'Privacy Law’s Midlife Crisis: A Critical Assessment of the Second Wave of Global Privacy Laws' by Omer Tene in (2013) 74(6)
Ohio State Law Journal argues that
Privacy law is suffering from a midlife crisis. Despite well-recognized
tectonic shifts in the socio-technological-business arena, the information
privacy framework continues to stumble along like an aging protagonist in a
rejuvenated cast. The framework’s fundamental concepts are outdated; its goals
and justifications in need of reassessment; and yet existing reform processes
remain preoccupied with internal organizational measures, which yield
questionable benefits to individuals. At best, the current framework strains to
keep up with new developments; at worst, it has become irrelevant. More than
three decades have passed since the introduction of the OECD Privacy Guidelines; and fifteen years since the EU Directive was put in place and the
“notice and choice” approach gained credence in the United States. This period
has seen a surge in the value of personal information for governments,
businesses, and society at large. Innovations and breakthroughs, particularly in
information technologies, have transformed business models and affected
individuals’ lives in previously unimaginable ways. Not only technologies, but
also individuals’ engagement with the data economy have radically changed.
Individuals now proactively disseminate large amounts of personal information
online via platform service providers, which act as facilitators rather than
initiators of data flows. Data transfers, once understood as discrete point-to-point
transmissions, have become ubiquitous, geographically indeterminate, and
typically “residing” in the cloud.
This Article addresses the challenges posed to the existing information
privacy framework by three main socio-technological-business shifts: the surge
in big data and analytics; the social networking revolution; and the migration of
personal data processing to the cloud. The term big data refers to the ability of
organizations to collect, store, and analyze previously unimaginable amounts of
unstructured information in order to find patterns and correlations and draw
useful conclusions. Big data creates tremendous value for the world economy,
individuals, businesses, and society at large. At the same time, it heightens
concerns over privacy, equality, and fairness, and pushes back against well-established
privacy principles. Social networking services have revolutionized
the relationship between individuals and organizations. Those creating, storing,
using, and disseminating personal information are no longer just organizations,
but also geographically dispersed individuals who post photos, submit ratings,
and share their location online. The term cloud computing encompasses (at
least) three distinct models of utilizing computing resources through a
network—software, platform, and infrastructure as a service. The advantages of
cloud computing abound and include, from the side of organizations, reduced
cost, increased reliability, scalability, and security, and from the side of users,
the ability to access data from anywhere, on any device, at any time, and to
collaborate on a single document across multiple users; however, the processing
of personal information in the cloud poses new privacy risks.
In response to these changes, policymakers in the Organization for
Economic Co-operation and Development (OECD), EU and the United States
launched extensive processes for fundamental reform of the information privacy
framework. The product of these processes is set to become the second
generation of information privacy law. Yet, as discussed in this Article, the
second generation is strongly anchored in the existing framework, which in turn
is rooted in an architecture dating back to the 1970s. The major dilemmas and
policy choices of information privacy remain unresolved.
First, the second generation fails to update the definition of personal data,
the fundamental building block of the framework. Recent advances in reidentification
science have shown the futility of traditional de-identification
techniques in a big data ecosystem. Consequently, the scope of the framework
is either overbroad, potentially encompassing every bit and byte of information,
ostensibly not about individuals; or overly narrow, excluding de-identified
information, which could be re-identified with relative ease. More advanced
notions that have gained credence in the scientific community, such as
differential privacy and privacy enhancing technologies, have been left out of
the debate.
Second, the second generation maintains and even expands the central role
of consent. Consent is a wild card in the privacy deck. Without it, the
framework becomes paternalistic and overly rigid; with it, organizations can
whitewash questionable data practices and point to individuals for legitimacy.
The Article argues that the role of consent should be demarcated according to
normative choices made by policymakers with respect to prospective data uses.
In some cases, consent should not be required; in others, consent should be
assumed subject to a right of refusal; in specific cases, consent should be
required to legitimize data use. Formalistic insistence on consent and purpose
limitation can impede data driven breakthroughs that benefit society as a whole.
Third, the second generation remains rooted on a linear approach to
processing whereby an active “data controller” collects information from a
passive individual, and then stores, uses, or transfers it until its ultimate
deletion. The explosion of peer produced content, particularly on social
networking services, and the introduction into the data value chain of layer upon
layer of service providers, have meant that for vast swaths of the data
ecosystem, the linear model has become obsolete. Privacy risks are now posed
by an indefinite number of geographically dispersed actors, not least individuals
themselves, who voluntarily share their own information and that of their
friends and relatives. Despite much discussion of “Privacy 2.0,” the emerging
framework fails to account for these changes. Moreover, in many contexts, such
as mobile applications, behavioral advertising, or social networking services, it
is not necessarily the controller, but rather an intermediary or platform provider,
that wields the most control over information.
