Kenneth Bamberger and Deirdre Mulligan, Privacy in Europe: Initial Data on Governance Choices and Corporate Practices

Comment by: Dennis Hirsch

PLSC 2013

Workshop draft abstract:

Privacy governance is at a crossroads.  In light of the digital explosion, policymakers in North America and Europe are revisiting regulation of the corporate treatment of information privacy.  The recent celebration of the thirtieth anniversary of the Organization for Economic Cooperation and Development’s (“OECD”) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,[1] the first international statement of fair information practice principles, sparked an international review of the guidelines to identify areas for revision.  Work by national data privacy regulators reviewing the E.U. Data Protection Directive in turn have suggested alternative regulatory models oriented around outcomes.[2]  The European Commission is actively debating the terms of a new Privacy Regulation.[3]  And Congress, the FTC, and the current U.S. presidential administration have signaled a commitment to deep reexamination of the current regulatory structure, and a desire for new models.[4]

These efforts, however, have lacked critical information necessary for reform.  Scholarship and advocacy around privacy regulation has focused almost entirely on law “on the books”—legal texts enacted by legislatures or promulgated by agencies.  By contrast, the debate has strangely ignored privacy “on the ground” – the ways in which corporations in different countries have operationalized privacy protection in the light of divergent formal laws; interpretive, organizational and enforcement decisions made by local administrative agencies; and other jurisdiction-specific social, cultural and legal forces.

Since 1994, when such a study examined the U.S. privacy landscape,[5] no sustained inquiry has been conducted into how corporations actually manage privacy in the shadow of formal legal mandates.  No one, moreover, has ever engaged in such a comparative inquiry across jurisdictions.  Indeed, despite wide international variation in approach, even the last detailed comparative account of enforcement practices occurred over two decades ago.[6]  Thus policy reform efforts progress largely without a real understanding of the ways in which previous regulatory attempts have actually promoted, or thwarted, privacy’s protection.

This article is the third documenting a project intended to fill this gap – and at a critical juncture.  The project uses qualitative empirical inquiry—including interviews with and surveys of corporate privacy officers, regulators, and other actors within the privacy field—to identify the ways in which privacy protection is implemented on the ground, and the combination of social, market, and regulatory forces that drive these choices.  And it offers a comparative analysis of the effects of different regulatory approaches adopted by a diversity of OECD nations, taking advantage of the living laboratory created by variations in national implementation of data protection, an environment that can support comparative, in-the-wild assessments of their ongoing efficacy and appropriateness.

While the first two articles in this series discussed research documenting the implementation of privacy in the United States,[7] this article presents the first analysis of data of its kind from Europe, reflecting research and interviews in three EU jurisdictions: Germany, Spain, and France.

The article reflects only the first take at this recently-gathered data; the analysis is not comprehensive, and the lessons drawn at this stage are necessarily tentative.  A complete consideration of the research on the privacy experience in five countries (the US, Germany, France, Spain, and the UK) – one which more generally draws lessons for broader research on paradigms for thinking about privacy, the effectiveness of corporate practices informed by those paradigms, and organizational compliance with different forms of regulation and other external norms more generally – will appear in an upcoming book-length treatment.[8]

Yet this article offers as-yet unavailable data about the European privacy landscape at a critical juncture – the moment at which the policymakers are engaged in important decisions about which regulatory structures to expand to all EU member states, and which to leave behind; and about how those individual states will structure the administrative agencies governing data privacy moving forward; and about strategies those agencies will adopt regarding legal enforcement, the development of expertise within both the government and firms, and the ways that other participants within the privacy “field”[9]—the constellation of organizational actors participating in the construction of legal meaning in a particular domain –will (or will not) best be enlisted to shape corporate decisionmaking and ultimately privacy outcomes.

