Priscilla M. Regan, Privacy and the Common Good: Revisited

Comment by: Kenneth Bamberger

PLSC 2013

Workshop draft abstract:

In Legislating Privacy: Technology, Social Values, and Public Policy (1995), I argued that privacy is not only of value to the individual but also to society in general and I suggested three bases for the social importance of privacy. First that privacy is a common value in that all individuals value some degree of privacy and have some common perceptions about privacy. Second that privacy is a public value in that it has value to the democratic political process. And, third that privacy is a collective value in that technology and market forces are making it hard for any one person to have privacy without all persons having a similar minimum level of privacy.

In this paper, I will first reflect briefly on the major developments that have affected public policy and philosophical thinking about privacy over the last fifteen plus years. Most prominently, these include: (1) the rather dramatic technological changes in online activities including social networking, powerful online search engines, and the quality of the merging of video/data/voice applications; (2) the rise of surveillance activities in the post-9/11 world; and (3) the rapid globalization of cultural, political and economic activities.  As our everyday activities become more interconnected and seemingly similar across national boundaries, interests in privacy and information policies more generally tend also to cross these boundaries and provide a shared public and philosophical bond.

Then, I will turn attention to each of the three bases for the social importance of privacy reviewing the new literature that has furthered philosophical thinking on this topic, including works by Helen Nissenbaum, Beate Roessler, and Valerie Steeves.

Finally, I will revisit my thinking on each of the three philosophical bases for privacy – expanding and refining what I mean by each, examining how each has fared over the last fifteen years, analyzing whether each is still a legitimate and solid basis for the social importance of privacy, and considering whether new bases for privacy’s social importance have emerged today. In this section, I am particularly interested in developing more fully both the logic behind privacy as a collective value and the implications for viewing privacy from that perspective.

Kenneth Bamberger and Deirdre Mulligan, Privacy in Europe: Initial Data on Governance Choices and Corporate Practices

Comment by: Dennis Hirsch

PLSC 2013

Workshop draft abstract:

Privacy governance is at a crossroads.  In light of the digital explosion, policymakers in North America and Europe are revisiting regulation of the corporate treatment of information privacy.  The recent celebration of the thirtieth anniversary of the Organization for Economic Cooperation and Development’s (“OECD”) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,[1] the first international statement of fair information practice principles, sparked an international review of the guidelines to identify areas for revision.  Work by national data privacy regulators reviewing the E.U. Data Protection Directive in turn have suggested alternative regulatory models oriented around outcomes.[2]  The European Commission is actively debating the terms of a new Privacy Regulation.[3]  And Congress, the FTC, and the current U.S. presidential administration have signaled a commitment to deep reexamination of the current regulatory structure, and a desire for new models.[4]

These efforts, however, have lacked critical information necessary for reform.  Scholarship and advocacy around privacy regulation has focused almost entirely on law “on the books”—legal texts enacted by legislatures or promulgated by agencies.  By contrast, the debate has strangely ignored privacy “on the ground” – the ways in which corporations in different countries have operationalized privacy protection in the light of divergent formal laws; interpretive, organizational and enforcement decisions made by local administrative agencies; and other jurisdiction-specific social, cultural and legal forces.

Since 1994, when such a study examined the U.S. privacy landscape,[5] no sustained inquiry has been conducted into how corporations actually manage privacy in the shadow of formal legal mandates.  No one, moreover, has ever engaged in such a comparative inquiry across jurisdictions.  Indeed, despite wide international variation in approach, even the last detailed comparative account of enforcement practices occurred over two decades ago.[6]  Thus policy reform efforts progress largely without a real understanding of the ways in which previous regulatory attempts have actually promoted, or thwarted, privacy’s protection.

This article is the third documenting a project intended to fill this gap – and at a critical juncture.  The project uses qualitative empirical inquiry—including interviews with and surveys of corporate privacy officers, regulators, and other actors within the privacy field—to identify the ways in which privacy protection is implemented on the ground, and the combination of social, market, and regulatory forces that drive these choices.  And it offers a comparative analysis of the effects of different regulatory approaches adopted by a diversity of OECD nations, taking advantage of the living laboratory created by variations in national implementation of data protection, an environment that can support comparative, in-the-wild assessments of their ongoing efficacy and appropriateness.

