Deirdre Mulligan & Ken Bamberger, From Privacy on the Books to Privacy on the Ground: the Evolution of a New American Metric
Comment by: Jeff Sovern
Published version available here: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1568385
Workshop draft abstract:
The sufficiency of U.S. information privacy law is the subject of heated debate. A majority of privacy scholars and advocates contend that the existing patchwork of U.S. regulation fails to ensure across-the-board conformity with the standard measure of privacy protection: Fair Information Practice Principles (FIPPS) first articulated in the early 1970s. U.S. law, they argue, further falls far short of the EU’s omnibus privacy regime thereby failing to protect against a variety of privacy based harms. A smaller group of scholars similarly fault the U.S. for latching onto a watered-down version of FIPPS that emphasizes the procedural requirements of notice and individual choice to the exclusion of a substantive consideration of the harms and benefits to society as a whole that result from flows of personal information, and in the process created bureaucracy in lieu of privacy protection.
These critiques’ positive claims regarding U.S. law’s departure from FIPPS are largely true. Yet, we argue, these debates generates far more heat than light as to the question of what laws provide meaningful privacy protection. The emphasis on measuring U.S. privacy protection by the FIPPS metric simply misses the mark, focusing on a largely procedural standard offers limited utility in guiding corporate decisionmaking to protect privacy. It thus ignores important shifts in the conception of privacy—and therefore, perhaps, how the success of its protection should be assessed—in the United States.
This initial effort to inquire as to how the form and oversight structure of information privacy law influences its implementation and effect illustrates the value of “holistic evaluation(s) of privacy protection systems” recommended by Charles Raab. Looking at rights and obligations on paper is insufficient to guide policy: better privacy protection requires analysis of how law works in the wild.