Professor Dennis Hirsch, Dutch Treat? The Collaborative Dutch Approach to Privacy Regulation and the Lessons it Holds for U.S. Privacy Law and Policy
Comment by: Nikolaus Peifer
Workshop draft abstract:
In 2010, I served as a Fulbright Senior Professor at the University of Amsterdam. I studied a cooperative Dutch form of privacy regulation known as “enforceable codes of conduct” in which industry and government negotiate and agree upon the rules that will govern business behavior. As I explain below, the U.S. Congress is currently considering privacy legislation that would build a similar approach into U.S. law. In my paper I will, for the first time, report the findings from my research. I will then draw on these findings to shed light on and develop recommendations for the U.S. legislative proposals.
The Dutch “code of conduct” approach to privacy regulation (also called the “safe harbor” approach) begins with a statute, the Data Protection Act. This law creates broad requirements applicable to all commercial entities. Industry associations then draft implementing rules—the codes of conduct—that spell out how these broad requirements apply to their particular sector, and submit these rules to the Data Protection Authority. The Authority reviews the rules, negotiates them with the industry and, when it is comfortable that they correctly implement the statutory requirements, approves them. Firms that follow an approved set of rules are deemed to be in compliance with the statute and enjoy a legal safe harbor (hence the other name for this regulatory method). The code of conduct approach differs significantly from traditional, administrative rulemaking because it intentionally allows industry, not regulators, to draft the rules and then requires government and industry to negotiate and reach an agreement on them.
Proponents of this approach maintain that getting industry directly involved in the drafting process can yield rules that are more tailored to business realities, more workable, and ultimately more effective at protecting personal information than traditional, government-designed regulations. They argue that industry-government collaboration is especially needed in areas such as privacy regulation where technologies and business models change so rapidly that regulators often cannot keep up on their own. Critics, on the other hand, contend that industry will write rules that favor its interests over the public’s; that the agency approval process will not sufficiently check this tendency; and that the approach will accordingly yield lenient rules that fail to protect personal information adequately. In my research on the Dutch program, I conducted face-to-face interviews with industry representatives and government officials who drafted and negotiated the codes, and with privacy advocates and academics who have lived with and studied them. I sought to learn what the Dutch experience could teach us about the merits of this regulatory method, and about the best practices for program design.
My Fulbright research is directly relevant to current developments in U.S. privacy law. In 2010, the Department of Commerce published an important Green Paper on Internet privacy regulation that proposed using “enforceable, FTC-approved codes of conduct” to flesh out broad statutory requirements. Congress is headed in the same direction. Currently, three bills propose comprehensive regulation of private sector use of personal information. All three would give the code of conduct/safe harbor approach an important place in the regulatory scheme. These developments suggest that negotiated, enforceable codes of conduct may soon become a central component of U.S. privacy regulation. As the privacy bills make their way through the legislative process, those involved in the field should know something about the merits and realities of this regulatory approach and about the best practices for program design. The Dutch pioneered this form of privacy regulation and their twenty-two year experience with it provides a wealth of information about it.
My paper will publish the results of my research on the Dutch codes of conduct. It will explore whether the Dutch experience provides reason to be optimistic, or pessimistic, about the enforceable code of conduct approach and will identify lessons for program design. Based on these findings, it will make normative recommendations as to whether U.S. privacy legislation should employ the code of conduct approach and, if so, how it should structure such a program. It is my hope that this paper will inform and ultimately influence the crucial policy debate on how best to protect personal information.
 Department of Commerce, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework 41-44 (2010).
 See Commercial Privacy Bill of Rights Act, S. 799, 112th Cong., tit. V, §§ 501, 502 (2011); Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act (“BEST PRACTICES” Act), H.R. 611, 112th Cong. tit. 4, §§ 401-404 (2011); Consumer Privacy Protection Act, H.R. 1528, 112th Cong. § 9 (2011).