Setting the context for this analysis, Part I of this Article describes the dominant narratives regarding the regulation of privacy in the United States and the European Union – accounts that have occupied privacy scholarship and advocacy for over a decade. Part II summarizes our project to develop more granular accounts of the privacy landscape, and the resulting scholarship’s analyses of privacy “on the ground” in the U.S.  Informed by these analyses, Part III presents the results of our research regarding corporate perception and implementation of privacy requirements in three European jurisdictions, Germany, Spain and France, and places them within the theoretical framework regarding emerging best practices in the U.S.  Not surprisingly for those familiar with privacy protection in Europe, these results reveal widely varying privacy landscapes, all within the formal governance of a single legal framework: the 1995 EU Privacy Directive.  More striking, however, are the granular differences between the European jurisdictions, and the similarities between German and U.S. firms in both the language in which privacy is discussed and the particular mandates and institutions shaping privacy’s governance, the architecture for privacy protection and decisionmaking. This Part then seeks to understand the construction of the privacy “field” that shapes these differing country landscapes.
Such inquiry includes the details of national implementation of the EU directive – including the specificity and type of requirements placed on regulated parties, the content of regulation, with particular attention to the comparative focus on process-based as opposed to substantive mandates, and the use of ex ante guidance as opposed to prosecution and enforcement – as well as the structure and approach of the relevant data protection agency, including the size and organization of the staff, the level to which they rely on technical and legal “experts” inside the agency, rather than inside the companies they regulate; the use of enforcement and inspections; and the manner in which regulators and firms interact more generally.  Yet it also includes an understanding of factors beyond privacy regulation itself, including other legal mandates, elements characteristic of national corporate structure, and societal factors, such as the roles of the media and other citizen, industry, labor, or professional organizations that determine the “social license” that governs a corporation’s freedom to act.

Finally, the Article’s Part IV outlines two elements of a new account of privacy’s development, informed by comparative analysis.  First, based on the data from four jurisdictions, it engages in a preliminary analysis regarding which elements of these privacy fields our interviews and other data suggest have fostered, catalyzed and permitted the most adaptive responses in the face of novel challenges to privacy.  Second, it suggests something important about the role of professional networks in the diffusion of practices across jurisdictional lines in the face of important social and technological change.  The adaptability of distinct regulatory approaches and institutions in the face of novel challenges to privacy has never been more important.  Our comparative analysis provides novel insight into the ways that different regulatory choices have interacted with other aspects of the privacy field to shape corporate behavior, offering important insights for all participants in policy debates about the governance of privacy.

[1] See The 30th Anniversary of the OECD Privacy Guidelines, OECD, (last visited Jan. 22, 2013).

[2] See, e.g., Neil Robinson et al., RAND Eur., Review of the European Data Protection Directive (2009).

[3] See, e.g., Konrad Lischka & Christian Stöcker, Data Protection: All You Need to Know about the EU Privacy Debate, Spiegel Online (Jan. 18, 2013, 10:15 AM),

[4] See, e.g., Adam Popescu, Congress Sets Sights On Fixing Privacy Rights, readwrite (Jan. 18, 2013),; F.T.C. and White House Push for Online Privacy Laws, N.Y. Times, May 10, 2012, at B8, available at; Fed. Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (Mar. 2012), available at

[5] See H. Jeff Smith, Managing Privacy: Information Technology and Corporate America (1994).

[6] See David H. Flaherty, Protecting Privacy in Surveillance Societies: The Federal Republic of Germany, Sweden, France, Canada, & the United States (1989).

[7] See Kenneth A. Bamberger & Deirdre K. Mulligan, New Governance, Chief Privacy Officers, and the Corporate Management of Information Privacy in the United States: An Initial Inquiry, 33 Law & Pol’y 477 (2011); Kenneth A. Bamberger & Deirdre K. Mulligan, Privacy on the Books and on the Ground, 63 Stan. L. Rev. 247 (2011).

[8] Kenneth A. Bamberger & Deirdre K. Mulligan, Catalyzing Privacy: Lessons From Regulatory Choices and Corporate Decisions on Both Sides of the Atlantic (MIT Press: forthcoming 2014).

[9] See Paul J. DiMaggio & Walter W. Powell, The Iron Cage Revisited: Institutional Isomorphism and Collective Rationality in Organizational Fields, 48 Am. Soc. Rev. 147, 148 (1983) (defining an organizational field as “those organizations that, in the aggregate, constitute a recognized area of institutional life: key suppliers, resource and product consumers, regulatory agencies, and other organizations that produce similar services or products.”); Lauren B. Edelman, Overlapping Fields and Constructed Legalities: The Endogeneity of Law, in Private Equity, Corporate Governance and the Dynamics of Capital Market Regulation 55, 58 (Justin O’Brien ed., 2007) (defining a legal field as “the environment within which legal institutions and legal actors interact and in which conceptions of legality and compliance evolve”).

