The Governance Of Privacy: policy instruments in global perspective
Colin J. Bennett and Charles D. Raab

Part one - policy goals

The Privacy Paradigm
Society as comprising relatively autonomous individuals

The Privacy Paradigm
“..The democratic society relies on publicity as a control over government, and on privacy as a shield for group and individual life..” (Westin)

The Privacy Paradigm
Privacy is described in the literature as an eroding, dying right.

The Privacy Paradigm - Four Assumptions
First assumption: Privacy is a highly subjective value - concerns vary over time, place, gender and so on.

The Privacy Paradigm - Four Assumptions
Second assumption: Personal information cannot be easily regarded as a property right.
Third assumption: Data security is a necessary but not a sufficient condition for information privacy.

The Privacy Paradigm - Four Assumptions
Fourth assumption: The focus of protection should be the individual, rather than some other entity.

Those shared assumptions have had widespread policy implications.

The "Fair Information Principles" Doctrine
Data controllers' norms for the collection, retention, use and disclosure of personal information.
Appear either explicitly or implicitly within all national data protection laws, voluntary codes, and international agreements.

The "Fair Information Principles" Doctrine
An Organization…
• Must be accountable for all personal information within its possession.
• Should identify the purposes for which the information is processed.
• Should only collect information with the knowledge and consent of the individual.

The "Fair Information Principles" Doctrine
An Organization…
• Should limit the collection of information to that which is necessary.
• Should not use or disclose information for purposes other than those identified.
• Should retain information only as long as necessary.

The "Fair Information Principles" Doctrine
An Organization…
• Should ensure that the information is kept accurate, complete and up to date.
• Should protect personal information with appropriate security safeguards.
• Should be open about its policies and practices and maintain no secret information system.

The "Fair Information Principles" Doctrine
An Organization…
• Should allow data subjects to access their personal information, with an ability to amend it.

These principles are relative and must be balanced.

Major Critiques Of The Privacy Paradigm
Posner: who wants to be left alone? The ones who have most to hide..
Democratic theory - the test of democracy is the degree of participation and community consciousness.

Privacy Protection As Social Policy
By failing to consider the social distribution of privacy (“who gets what privacy”) the conventional discourse has produced a gap in both understanding of privacy protection and the ability of public policy to be applied effectively.

Privacy Protection As Social Policy
The privacy paradigm and the “data subject”: Conceives of people as undifferentiated “data subjects”.
The distribution of privacy and the policy agenda: Distribution method - privacy "haves" and "have-nots".

Privacy Protection As Trust Promotion And Risk Management
The contemporary status: privacy is only seen as one value among others. It can be balanced against competing values and interests.

Privacy Protection As Trust Promotion And Risk Management
Trust and the use of personal data: There is an emerging international consensus on the importance of trust in modern information technologies.

Privacy Protection As Trust Promotion And Risk Management
Conclusion - trust, risk and policy: the writers still can't fully understand the relationship between privacy protection and the management of risk.

Policy Instruments in the Data Protection Landscape:
• Transnational
• Legal
  * much of the domestic policy has been a response to transnational initiatives.
• Self-regulatory
• Technological

Transnational Policy Instruments:
• Intense activity at the beginning of the 21st century.
• Impact on the development of policies and practices of public and private sector.
• Process of policy convergence.
• Elite network of experts in pioneering states.

1960s Committee of Experts
1970 Resolutions
1980 Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data
Model Contract Data Flow (obligations of licensor & licensee)
1981 Guidelines on the Protection of Personal Privacy and Transborder Flows of Personal Data
1985 Declaration on Transborder Data Flows
1992 Guidelines on Security of Information Systems
1997 Guidelines for Cryptography Policy
1995 Directive on the Protection of Personal Data with Regard to the Processing of Personal Data and on the Free Movement of Such Data
2003 Asia Pacific Privacy Charter Council
2004 Privacy Framework

International Standards Arena
• Gap in enforcement process = response by standard setting and certification bodies.
• Quality Management.
• Experience in "levels of compliance"
• Registration to a standard = regular auditing and more certainty.
• Canadian Influence - "Model Code for the Protection of Personal Information" CSA 1996
• ISO 17799 (2000)
• CEN/ISSS (2000) three paths: compliance with EU directives, Sector-specific (e.g. Health) & HR.
• Wroclaw Resolution (2004) standard = tool for compliance to legal requirements.
• High level of resistance by businesses.

World Trade Organization
• Privacy protection became a trade-related issue, therefore arena is most likely to be addressed in the future.
• Extraterritorial provisions in EU directive could be seen as non-tariff trade barriers
• Argument that EU firms would feel more comfortable dealing with domestic companies
• GATS: equal treatment
• Arena is relevant since most countries have trans-border data flow policies and disputes could arise between trade partners.

