Monday, March 28, 2016

Seminar 5 Position Statement: Dr Gilad Rosner

Data Protection and International Policy-Making

Dr Gilad Rosner

Horizon Digital Economy Research Institute / Internet of Things Privacy Forum



International privacy and data protection has always been a rather difficult challenge. This is in part a reflection of the difficulties of international regulation generally. Even intra-national privacy regulation is contentious: consider the tension between differing US states’ privacy laws, between German states and the federal government, or the great variation among EU member states despite having a supranational model law. That law, the 1995 Data Protection Directive, specified that personal data cannot be transferred out of the EU to other countries unless their own national data protection laws were adequate in comparison with Europe’s. While many nations were deemed adequate, arguably the most important non-European data transfer target – the US – would never reach an adequacy determination. To repair this breach, the ‘Safe Harbour’ framework was created, stipulating that companies could self-attest that they meet similar levels of data protection as in Europe. Last year saw this problematic solution invalidated by the European Court of Justice, in part because the revelations of mass surveillance by the US by Edward Snowden cast deep suspicion over the possibility of adequacy envisioned under Safe Harbour. More over, the Court saw the absence of Europeans’ ability to seek redress in US law for violations of their privacy rights as further complicating the US/EU data transfer relationship. The Safe Harbour invalidation caused the EC to accelerate the genesis of its replacement, dubbed the ‘Privacy Shield.’ This framework, too, is a self-certification regime; indeed, it’s hard to imagine any other type of regime being created.

The issue at the heart of such transatlantic, international policy gyrations is power – specifically, the ability to regulate. That is, once data leaves Europe, it and its recipient custodians are beyond the reach of the originating country’s regulators, who are tasked with ensuring the data protection rights of their citizens. Regulation relies upon, among other things, the ability to inspect and sanction – these abilities stop at a country’s borders, whereas the transport systems for the data being regulated are designed to cross borders at extremely high speeds. So, there is a fundamental tension within the institution of data protection between the prerogatives and powers of nations and the architectural intentions of networked technologies. Nowhere is this more evident than in attempts at international policy-making.

Privacy Shield, whatever its future efficacy, cleverly relies upon co-regulation. In the US, the closest thing to a data protection authority is the Federal Trade Commission (FTC), whose remit includes ‘deceptive and unfair practices.’ Rather than dealing with privacy issues directly, the FTC can sanction companies when they promise to treat data a certain way (via, e.g., a privacy policy) and then fail to behave in line with those promises. To participate in Privacy Shield, companies must declare that they subscribe to several principles, including Notice, Choice, Accountability for Onward Transfers, subject Access, and Purpose Limitation. This public declaration serves as a promise in the FTC’s eyes, which then gives them purchase to sanction misbehaving companies.

The subject access provision is an example of a European data protection right that does not exist consistently in American law, but here is being extended from Europe into US information policy and then enforced by a US institution. Privacy rights and values, thereby, are evolving through non-legislative means via treaties and administrative policy. While US privacy advocates have criticized the Privacy Shield as being fatally porous[1], its future is still being written, and at least it has the benefit of being creative, forward-looking policy.

Privacy Shield is reliant on ‘institutional momentum’ – over 15 years of prior established policy. Institutional theory says that institutions – in this case, data protection – tend towards durability and stability. Privacy Shield is a recommitment to data protection principles, occurring in an international context. This is a positive evolutionary step; what neo-institutionalist scholar Ronald Jepperson[2] might call “institutional development.” Still, the criticisms of Privacy Shield and those yet to come are reflective of other scholars’ view of institutions as “contested terrains contoured by variation, struggles and relatively temporary truces[3].”




[1] O’Brien, D. and Reitman, R. (2016). The Privacy Shield is Riddled with Surveillance Holes. Electronic Frontier Foundation. https://www.eff.org/deeplinks/2016/03/privacy-shield-riddled-surveillance-holes
[2] Jepperson, R. (1991). Institutions, Institutional Effects, and Institutionalism. In W. Powell & P. DiMaggio (Eds.), The New Institutionalism in Organizational Analysis (pp. 143-163). Chicago: University of Chicago Press.
[3] Greenwood, R., Oliver, C., Sahlin, K. and Suddaby, R. (2008). Introduction. In R. Greenwood, C. Oliver, K. Sahlin & R. Suddaby (Eds.), The SAGE Handbook of Organizational Institutionalism (pp. 1-46). London: SAGE.

No comments:

Post a Comment