Privacy in Europe: Initial Data on Governance Choices and Corporate Practices

Kenneth A. Bamberger

University of California, Berkeley - School of Law

Deirdre K. Mulligan

University of California, Berkeley - School of Information

September 20, 2013

George Washington Law Review, Vol. 81, p. 1529, 2013
UC Berkeley Public Law Research Paper No. 2328877

As this Article goes to press, the European Union is embroiled in debates over the contours of a proposed new privacy regulation. These efforts, however, have lacked critical information necessary for reform. For, like privacy debates generally, they focus almost entirely on law “on the books” — legal texts enacted by legislatures or promulgated by agencies. By contrast, they largely ignore privacy “on the ground” — the ways in which corporations in different countries have operationalized privacy protection in the light of divergent formal laws, different approaches taken by local administrative agencies, and other jurisdiction-specific social, cultural, and legal forces.

Indeed, despite the new regulation’s central goal of harmonizing privacy across Europe by preempting today’s enormous variation in national approaches, policymakers have been hobbled by an absence of evidence as to which national choices about privacy governance have proven more or less resilient in the face of radical technological and social change. Information about the relative strengths and benefits of the alternate regulatory approaches that have flourished in the “living laboratories” of the European member states is largely undeveloped.

This Article begins to fill this gap — and at a critical juncture. Our “on the ground” project uses qualitative empirical inquiry — including interviews with, and questionnaires completed by, corporate privacy officers, regulators, and other actors within the privacy field in three European countries, France, Germany and Spain — to identify the ways in which privacy protection is implemented in different jurisdictions, and the combination of social, market, and regulatory forces that drive these choices. It thus offers a comparative “in-the-wild” assessment of the effects of the different regulatory approaches adopted by these three countries.

In the face of novel challenges to privacy, leveraging the adaptability of distinct regulatory approaches and institutions has never been more important. As technological and social change has altered the generation and use of data, the definition of privacy that has prevailed in the political sphere — individual control over the disclosure and use of personal information — has increasingly lost its salience. In particular, the common instruments of protection generated by this definition — procedural mechanisms to protect individual “choice” — have offered an inapt paradigm for privacy protection in the face of data ubiquity and computing capacity. In developing new metrics for protecting privacy, policymakers must take into account a far more granular and bottom-up analysis of both differences in national practice and the forces on the ground that result in the diffusion — or lack thereof — of corporate structures and institutions that research suggests are most adaptive in protecting privacy in the face of change.

Through such comparative analysis, this Article upends the terms of the prevailing policy debate, revealing the ways in which different regulatory choices have shaped corporate behavior. This analysis offers important insights for policymakers considering reform not just in Europe, but also in the United States, where Congress, the Federal Trade Commission, and the Obama administration have all expressed a willingness to reexamine deeply the current regulatory structure, and a desire for new models. And, more broadly, it underscores the importance of administrative agencies’ choices about regulatory tools and approaches, relations with those that they regulate, and their own internal structures in shaping the mindset and behavior of the private firms they govern to maximize public values.

Number of Pages in PDF File: 136

Keywords: Privacy, Data Protection, EU, Administrative Law, Comparative Law, Governance, Regulation, Technology, Europe, Qualitative Empirical Research, Corporate Compliance, Data Protection Authority, Interviews, Organizational Behavior

JEL Classification: L20, M14, O33, K23, K39, K42


Date posted: September 23, 2013  

Suggested Citation

Bamberger, Kenneth A. and Mulligan, Deirdre K., Privacy in Europe: Initial Data on Governance Choices and Corporate Practices (September 20, 2013). George Washington Law Review, Vol. 81, p. 1529, 2013; UC Berkeley Public Law Research Paper No. 2328877. Available at SSRN: https://ssrn.com/abstract=2328877

Contact Information

Kenneth A. Bamberger (Contact Author)
University of California, Berkeley - School of Law
Boalt Hall NA446
Berkeley, CA 94720-7200
United States
(510) 643-6218 (Phone)
HOME PAGE: http://www.law.berkeley.edu/faculty/profiles/facultyProfile.php?facID=5701

Deirdre K. Mulligan
University of California, Berkeley - School of Information
102 South Hall
Berkeley, CA 94720-4600
United States