implemented. Some were introduced for trade-related, rather than rights-related, reasons. Nevertheless, the extent and scope of the diffusion in recent years is noteworthy.
More than any other instrument, the 1995 European Union Data Protection Directive has shaped the conditions under which personal data might be collected, processed, stored, and disseminated internationally. To carry legal force, it needed to be transposed into the legal systems of 27 member states, arguably causing inevitable discrepancies and unnecessary costs for businesses operating in different countries. Furthermore, the so-called “adequacy regime” (the principle that data should not flow out of the EU unless there is an adequate level of protection in the receiving jurisdiction) never worked as originally intended, despite the fact that it continues to motivate non-European countries to line up for the European Commission’s stamp of approval. The process of determining adequacy has been too slow, too secretive, too legalistic, and based on the flawed assumption that “adequate law” means “adequate protection.” There are “adequate” organizations in “inadequate” jurisdictions, just as there are “inadequate” organizations in “adequate” jurisdictions.
The New European Draft Regulation
For these and other reasons, the European Commission has seen fit to update its rules through a new Draft Regulation, designed to harmonize European law, make the process of regulating international data flows more predictable, and be more compatible with the more networked, complex, and interactive realities of communication in the 21st century, in which so much personal data is user-generated through social networking platforms.
The new Data Protection Regulation is supposed to be a ‘one-size-fits-all’ legal instrument, with some limited scope for differing approaches in a few areas. It is designed to save administrative costs: companies with operations in more than one EU Member State will no longer have to deal with several national data protection authorities (DPAs), but will be subject only to the jurisdiction of the DPA of their main establishment. DPAs must also communicate proposed measures they intend to take following regulatory investigations to a new independent European Data Protection Board, designed to check that the rules are being applied the same way across the EU. Interoperability is the new goal: if a company can obey the rules of the authority in its principal place of business, then it can operate legally throughout the EU. There is much in these proposals for business to cheer.
The Regulation also tries to strengthen consumer protection rights in some key respects. It broadens the definition of personal data to cover all circumstances in which any person, and not just the data controller, could identify the data subject; it would thus embrace location data and online identifiers such as IP addresses. The Regulation also expands the circumstances in which explicit, rather than implied, consent is required for personal data processing. It reinforces the right to be notified of the purposes for which personal data are collected. It establishes a new right of data portability, intended, for instance, to allow individuals to take user-generated data supplied to one social-networking service and transfer it to another. And it requires parental consent where children under the age of 13 are asked to provide personal data.
More controversial is the proposal for a “right to be forgotten” that will generally enable individuals to force organizations to delete personal data stored about them “without delay.” Organizations that have made the data public will also be responsible for copies published by third parties, and will be required to “take all reasonable steps, including technical measures” to inform those parties that the data subject wants the information deleted. Organizations will be able to oppose deletion if they can show they have a right to publish the data under the fundamental principle of freedom of expression, or if it is in the public interest for the data to remain in existence.
Proponents argue that this is merely an extension of the existing requirement that organizations keep only relevant information. And what really is wrong with requiring a company to delete all information relating to a user who wishes to have no further dealings with it? Opponents contend that the “right” will invite mischievous complaints and attempts to erase embarrassing personal histories, and will be extremely costly to implement, especially for “hosting platforms” like Google. At the moment, around 100 “right to be forgotten” lawsuits are pending in Spain alone, and some of these cases have now reached the European Court of Justice.
The Draft Regulation also provides DPAs with increased enforcement powers, and enhances individuals’ access to administrative and judicial remedies when data protection safeguards are infringed. DPAs will be able to impose fines on organizations that violate the data protection rules of up to EUR 1,000,000 or up to 2 percent of their worldwide annual turnover. Organizations that handle data will also have greater obligations in the event of a data breach: they will have to notify the data protection authority as soon as possible, where feasible within 24 hours, a requirement that many, including the British DPA, have already declared unenforceable.