Professor Dennis Hirsch, Dutch Treat? The Collaborative Dutch Approach to Privacy Regulation and the Lessons it Holds for U.S. Privacy Law and Policy

Comment by: Nikolaus Peifer

PLSC 2012

Workshop draft abstract:

In 2010, I served as a Fulbright Senior Professor at the University of Amsterdam.  I studied a cooperative Dutch form of privacy regulation known as “enforceable codes of conduct” in which industry and government negotiate and agree upon the rules that will govern business behavior.  As I explain below, the U.S. Congress is currently considering privacy legislation that would build a similar approach into U.S. law.  In my paper I will, for the first time, report the findings from my research.  I will then draw on these findings to shed light on and develop recommendations for the U.S. legislative proposals.

The Dutch “code of conduct” approach to privacy regulation (also called the “safe harbor” approach) begins with a statute, the Data Protection Act.  This law creates broad requirements applicable to all commercial entities.  Industry associations then draft implementing rules—the codes of conduct—that spell out how these broad requirements apply to their particular sector, and submit these rules to the Data Protection Authority.  The Authority reviews the rules, negotiates them with the industry and, when it is comfortable that they correctly implement the statutory requirements, approves them.  Firms that follow an approved set of rules are deemed to be in compliance with the statute and enjoy a legal safe harbor (hence the other name for this regulatory method).   The code of conduct approach differs significantly from traditional, administrative rulemaking because it intentionally allows industry, not regulators, to draft the rules and then requires government and industry to negotiate and reach an agreement on them.

Proponents of this approach maintain that getting industry directly involved in the drafting process can yield rules that are more tailored to business realities, more workable, and ultimately more effective at protecting personal information than traditional, government-designed regulations.  They argue that industry-government collaboration is especially needed in areas such as privacy regulation where technologies and business models change so rapidly that regulators often cannot keep up on their own.  Critics, on the other hand, contend that industry will write rules that favor its interests over the public’s; that the agency approval process will not sufficiently check this tendency; and that the approach will accordingly yield lenient rules that fail to protect personal information adequately.  In my research on the Dutch program, I conducted face-to-face interviews with industry representatives and government officials who drafted and negotiated the codes, and with privacy advocates and academics who have lived with and studied them.  I sought to learn what the Dutch experience could teach us about the merits of this regulatory method, and about the best practices for program design.

My Fulbright research is directly relevant to current developments in U.S. privacy law.  In 2010, the Department of Commerce published an important Green Paper on Internet privacy regulation that proposed using “enforceable, FTC-approved codes of conduct” to flesh out broad statutory requirements.[1]  Congress is headed in the same direction.  Currently, three bills propose comprehensive regulation of private sector use of personal information.  All three would give the code of conduct/safe harbor approach an important place in the regulatory scheme.[2] These developments suggest that negotiated, enforceable codes of conduct may soon become a central component of U.S. privacy regulation.  As the privacy bills make their way through the legislative process, those involved in the field should know something about the merits and realities of this regulatory approach and about the best practices for program design.  The Dutch pioneered this form of privacy regulation and their twenty-two year experience with it provides a wealth of information about it.

My paper will publish the results of my research on the Dutch codes of conduct.  It will explore whether the Dutch experience provides reason to be optimistic, or pessimistic, about the enforceable code of conduct approach and will identify lessons for program design.  Based on these findings, it will make normative recommendations as to whether U.S. privacy legislation should employ the code of conduct approach and, if so, how it should structure such a program.   It is my hope that this paper will inform and ultimately influence the crucial policy debate on how best to protect personal information.

[1] Department of Commerce, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework 41-44 (2010).

[2] See Commercial Privacy Bill of Rights Act, S. 799, 112th Cong., tit. V, §§ 501, 502 (2011); Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act (“BEST PRACTICES” Act), H.R. 611, 112th Cong. tit. 4, §§ 401-404 (2011); Consumer Privacy Protection Act, H.R. 1528, 112th Cong. § 9 (2011).