While the first two articles in this series discussed research documenting the implementation of privacy in the United States,[7] this article presents the first analysis of data of its kind from Europe, reflecting research and interviews in three EU jurisdictions: Germany, Spain, and France.

The article reflects only the first take at this recently-gathered data; the analysis is not comprehensive, and the lessons drawn at this stage are necessarily tentative.  A complete consideration of the research on the privacy experience in five countries (the US, Germany, France, Spain, and the UK) – one which more generally draws lessons for broader research on paradigms for thinking about privacy, the effectiveness of corporate practices informed by those paradigms, and organizational compliance with different forms of regulation and other external norms more generally – will appear in an upcoming book-length treatment.[8]

Yet this article offers as-yet unavailable data about the European privacy landscape at a critical juncture – the moment at which the policymakers are engaged in important decisions about which regulatory structures to expand to all EU member states, and which to leave behind; and about how those individual states will structure the administrative agencies governing data privacy moving forward; and about strategies those agencies will adopt regarding legal enforcement, the development of expertise within both the government and firms, and the ways that other participants within the privacy “field”[9]—the constellation of organizational actors participating in the construction of legal meaning in a particular domain –will (or will not) best be enlisted to shape corporate decisionmaking and ultimately privacy outcomes.

Setting the context for this analysis, Part I of this Article describes the dominant narratives regarding the regulation of privacy in the United States and the European Union – accounts that have occupied privacy scholarship and advocacy for over a decade. Part II summarizes our project to develop more granular accounts of the privacy landscape, and the resulting scholarship’s analyses of privacy “on the ground” in the U.S. Informed by these analyses, Part III presents the results of our research regarding corporate perception and implementation of privacy requirements in three European jurisdictions, Germany, Spain and France, and places them within the theoretical framework regarding emerging best practices in the U.S. Not surprisingly for those familiar with privacy protection in Europe, these results reveal widely varying privacy landscapes, all within the formal governance of a single legal framework: the 1995 EU Privacy Directive. More striking, however, are the granular differences between the European jurisdictions and the similarities in both the language in which privacy is discussed, and the particular mandates and institutions shaping privacy’s governance, the architecture for privacy protection and decisionmaking between German and U.S. firms. This Part then seeks to understand the construction of the privacy “field” that shapes these differing country landscapes.

Such inquiry includes the details of national implementation of the EU directive – including the specificity and type of requirements placed on regulated parties, the content of regulation, with particular attention to the comparative focus on process-based as opposed to substantive mandates, and the use of ex ante guidance as opposed to prosecution and enforcement – as well as the structure and approach of the relevant data protection agency, including the size and organization of the staff, the level to which they rely on technical and legal “experts” inside the agency, rather than inside the companies they regulate; the use of enforcement and inspections; and the manner in which regulators and firms interact more generally. Yet it also includes an understanding of factors beyond privacy regulation itself, including other legal mandates, elements characteristic of national corporate structure, and societal factors, such as the roles of the media and other citizen, industry, labor, or professional organizations that determine the “social license” that governs a corporation’s freedom to act.

Finally, the Article’s Part IV outlines two elements of a new account of privacy’s development, informed by comparative analysis.  First, based on the data from four jurisdictions, it engages in a preliminary analysis regarding which elements of these privacy fields our interviews and other data suggest have fostered, catalyzed and permitted the most adaptive responses in the face of novel challenges to privacy.  Second, it suggests something important about the role of professional networks in the diffusion of practices across jurisdictional lines in the face of important social and technological change.  The adaptability of distinct regulatory approaches and institutions in the face of novel challenges to privacy has never been more important.  Our comparative analysis provides novel insight into the ways that different regulatory choices have interacted with other aspects of the privacy field to shape corporate behavior, offering important insights for all participants in policy debates about the governance of privacy.

[1] See The 30th Anniversary of the OECD Privacy Guidelines, OECD (last visited Jan. 22, 2013).

[2] See, e.g., Neil Robinson et al., RAND Eur., Review of the European Data Protection Directive (2009).

[3] See, e.g., Konrad Lischka & Christian Stöcker, Data Protection: All You Need to Know about the EU Privacy Debate, Spiegel Online (Jan. 18, 2013, 10:15 AM).

[4] See, e.g., Adam Popescu, Congress Sets Sights On Fixing Privacy Rights, readwrite (Jan. 18, 2013); F.T.C. and White House Push for Online Privacy Laws, N.Y. Times, May 10, 2012, at B8; Fed. Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (Mar. 2012).

