Privacy law is suffering from a midlife crisis. Despite well-recognized tectonic shifts in the socio-technological-business arena, the information privacy framework continues to stumble along like an aging protagonist in a rejuvenated cast. The framework’s fundamental concepts are outdated; its goals and justifications in need of reassessment; and yet existing reform processes remain preoccupied with internal organizational measures, which yield questionable benefits to individuals. At best, the current framework strains to keep up with new developments; at worst, it has become irrelevant. More than three decades have passed since the introduction of the OECD Privacy Guidelines; and fifteen years since the EU Directive was put in place and the “notice and choice” approach gained credence in the United States. This period has seen a surge in the value of personal information for governments, businesses, and society at large. Innovations and breakthroughs, particularly in information technologies, have transformed business models and affected individuals’ lives in previously unimaginable ways. Not only technologies, but also individuals’ engagement with the data economy have radically changed. Individuals now proactively disseminate large amounts of personal information online via platform service providers, which act as facilitators rather than initiators of data flows. Data transfers, once understood as discrete point-to-point transmissions, have become ubiquitous, geographically indeterminate, and typically “residing” in the cloud.
This Article addresses the challenges posed to the existing information privacy framework by three main socio-technological-business shifts: the surge in big data and analytics; the social networking revolution; and the migration of personal data processing to the cloud. The term big data refers to the ability of organizations to collect, store, and analyze previously unimaginable amounts of unstructured information in order to find patterns and correlations and draw useful conclusions. Big data creates tremendous value for the world economy, individuals, businesses, and society at large. At the same time, it heightens concerns over privacy, equality, and fairness, and pushes back against well-established privacy principles. Social networking services have revolutionized the relationship between individuals and organizations. Those creating, storing, using, and disseminating personal information are no longer just organizations, but also geographically dispersed individuals who post photos, submit ratings, and share their location online. The term cloud computing encompasses (at least) three distinct models of utilizing computing resources through a network—software, platform, and infrastructure as a service. The advantages of cloud computing abound and include, from the side of organizations, reduced cost, increased reliability, scalability, and security, and from the side of users, the ability to access data from anywhere, on any device, at any time, and to collaborate on a single document across multiple users; however, the processing of personal information in the cloud poses new privacy risks.
In response to these changes, policymakers in the Organization for Economic Co-operation and Development (OECD), EU and the United States launched extensive processes for fundamental reform of the information privacy framework. The product of these processes is set to become the second generation of information privacy law. Yet, as discussed in this Article, the second generation is strongly anchored in the existing framework, which in turn is rooted in an architecture dating back to the 1970s. The major dilemmas and policy choices of information privacy remain unresolved.
First, the second generation fails to update the definition of personal data, the fundamental building block of the framework. Recent advances in reidentification science have shown the futility of traditional de-identification techniques in a big data ecosystem. Consequently, the scope of the framework is either overbroad, potentially encompassing every bit and byte of information, ostensibly not about individuals; or overly narrow, excluding de-identified information, which could be re-identified with relative ease. More advanced notions that have gained credence in the scientific community, such as differential privacy and privacy enhancing technologies, have been left out of the debate.
Second, the second generation maintains and even expands the central role of consent. Consent is a wild card in the privacy deck. Without it, the framework becomes paternalistic and overly rigid; with it, organizations can whitewash questionable data practices and point to individuals for legitimacy. The Article argues that the role of consent should be demarcated according to normative choices made by policymakers with respect to prospective data uses. In some cases, consent should not be required; in others, consent should be assumed subject to a right of refusal; in specific cases, consent should be required to legitimize data use. Formalistic insistence on consent and purpose limitation can impede data driven breakthroughs that benefit society as a whole.
Third, the second generation remains rooted on a linear approach to processing whereby an active “data controller” collects information from a passive individual, and then stores, uses, or transfers it until its ultimate deletion. The explosion of peer produced content, particularly on social networking services, and the introduction into the data value chain of layer upon layer of service providers, have meant that for vast swaths of the data ecosystem, the linear model has become obsolete. Privacy risks are now posed by an indefinite number of geographically dispersed actors, not least individuals themselves, who voluntarily share their own information and that of their friends and relatives. Despite much discussion of “Privacy 2.0,” the emerging framework fails to account for these changes. Moreover, in many contexts, such as mobile applications, behavioral advertising, or social networking services, it is not necessarily the controller, but rather an intermediary or platform provider, that wields the most control over information.
Fourth, the second generation, particularly of European data protection laws, continues to view information as “residing” in a jurisdiction, despite the geographical indeterminacy of cloud storage and transfers. For many years, transborder data flow regulation has caused much consternation to global businesses, while generating formidable legal fees. Unfortunately, this is not about to change. While not providing solutions to these challenging problems, the Article sets an agenda for future research, identifying issues and potential paths towards a rejuvenated framework for a rapidly changing environment.'The EU-US Privacy Collision: A Turn To Institutions And Procedures' by Paul M. Schwartz in (2013) 126 Harvard Law Review 1966 argues that
Internet scholarship in the United States generally concentrates on how decisions made in this country about copyright law, network neutrality, and other policy areas shape cyberspace. In one important aspect of the evolving Internet, however, a comparative focus is indispensable. Legal forces outside the United States have significantly shaped the governance of information privacy, a highly important aspect of cyberspace, and one involving central issues of civil liberties. The EU has played a major role in international decisions involving information privacy, a role that has been bolstered by the authority of EU member states to block data transfers to third party nations, including the United States.
The European Commission’s release in late January 2012 of its proposed “General Data Protection Regulation” (the Proposed Regulation) provides a perfect juncture to assess the ongoing EU-U.S. privacy collision. An intense debate is now occurring about critical areas of information policy, including the rules for lawfulness of personal processing, the “right to be forgotten,” and the conditions for data flows between the EU and the United States.
This Article begins by tracing the rise of the current EU-U.S. privacy status quo. The European Commission’s 1995 Data Protection Directive (the Directive) staked out a number of bold positions, including a limit on international data transfers to countries that lacked “adequate” legal protections for personal information. The impact of the Directive has been considerable. The Directive has shaped the form of numerous laws, inside and outside of the EU, and contributed to the creation of a substantive EU model of data protection, which has also been highly influential.
This Article explores the path that the United States has taken in its information privacy law and explores the reasons for the relative lack of American influence on worldwide information privacy regulatory models. As an initial matter, the EU is skeptical regarding the level of protection that U.S. law actually provides. Moreover, despite the important role of the United States in early global information privacy debates, the rest of the world has followed the EU model and enacted EU-style “data protection” laws.
At the same time, the aftermath of the Directive has seen ad hoc policy efforts between the United States and EU that have created numerous paths to satisfy the EU’s requirement of “adequacy” for data transfers from the EU to the United States. The policy instruments involved are the Safe Harbor, the two sets of Model Contractual Clauses, and the Binding Corporate Rules. These policy instruments provide key elements for an intense process of nonlegislative lawmaking, and one that has involved a large cast of characters, both governmental and nongovernmental.
To avert the privacy collision ahead, this Article advocates modifications to the kinds of institutions and procedures that the Proposed Regulation would create. A “Revised Data Protection Regulation” should concentrate on imposing uniformity only on “field definitions,” that is, the critical terms that mark the scope of this regulatory field. The Revised Regulation should be clear that member states can supplement areas that do not fall within its scope with national measures. This approach would leave room for further experiments in data protection by the member states. The Revised Regulation should also alter the currently proposed procedures to limit the Commission’s assertion of power as the final arbiter of information privacy law.