The new Regulation also imports some ideas that originated outside Europe, and which are premised on the assumption that top-down regulation is insufficient. For example, Data Protection Impact Assessments, called Privacy Impact Assessments (PIAs) elsewhere, are mandated for the riskier forms of data processing, especially those involving sensitive personal information. In accordance with the new concept of “privacy by design,” data controllers will have to implement technical and organizational measures so that their data processing meets the requirements of the draft Regulation. And products and services will have to be designed so that privacy-friendly settings are activated by default when they are used. Codes of conduct and privacy certification mechanisms are encouraged. And all organizations with 250 or more employees must designate a data protection officer. The new Regulation embraces all the contemporary instruments for the protection of personal data.
As far as international data transfers are concerned, the draft Regulation does try to clarify the various means of legitimizing a transfer of personal data from the EU to a non-EU country. The “adequacy” of the laws in the receiving jurisdiction is just one test. Transfers are also permissible under approved contracts, or under Binding Corporate Rules (BCRs), which allow intra-group transfers beyond EU borders and make it easier for multinational companies to establish a single set of legally binding corporate practices. In order to reach non-EU companies that operate on the Internet, the draft Regulation will also apply to enterprises not established in the EU if they process personal data in relation to either the offering of goods or services to EU residents or the monitoring of their behavior; indeed, it would cover any website that may capture personal data from a device located within the EU.
This Regulation is also accompanied by a separate Proposal for a Directive on “Police and Criminal Justice Data Protection.” The stated intent is to separate privacy issues related to law enforcement from the more general Regulation. The less obvious interpretation is that this separate Directive, which makes significant concessions to law enforcement, was the price that had to be paid for the new provisions in the Regulation. It has been very controversial with privacy advocates and some DPAs.
The Regulation must be approved by both the European Parliament and the Council of Ministers before it can come into effect, and that is likely to take at least two years. Because it is a Regulation rather than a Directive, it would then apply directly across the EU, without national transposition, two years and 20 days after its publication in the Official Journal of the EU.
A Continuing Policy Convergence?
This Draft Regulation is a complicated legal instrument. And as with many complex policies, there are some who are in favor of it, some against it, and then there are the few who have actually read it!
But on the face of it, the Europeans have done a good job responding to the genuine concerns of business, in strengthening and updating consumer rights, and in consolidating and reinforcing the powers of the DPAs. Many of the provisions have counterparts in the existing Directive or in some, but not all, national legislation. Further, the new Draft tries to integrate the full range of policy instruments necessary to promote privacy in the contemporary digitized world. It borrows from the toolkits of non-European states. As Charles Raab and I contended in The Governance of Privacy (MIT Press, 2006), law itself is not sufficient; it must be supplemented with a full range of more self-regulatory, organizational, and technological measures, many of which have originated outside the EU.
Nevertheless, the battle lines are already being drawn and initial opposition is being marshaled. Rarely is that opposition blatant; nobody, after all, is against the protection of privacy. On the contrary, the strategies are more subtle and collegial: they promote privacy in the abstract, insist that it is always in consumers' (and therefore business's) interests, but also nibble away at the privacy rules to minimize costs and inconvenience.
Some of the business concerns are genuine, and there will be legitimate debate about the data breach rules, the permissible fines, data portability, and the right to be forgotten. But there has also already been an extraordinary amount of unnecessary fear-mongering, especially from American corporate interests. We have heard that this “overly prescriptive” Regulation will be burdensome and costly, both financially and in terms of employment. Others argue that it would stifle innovation, hobble the direct marketing industry, and pass high and unpredictable costs along to consumers.
The same arguments were made when the original European Directive was debated in the early 1990s. The Internet, and all the economic and social activity it has generated, has developed since then within the framework of national and international privacy law. Privacy rules do not prevent innovation. On the contrary, to the extent that they build consumer trust, they should promote it.
Furthermore, some of the more controversial provisions have been introduced precisely because prior policies clearly have not worked and have not been taken seriously enough by business. Data breaches occur with depressing regularity. So why not increase the fines? Why not insist that the reporting be immediate?
Much of this rhetoric also assumes that US approaches are fundamentally different from those in Europe. The European formulation of law, “data protection,” sounds inherently protectionist, reflecting a more interventionist and regulatory posture. In contrast, the freer and more innovative climate in the United States, protected by a First Amendment and a Supreme Court that interprets it liberally, permits an environment where more personal data is within the public realm, in which more opportunities arise for the processing of those data, and where technological innovation can flourish.
