Privacy in Europe: Initial Data on Governance Choices and Corporate Practices

136 Pages Posted: 23 Sep 2013

See all articles by Kenneth A. Bamberger

Kenneth A. Bamberger

University of California, Berkeley - School of Law

Deirdre K. Mulligan

University of California, Berkeley - School of Information

Date Written: September 20, 2013

Abstract

As this Article goes to press, the European Union is embroiled in debates over the contours of a proposed new privacy regulation. These efforts, however, have lacked critical information necessary for reform. For, like privacy debates generally, they focus almost entirely on law “on the books” — legal texts enacted by legislatures or promulgated by agencies. By contrast, they largely ignore privacy “on the ground” — the ways in which corporations in different countries have operationalized privacy protection in the light of divergent formal laws, different approaches taken by local administrative agencies, and other jurisdiction-specific social, cultural, and legal forces.

Indeed, despite the new regulation’s central goal of harmonizing privacy across Europe by preempting today’s enormous variation in national approaches, policymakers have been hobbled by an absence of evidence as to which national choices about privacy governance have proven more or less resilient in the face of radical technological and social change. Information about the relative strengths and benefits of the alternate regulatory approaches that have flourished in the “living laboratories” of the European member states is largely undeveloped.

This Article begins to fill this gap — and at a critical juncture. Our “on the ground” project uses qualitative empirical inquiry — including interviews with, and questionnaires completed by, corporate privacy officers, regulators, and other actors within the privacy field in three European countries, France, Germany and Spain — to identify the ways in which privacy protection is implemented in different jurisdictions, and the combination of social, market, and regulatory forces that drive these choices. It thus offers a comparative “in-the-wild” assessment of the effects of the different regulatory approaches adopted by these three countries.

In the face of novel challenges to privacy, leveraging the adaptability of distinct regulatory approaches and institutions has never been more important. As technological and social change has altered the generation and use of data, the definition of privacy that has prevailed in the political sphere — individual control over the disclosure and use of personal information — has increasingly lost its salience. In particular, the common instruments of protection generated by this definition — procedural mechanisms to protect individual “choice” — have offered an inapt paradigm for privacy protection in the face of data ubiquity and computing capacity. In developing new metrics for protecting privacy, policymakers must take into account a far more granular and bottom-up analysis of both differences in national practice and the forces on the ground that result in the diffusion — or lack thereof — of corporate structures and institutions that research suggests are most adaptive in protecting privacy in the face of change.

Through such comparative analysis, this Article upends the terms of the prevailing policy debate, revealing the ways in which different regulatory choices have shaped corporate behavior. This analysis offers important insights for policymakers considering reform not just in Europe, but also in United States, where Congress, the Federal Trade Commission, and the Obama administration have all expressed a willingness to reexamine deeply the current regulatory structure, and a desire for new models. And, more broadly, it underscores the importance of administrative agencies’ choices about regulatory tools and approaches, relations with those that they regulate, and their own internal structures in shaping the mindset and behavior of the private firms they govern to maximize public values.

Keywords: Privacy, Data Protection, EU, Administrative Law, Comparative Law, Governance, Regulation, Technology, Europe, Qualitative Empirical Research, Corporate Compliance, Data Protection Authority, Interviews, Organizational Behavior

JEL Classification: L20, M14, O33, K23, K39, K42

Suggested Citation

Bamberger, Kenneth A. and Mulligan, Deirdre K., Privacy in Europe: Initial Data on Governance Choices and Corporate Practices (September 20, 2013). George Washington Law Review, Vol. 81, p. 1529, 2013, UC Berkeley Public Law Research Paper No. 2328877, Available at SSRN: https://ssrn.com/abstract=2328877

Kenneth A. Bamberger (Contact Author)

University of California, Berkeley - School of Law ( email )

Boalt Hall NA446
Berkeley, CA 94720-7200
United States
(510) 643-6218 (Phone)

HOME PAGE: http://www.law.berkeley.edu/faculty/profiles/facultyProfile.php?facID=5701

Deirdre K. Mulligan

University of California, Berkeley - School of Information ( email )

102 South Hall
Berkeley, CA 94720-4600
United States

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
751
Abstract Views
4,532
Rank
66,256
PlumX Metrics