[5] See H. Jeff Smith, Managing Privacy: Information Technology and Corporate America (1994).

[6] See David H. Flaherty, Protecting Privacy in Surveillance Societies: The Federal Republic of Germany, Sweden, France, Canada, & the United States (1989).

[7] See Kenneth A. Bamberger & Deirdre K. Mulligan, New Governance, Chief Privacy Officers, and the Corporate Management of Information Privacy in the United States: An Initial Inquiry, 33 Law & Pol’y 477 (2011); Kenneth A. Bamberger & Deirdre K. Mulligan, Privacy on the Books and on the Ground, 63 Stan. L. Rev. 247 (2011).

[8] Kenneth A. Bamberger & Deirdre K. Mulligan, Catalyzing Privacy: Lessons From Regulatory Choices and Corporate Decisions on Both Sides of the Atlantic (MIT Press: forthcoming 2014).

[9] See Paul J. DiMaggio & Walter W. Powell, The Iron Cage Revisited: Institutional Isomorphism and Collective Rationality in Organizational Fields, 48 Am. Soc. Rev. 147, 148 (1983) (defining an organizational field as “those organizations that, in the aggregate, constitute a recognized area of institutional life: key suppliers, resource and product consumers, regulatory agencies, and other organizations that produce similar services or products.”); Lauren B. Edelman, Overlapping Fields and Constructed Legalities: The Endogeneity of Law, in Private Equity, Corporate Governance and the Dynamics of Capital Market Regulation 55, 58 (Justin O’Brien ed., 2007) (defining a legal field as “the environment within which legal institutions and legal actors interact and in which conceptions of legality and compliance evolve”).

Deirdre Mulligan & Ken Bamberger, From Privacy on the Books to Privacy on the Ground: the Evolution of a New American Metric

Comment by: Jeff Sovern

PLSC 2009

Published version available here:

Workshop draft abstract:

The sufficiency of U.S. information privacy law is the subject of heated debate.  A majority of privacy scholars and advocates contend that the existing patchwork of U.S. regulation fails to ensure across-the-board conformity with the standard measure of privacy protection: Fair Information Practice Principles (FIPPS) first articulated in the early 1970s.  U.S. law, they argue, further falls far short of the EU’s omnibus privacy regime thereby failing to protect against a variety of privacy based harms.  A smaller group of scholars similarly fault the U.S. for latching onto a watered-down version of FIPPS that emphasizes the procedural requirements of notice and individual choice to the exclusion of a substantive consideration of the harms and benefits to society as a whole that result from flows of personal information, and in the process created bureaucracy in lieu of privacy protection.

These critiques’ positive claims regarding U.S. law’s departure from FIPPS are largely true. Yet, we argue, these debates generate far more heat than light as to the question of what laws provide meaningful privacy protection. The emphasis on measuring U.S. privacy protection by the FIPPS metric simply misses the mark: focusing on a largely procedural standard offers limited utility in guiding corporate decisionmaking to protect privacy. It thus ignores important shifts in the conception of privacy—and therefore, perhaps, how the success of its protection should be assessed—in the United States.

This paper—the first in a series drawing on a qualitative empirical study of privacy practices in U.S. corporations—argues instead that FIPPS no longer represents either the exclusive goal of U.S. privacy policy or the sole metric appropriate for assessing privacy protection.  By contrast, this article demonstrates that U.S. information privacy policy over the last decade, as understood by both regulators and those firms implementing privacy measures through regulatory compliance, evidences a second—and very “American”—definition of informational privacy.  As demonstrated both by the institutional choices regarding privacy regulation and by qualitative data regarding corporate privacy practices, informational privacy protection in the U.S. today is rooted, not in fair notice and process, but in substantive notions of consumer expectations and consumer harm.  The corporate practices resulting from the “expectations and harm” definition of privacy, in turn, often offer the promise of far greater substantive privacy protection than any FIPPS regime could provide.

This initial effort to inquire as to how the form and oversight structure of information privacy law influences its implementation and effect illustrates the value of “holistic evaluation(s) of privacy protection systems” recommended by Charles Raab.  Looking at rights and obligations on paper is insufficient to guide policy: better privacy protection requires analysis of how law works in the wild.