Kenneth Bamberger and Deirdre Mulligan, Privacy in Europe: Initial Data on Governance Choices and Corporate Practices
Comment by: Dennis Hirsch
Workshop draft abstract: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2328877
Privacy governance is at a crossroads. In light of the digital explosion, policymakers in North America and Europe are revisiting regulation of the corporate treatment of information privacy. The recent celebration of the thirtieth anniversary of the Organization for Economic Cooperation and Development’s (“OECD”) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, the first international statement of fair information practice principles, sparked an international review of the guidelines to identify areas for revision. Work by national data privacy regulators reviewing the E.U. Data Protection Directive in turn have suggested alternative regulatory models oriented around outcomes. The European Commission is actively debating the terms of a new Privacy Regulation. And Congress, the FTC, and the current U.S. presidential administration have signaled a commitment to deep reexamination of the current regulatory structure, and a desire for new models.
These efforts, however, have lacked critical information necessary for reform. Scholarship and advocacy around privacy regulation has focused almost entirely on law “on the books”—legal texts enacted by legislatures or promulgated by agencies. By contrast, the debate has strangely ignored privacy “on the ground” – the ways in which corporations in different countries have operationalized privacy protection in the light of divergent formal laws; interpretive, organizational and enforcement decisions made by local administrative agencies; and other jurisdiction-specific social, cultural and legal forces.
Since 1994, when such a study examined the U.S. privacy landscape, no sustained inquiry has been conducted into how corporations actually manage privacy in the shadow of formal legal mandates. No one, moreover, has ever engaged in such a comparative inquiry across jurisdictions. Indeed, despite wide international variation in approach, even the last detailed comparative account of enforcement practices occurred over two decades ago. Thus policy reform efforts progress largely without a real understanding of the ways in which previous regulatory attempts have actually promoted, or thwarted, privacy’s protection.
This article is the third documenting a project intended to fill this gap – and at a critical juncture. The project uses qualitative empirical inquiry—including interviews with and surveys of corporate privacy officers, regulators, and other actors within the privacy field—to identify the ways in which privacy protection is implemented on the ground, and the combination of social, market, and regulatory forces that drive these choices. And it offers a comparative analysis of the effects of different regulatory approaches adopted by a diversity of OECD nations, taking advantage of the living laboratory created by variations in national implementation of data protection, an environment that can support comparative, in-the-wild assessments of their ongoing efficacy and appropriateness.
While the first two articles in this series discussed research documenting the implementation of privacy in the United States, this article presents the first analysis of data of its kind from Europe, reflecting research and interviews in three EU jurisdictions: Germany, Spain, and France.
The article reflects only the first take at this recently-gathered data; the analysis is not comprehensive, and the lessons drawn at this stage are necessarily tentative. A complete consideration of the research on the privacy experience in five countries (the US, Germany, France, Spain, and the UK) – one which more generally draws lessons for broader research on paradigms for thinking about privacy, the effectiveness of corporate practices informed by those paradigms, and organizational compliance with different forms of regulation and other external norms more generally – will appear in an upcoming book-length treatment.
Yet this article offers as-yet unavailable data about the European privacy landscape at a critical juncture – the moment at which the policymakers are engaged in important decisions about which regulatory structures to expand to all EU member states, and which to leave behind; and about how those individual states will structure the administrative agencies governing data privacy moving forward; and about strategies those agencies will adopt regarding legal enforcement, the development of expertise within both the government and firms, and the ways that other participants within the privacy “field”—the constellation of organizational actors participating in the construction of legal meaning in a particular domain –will (or will not) best be enlisted to shape corporate decisionmaking and ultimately privacy outcomes.