Level of policy convergence
• Fundamental principles
• Alternatives to implementation
• Role of supervising authorities
• Distinct visions of democratic governance
• Role of the state in protecting the rights of citizens
• Ability of market to assure fair treatment

Overlapping functions of International Instruments
Over time they have acted as:
• Instruments of harmonization
• Exemplars/pressure to other nonadopters
• Penetrative force: economic consequences & influence on business and governments to protect domestic industries.

1970s / 1980s / 1990s / 2000s
Western Europe: Sweden, W. Germany, Denmark, Austria, France, Norway, Luxembourg, Iceland, UK, Finland, Ireland, Netherlands, Portugal, Spain, Switzerland, Belgium, Monaco, Italy, Greece
East & Central Europe: Slovenia, Hungary, Czech Republic, Russia, Estonia, Lithuania, Poland, Slovak Republic, Latvia
North America: United States, Canada, Canada
South America: Chile, Argentina
Australasia: Australia
Middle East & Asia: Israel, Japan, South Korea, Hong Kong, Taiwan, Thailand, Japan

What is regulation?
Regulation does not only include government command and control but also legal requirements, application and other tools.
• Privacy Principles to Privacy Laws
• Privacy Principles that Empower (access, knowledge, correct, take action)
• Principles that impose obligations to controllers (notifications, registers, etc)
• Overview of Data Protection (various countries, different approaches)
• Sectoral Data Protection
• Oversight and Enforcement (ombudsmen, auditors, consultants, educators, negotiators, enforcers)

Influence of EU directive on local legislation
“Safe Harbor Privacy Principles”
US companies can opt in as long as they adhere to 7 principles: Notice, Choice, Onward Transfer, Security, Data Integrity, Access, Enforcement.

Privacy codes of practice

Privacy standards

Privacy Seals

The safe harbor agreement

IMPACT EVALUATION
• Evaluation of regimes of privacy protection (international instruments, laws, codes, commitments, technologies + other)
• Evaluation of their impact, i.e. their effects on protecting individual privacy (individually and together)

Currently used methods of evaluation
• Comparison across regimes and instruments (Germany/France - strong vs United States - weak)
• Data protection laws are better than allowing the market to regulate it
Increasingly important for: data controllers, individuals, regulatory officials, variety of interest groups who have a stake in the control of information systems

MAIN ISSUES
1. Why evaluate data protection?
2. What are the fundamental goals of data protection policy?
3. By what criteria should these processes be evaluated?
4. On what functions and actors should evaluation focus & with what measures?
5. What facilitates and obstructs evaluation?

Why evaluate data protection
1. Public accountability
2. Making comparisons
3. A tool for management and policy
4. A tool for policy analysis and formation

Fundamental goals of data protection
1. Protecting privacy
2. Promoting good computing practices
3. “Balance” between the two

What criteria?

Functions/actors/measures
1. The law
2. Performance of the implementation machinery
3. Performance of data controllers
4. Performance of data subjects
5. Data protection system as a whole

Facilitators
• Dominant policy and legal clarity
• Dominant regulatory agency
• Explicit agency activities
• Developing tradition of accountability

Obstructors
• Unclear and multiple policy objectives
• Conflicting interests
• Unclear time frame & targets
• Multiple issues & blurred boundaries
• Uncertainty about who should do the evaluation

International privacy protection
Why bother?

Theories of impact of globalization on government regulation
1. Race to the bottom
2. Race to the bottom, but…
3. Race to the top (Trading-Up)

Race to the bottom
Higher investment in the local economy; employment < Public good that could be achieved via regulations, e.g.: clean air, higher workplace standards, greater protection for personal privacy of the citizens
Necessary conditions:
1. MOBILITY
2. DIVERSITY OF REGULATIONS

Evidence for race to bottom
• Canada faced with the dilemma whether to align with the EU Directive or weaker protection standards of the US (Canada’s greatest trading partner); Manitoba vs Dept. of Industry – request for an independent study on the impact of the stricter laws on the US-Canada trade and more
• Move of some industries to the Caribbean – tax-related! not privacy
No R2B, no escape from the advanced industrial states for privacy-related reasons!

Race to the bottom, but… conditional
Depends on domestic political and economic constraints:
• Internal structure and dynamics of various industries
• Structure of international economy (size and openness)
• Political and social activism

Race to the top (trading-up)
• Compatible regulations facilitate trade & access to markets
• Harmonized regulations lower the production cost
BUT Process standards are harder to enforce outside of borders (e.g. privacy protection)

Evidence for trading-up
• EU Data Protection Directive led by Germany and France (+ collective memory of the totalitarian and/or authoritarian regime enhances the value for privacy to the public = emotional appeal)
• Strength of EU market helps EU authority (even vs US)
• Fears of R2B help R2T (offshore data havens)
• WTO rules provide data privacy exemption in the context of restricting imports
• Privacy advocates were able to use EU Directive as leverage to force domestic regulators and business to raise standards

Governance of privacy in the risk society
Security vs Privacy