Fourth, the second generation, particularly of European data protection
laws, continues to view information as “residing” in a jurisdiction, despite the
geographical indeterminacy of cloud storage and transfers. For many years,
transborder data flow regulation has caused much consternation to global businesses, while generating formidable legal fees. Unfortunately, this is not
about to change.
While not providing solutions to these challenging problems, the Article
sets an agenda for future research, identifying issues and potential paths towards
a rejuvenated framework for a rapidly changing environment.
'The EU-US Privacy Collision: A Turn To Institutions And Procedures' by Paul M. Schwartz in (2013) 126
Harvard Law Review 1966 argues that
Internet scholarship in the United States generally concentrates on
how decisions made in this country about copyright law, network neutrality,
and other policy areas shape cyberspace. In one important aspect
of the evolving Internet, however, a comparative focus is indispensable.
Legal forces outside the United States have significantly
shaped the governance of information privacy, a highly important aspect
of cyberspace, and one involving central issues of civil liberties.
The EU has played a major role in international decisions involving
information privacy, a role that has been bolstered by the authority of
EU member states to block data transfers to third party nations, including
the United States.
The European Commission’s release in late January 2012 of its
proposed “General Data Protection Regulation” (the Proposed Regulation)
provides a perfect juncture to assess the ongoing EU-U.S. privacy
collision. An intense debate is now occurring about critical areas of
information policy, including the rules for lawfulness of personal processing,
the “right to be forgotten,” and the conditions for data flows
between the EU and the United States.
This Article begins by tracing the rise of the current EU-U.S. privacy
status quo. The European Commission’s 1995 Data Protection
Directive (the Directive) staked out a number of bold positions, including
a limit on international data transfers to countries that lacked “adequate”
legal protections for personal information. The impact of the Directive has been considerable. The Directive has shaped the form of
numerous laws, inside and outside of the EU, and contributed to the
creation of a substantive EU model of data protection, which has also
been highly influential.
This Article explores the path that the United States has taken in
its information privacy law and explores the reasons for the relative
lack of American influence on worldwide information privacy regulatory
models. As an initial matter, the EU is skeptical regarding the
level of protection that U.S. law actually provides. Moreover, despite
the important role of the United States in early global information privacy
debates, the rest of the world has followed the EU model and enacted
EU-style “data protection” laws.
At the same time, the aftermath of the Directive has seen ad hoc
policy efforts between the United States and EU that have created
numerous paths to satisfy the EU’s requirement of “adequacy” for data
transfers from the EU to the United States. The policy instruments
involved are the Safe Harbor, the two sets of Model Contractual
Clauses, and the Binding Corporate Rules. These policy instruments
provide key elements for an intense process of nonlegislative lawmaking,
and one that has involved a large cast of characters, both governmental
and nongovernmental.
This Article argues that this policymaking has not been led exclusively
by the EU, but has been a collaborative effort marked by accommodation
and compromise. In discussing this process of
nonlegislative lawmaking, this Article will distinguish the current policymaking
with respect to privacy from Professor Anu Bradford’s
“Brussels Effect.” This nonlegislative “lawmaking” is a productive
outcome in line with the concept of “harmonization networks” that
Professor Anne-Marie Slaughter has identified in her scholarship.
“Harmonization networks” develop when regulators in different countries
work together to harmonize or otherwise adjust different kinds of
domestic law to achieve outcomes favorable to all parties.
The Article then analyzes the likely impact of the Proposed Regulation,
which is slated to replace the Directive. The Proposed Regulation
threatens to destabilize the current privacy policy equilibrium and
prevent the kind of decentralized global policymaking that has occurred in the past. The Proposed Regulation overturns the current
balance by heightening certain individual rights beyond levels that
U.S. information privacy law recognizes. It also centralizes power in
the European Commission in a way that destabilizes the policy equilibrium
within the EU, and thereby threatens the current policy processes
around harmonization networks.
To avert the privacy collision ahead, this Article advocates modifications
to the kinds of institutions and procedures that the Proposed
Regulation would create. A “Revised Data Protection Regulation”
should concentrate on imposing uniformity only on “field definitions,”
that is, the critical terms that mark the scope of this regulatory field.
The Revised Regulation should be clear that member states can supplement
areas that do not fall within its scope with national measures.
This approach would leave room for further experiments in data protection
by the member states. The Revised Regulation should also alter
the currently proposed procedures to limit the Commission’s assertion
of power as the final arbiter of information privacy law.