Setting the context for this analysis, Part I of this Article describes the dominant narratives regarding the regulation of privacy in the United States and the Europe Union – accounts that have occupied privacy scholarship and advocacy for over a decade. Part II summarizes our project to develop more granular accounts of the privacy landscape, and the resulting scholarship’s analyses of privacy “on the ground” in the U.S. Informed by these analyses, Part III presents the results of our research regarding corporate perception and implementation of privacy requirements in three European jurisdictions, Germany, Spain and France, and placing them within the theoretical framework regarding emerging best practices in the U.S. Not surprisingly for those familiar with privacy protection in the Europe, these results reveal widely varying privacy landscapes, all within the formal governance of a single legal framework: the 1995 EU Privacy Directive. More striking, however, are the granular differences between the European jurisdictions and the similarities in both the language in which privacy is discussed, and the particular mandates and institutions shaping privacy’s governance, the architecture for privacy protection and decisionmaking between German and U.S. firms. This Part then seeks to understand the construction of the privacy “field” that shapes these differing country landscapes. Such inquiry includes the details of national implementation of the EU directive – including the specificity and type of requirements placed on regulated parties, the content of regulation, with particular attention to the comparative focus on process-based as opposed to substantive mandates, and the use of ex ante guidance as opposed to prosecution and enforcement – as well as the structure and approach of the relevant data protection agency, including the size and organization of the staff, the level to which they rely on technical and legal “experts” inside the agency, rather than inside the companies they regulate; the use of enforcement and inspections; and the manner in which regulators and firms interact more generally. Yet it also includes an understanding of factors beyond privacy regulation itself, including other legal mandates, elements characteristic of national corporate structure, and societal factors, such as the roles of the media and other citizen, industry, labor, or professional organizations that determine the “social license” that governs a corporation’s freedom to act.
Finally, the Article’s Part IV outlines two elements of a new account of privacy’s development, informed by comparative analysis. First, based on the data from four jurisdictions, it engages in a preliminary analysis regarding which elements of these privacy fields our interviews and other data suggest have fostered, catalyzed and permitted the most adaptive responses in the face of novel challenges to privacy. Second, it suggests something important about the role of professional networks in the diffusion of practices across jurisdictional lines in the face of important social and technological change. The adaptability of distinct regulatory approaches and institutions in the face of novel challenges to privacy has never been more important. Our comparative analysis provides novel insight into the ways that different regulatory choices have interacted with other aspects of the privacy field to shape corporate behavior, offering important insights for all participants in policy debates about the governance of privacy.
 See, e.g., Neil Robinson et al., RAND Eur., Review of the European Data Protection Directive (2009).
 See, e.g., Konrad Lischka & Christian Stöcker, Data Protection: All You Need to Know about the EU Privacy Debate, Spiegel Online (Jan. 18, 2013, 10:15 AM), http://www.spiegel.de/international/europe/the-european-union-closes-in-on-data-privacy-legislation-a-877973.html.
 See, e.g., Adam Popescu, Congress Sets Sights On Fixing Privacy Rights, readwrite (Jan. 18, 2013), http://readwrite.com/2013/01/18/new-congress-privacy-agenda-unvelied; F.T.C. and White House Push for Online Privacy Laws, N.Y. Times, May 10, 2012, at B8, available at http://www.nytimes.com/2012/05/10/business/ftc-and-white-house-push-for-online-privacy-laws.html?_r=0; Fed. Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (Mar. 2012), available at http://www.ftc.gov/os/2012/03/120326privacyreport.pdf.
 See H. Jeff Smith, Managing Privacy: Information Technology and Corporate America (1994).
 See David H. Flaherty, Protecting Privacy in Surveillance Societies: The Federal Republic of Germany, Sweden, France, Canada, & the United States (1989).
 See Kenneth A. Bamberger & Deirdre K. Mulligan, New Governance, Chief Privacy Officers, and the Corporate Management of Information Privacy in the United States: An Initial Inquiry, 33 Law & Pol’y 477 (2011); Kenneth A. Bamberger & Deirdre K. Mulligan, Privacy on the Books and on the Ground, 63 Stan. L. Rev. 247 (2011).
 Kenneth A. Bamberger & Deirdre K. Mulligan, Catalyzing Privacy: Lessons From Regulatory Choices and Corporate Decisions on Both Sides of the Atlantic (MIT Press: forthcoming 2014)
. See Paul J. DiMaggio & Walter W. Powell, The Iron Cage Revisited: Institutional Isomorphism and Collective Rationality in Organizational Fields, 48 Am. Soc. Rev. 147, 148 (1983) (defining an organizational field as “those organizations that, in the aggregate, constitute a recognized area of institutional life: key suppliers, resource and product consumers, regulatory agencies, and other organizations that produce similar services or products.”); Lauren B. Edelman, Overlapping Fields and Constructed Legalities: The Endogeneity of Law, in Private Equity, Corporate Governance and the Dynamics of Capital Market Regulation 55, 58 (Justin O’Brien ed., 2007) (defining a legal field as “the environment within which legal institutions and legal actors interact and in which conceptions of legality and compliance evolve”).