Data Protection and International Policy-Making
Dr Gilad Rosner
Horizon Digital Economy Research Institute / Internet of Things Privacy Forum
International privacy and data protection has always been a rather difficult challenge. This is in part a reflection of the difficulties of international regulation generally. Even intra-national privacy regulation is contentious: consider the tension between differing US states’ privacy laws, between German states and the federal government, or the great variation among EU member states despite having a supranational model law. That law, the 1995 Data Protection Directive, specified that personal data cannot be transferred out of the EU to other countries unless their own national data protection laws were adequate in comparison with Europe’s. While many nations were deemed adequate, arguably the most important non-European data transfer target – the US – would never reach an adequacy determination. To repair this breach, the ‘Safe Harbour’ framework was created, stipulating that companies could self-attest that they meet similar levels of data protection as in Europe. Last year saw this problematic solution invalidated by the European Court of Justice, in part because Edward Snowden’s revelations of mass surveillance by the US cast deep suspicion over the possibility of adequacy envisioned under Safe Harbour. Moreover, the Court saw the absence of Europeans’ ability to seek redress in US law for violations of their privacy rights as further complicating the US/EU data transfer relationship. The Safe Harbour invalidation caused the EC to accelerate the genesis of its replacement, dubbed the ‘Privacy Shield.’ This framework, too, is a self-certification regime; indeed, it’s hard to imagine any other type of regime being created.
The issue at the heart of such transatlantic, international policy gyrations is power – specifically, the ability to regulate. That is, once data leaves Europe, it and its recipient custodians are beyond the reach of the originating country’s regulators, who are tasked with ensuring the data protection rights of their citizens. Regulation relies upon, among other things, the ability to inspect and sanction – these abilities stop at a country’s borders, whereas the transport systems for the data being regulated are designed to cross borders at extremely high speeds. So, there is a fundamental tension within the institution of data protection between the prerogatives and powers of nations and the architectural intentions of networked technologies. Nowhere is this more evident than in attempts at international policy-making.
Privacy Shield, whatever its future efficacy, cleverly relies upon co-regulation. In the US, the closest thing to a data protection authority is the Federal Trade Commission (FTC), whose remit includes ‘deceptive and unfair practices.’ Rather than dealing with privacy issues directly, the FTC can sanction companies when they promise to treat data a certain way (via, e.g., a privacy policy) and then fail to behave in line with those promises. To participate in Privacy Shield, companies must declare that they subscribe to several principles, including Notice, Choice, Accountability for Onward Transfers, Subject Access, and Purpose Limitation. This public declaration serves as a promise in the FTC’s eyes, which then gives it purchase to sanction misbehaving companies.
The subject access provision is an example of a European data protection right that does not exist consistently in American law, but here is being extended from Europe into US information policy and then enforced by a US institution. Privacy rights and values, thereby, are evolving through non-legislative means via treaties and administrative policy. While US privacy advocates have criticized the Privacy Shield as being fatally porous [1], its future is still being written, and at least it has the benefit of being creative, forward-looking policy.
Privacy Shield is reliant on ‘institutional momentum’ – over 15 years of prior established policy. Institutional theory says that institutions – in this case, data protection – tend towards durability and stability. Privacy Shield is a recommitment to data protection principles, occurring in an international context. This is a positive evolutionary step; what neo-institutionalist scholar Ronald Jepperson [2] might call “institutional development.” Still, the criticisms of Privacy Shield, and those yet to come, reflect other scholars’ view of institutions as “contested terrains contoured by variation, struggles and relatively temporary truces” [3].
[1] O’Brien, D. and Reitman, R. (2016). The Privacy Shield is Riddled with Surveillance Holes. Electronic Frontier Foundation. https://www.eff.org/deeplinks/2016/03/privacy-shield-riddled-surveillance-holes
[2] Jepperson, R. (1991). Institutions, Institutional Effects, and Institutionalism. In W. Powell & P. DiMaggio (Eds.), The New Institutionalism in Organizational Analysis (pp. 143-163). Chicago: University of Chicago Press.
[3] Greenwood, R., Oliver, C., Sahlin, K. and Suddaby, R. (2008). Introduction. In R. Greenwood, C. Oliver, K. Sahlin & R. Suddaby (Eds.), The SAGE Handbook of Organizational Institutionalism (pp. 1-46). London: SAGE.