Yet the European theory of data protection is not essentially different from the US theory of information privacy. Both were developed at around the same time (the late 1960s and early 1970s), and each drew lessons from the other. And the “fair information principles” upon which virtually every personal data protection statute is based are, to some extent, of US origin. Furthermore, “Europe” is not one place. And those same comprehensive rules for the processing of personal data have been adopted in many other non-European countries, including Canada, Australia, New Zealand, and an increasing number of countries in Asia and Latin America.
There is also plenty of evidence that US business is beginning to see what consumer advocates have been saying for a long time: that the complex patchwork of state and federal statutes is inadequate in a complicated, networked environment where it is becoming impossible to distinguish one sector from another. One further step towards comprehensive protection was taken by the Obama Administration in February of this year with the publication of its White Paper on “Consumer Data Privacy in a Networked World,” which recommends a baseline legislated set of privacy principles, implemented in different sectors through tailored codes of practice and enforced through the Federal Trade Commission.
In taking this action, the Administration is recognizing the need for a more seamless and harmonized set of rules. The implementation and enforcement of these rules will differ because of the different constitutional and administrative systems. And the existing mess of statutory, tort, and constitutional law cannot be swept away, but creates legal and institutional legacies that have to be taken into account. In a way, however, those realities exist in every country. The United States is “different,” but so is everywhere else. The question is whether those differences should make a difference.
Ultimately, I see this new European Regulation as a continuation of the broad process of policy convergence, and as a continuation of the trends that were set in motion in the 1970s. The global nature of personal data communications pushes that convergence. The international policy community, increasingly more sophisticated in its understanding of what works and what does not work, pushes that convergence. Transnational standards push that convergence. And the interests of big business push that convergence: the more companies that follow the rules, the more exposed are the free-riders that do not, and the greater incentive for common rules to control market access. I have written about these processes since my first book twenty years ago, Regulating Privacy (Cornell University Press, 1992). In many ways these convergence trends are complementary, and I see them still continuing.
This is the view from 30,000 feet, of course – the geo-political level. It is a view that yields a picture of a continuing convergence and strengthening of privacy standards around the world advanced by a broad cross-national community of experts and officials from government, international agencies, NGOs and indeed business, all ostensibly interested in this value called “privacy.”
The view from the ground affords observers a rather different picture. Here privacy means one thing in the abstract (“your privacy is important to us”) and another thing when translated into practice. It means one thing when corporate privacy officers are promoting privacy-friendliness at international conferences, and another when they are lobbying behind the scenes for an exemption to a privacy bill. We must remember that there are real differences and conflicts about these issues. People do not mean the same thing when they speak about privacy. Scratch the surface of the vague rhetoric and ask penetrating questions about what words like “accountability,” “consent,” “access,” “security,” and so on actually mean, and you get very different answers. The broad values are mired in complexity and qualification. For all organizations, “your privacy is important to us.” Sometimes.
Those conditions and qualifications, according to some, mean that privacy law does not prevent the capture and processing of personal data; it just manages the conditions under which those data are processed. More personal information, of increasing sensitivity and scope, is collected and stored on more and more people, by more and more organizations, than at any time in human history. Privacy law has not stemmed that trend. Perhaps we are sleep-walking into a “surveillance society,” as the former UK Information Commissioner once put it. Perhaps we have less privacy today, even though we have more privacy laws, more privacy regulators, more privacy professionals, more privacy impact assessments, and more public attention.
Over the next two or three years, this same conflict between principle and pragmatism will be fought out over the European Union’s Draft Regulation. What it will look like after it has emerged from the extensive European parliamentary process, and been subjected to lobbying from all and sundry is anybody’s guess. However, the result is likely to shape the rules for international personal privacy protection, and by translation, the “geo-politics” of personal data for many years to come.
COLIN BENNETT is Professor of Political Science at the University of Victoria with a focus on comparative public policy. He has published five books on data surveillance and privacy protection policy and has contributed to reports for the Canadian and UK governments and the European Commission.