Global Data Privacy in a Networked World
University of New South Wales, Faculty of Law
October 14, 2011
RESEARCH HANDBOOK ON GOVERNANCE OF THE INTERNET, I. Brown, ed., Edward Elgar, 2012
UNSW Law Research Paper No. 2011-38
This article analyses the global growth of data privacy (‘data protection’) laws over 40 years from a number of perspectives. After outlining the extent of global expansion, the influence of international agreements concerning privacy is identified as one reason for their relative consistency and stability. The nature of United States exceptionalism is discussed briefly, as is the failing APEC alternative. The fundamental elements of data privacy principles, and data privacy enforcement, as seen through these agreements and national legislation, is summarized. The points on which the European Union is proposing to strengthen both principles and enforcement are noted. The extent to which these principles and enforcement mechanisms can cope with the new challenges of a networked world are illustrated through two examples: social networking systems (SNS) and cloud computing.
Bennett and Raab (2006), in the most systematic global review of data privacy regulation, presented their ‘main research question’ as whether there was a ‘race to the bottom’, a ‘race to the top’, or something else, in the global development of data privacy protection. They correctly caution that the existence and formal strength of a data privacy law is only one factor by which we should measure data privacy protection in a country, and two other key dimensions are the effectiveness of enforcement and the extent of surveillance (discussed below). Therefore, globally, there is more than one race to the top or bottom. They concluded that the most plausible future scenario (the Bennett-Raab thesis) was ‘an incoherent and fragmented patchwork’, ‘a more chaotic future of periodic and unpredictable victories for the privacy value’. So Bennett and Raab found some ‘upward’ global trajectory influenced significantly by the EU Directive, but sufficiently weak in the mid-2000s that the countervailing weakness of the APEC approach was enough to make the future quite unpredictable.
Half a decade later, it can be argued that there is now a clearer ‘upward’ global trajectory than Bennett and Raab found, provided we keep clear that we are only talking about the existence and formal strength of data privacy laws, not the other factors. The article shows that by mid-2011 there are 27 data privacy laws outside Europe (as many as there are EU member states), and a handful of further Bills expected to be enacted soon. Of course, the number of data privacy laws can only be part of the measure, but in Africa, Latin America and even in Asia the European Directive has become the single most significant influence on the content of those laws, and leads to them embodying a relatively high standard of data protection principles. The lower standards of the APEC Privacy Framework have not served to ‘slow or even reverse’ this trend as Bennett and Raab and others (myself included) feared. A handful of new data privacy laws across the globe each year, with EU-influenced privacy principles, and revisions of some existing weaker laws to strengthen them, does not constitute a ‘race’ in most uses of the term, but nor does it any longer look like such a ‘halting and meandering walk’ as Bennett and Raab found. It may not be a race, but data privacy laws do have a global trajectory, namely expansion at an increasing rate with principles more commonly influenced by the EU Directive than any other source.
But as Bennett and Raab conclude, there is not one race to the top or bottom that we must consider. It is better to say that the various dimensions on which we must measure the health of privacy as a value, including data privacy principles, their enforcement, and surveillance practices. These dimensions, as they say, differ from place to place and time to time, and are not readily ‘balanced’ into one overall measure. Nevertheless, considered solely on the dimension of the global spread of EU-like data privacy laws, the Bennett-Raab thesis no longer appears correct. On the other dimensions of effective enforcement and limiting surveillance, there are no obvious global trajectories which could give rise to similar optimism.
Number of Pages in PDF File: 29
Date posted: November 4, 2011 ; Last revised: March 11, 2014