Policy and regulation around data protection is inherently a global issue since digital information flows within and between countries around the world. But how far are policies and regulations throughout the Internet standardized, and to what extent do they differ depending on the respective jurisdiction? Unity, in this case, means common standards of protection and common methods to process personal data, thereby facilitating their flow between countries. Conversely, diversity entails different standards of protection and the potential use of some jurisdictions as ‘data havens’ where personal data protected in one country can be processed under weaker controls in another. This commentary primarily uses examples from the European data protection regime to argue that this interplay of harmonization and divergence should be discussed at three levels of analysis: the macro/legislative level, the meso/regulatory level, and the micro/professional level.
Macro/legislative level
At the macro level, consistent trends toward harmonization can be identified since the 1980s.[1] Data protection laws that emerged around the 1970s and 1980s shared similar core principles yet varied considerably in terms of legal frameworks and regulatory styles (Bignami 2011). Early on, the Organization for Economic Cooperation and Development (OECD) and the Council of Europe respectively adopted the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) and the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981) in an attempt to harmonize national data protection laws. These organizations set a threshold for informational self-determination and a similar yet broad set of principle-based rules and procedural protections, known as the Fair Information Practices Principles (FIPPs; Mayer-Schönberger 1997).
The adoption of the European Data Protection Directive (EDPD) in 1995 was a response to the two earlier frameworks, which had had a low harmonizing impact on national regulatory styles and the chosen policy instruments (Bennett 1992; Bignami 2011). According to Abraham Newman, pioneering national data protection supervisory authorities (DPAs) feared that the lack of strong supranational regulations and enforcement would create data havens, so they successfully nudged European policymakers towards adopting the EDPD (Newman 2008). However, competition over the preferred regulatory approach impacted the outcome of the policy convergence process. Delegations established coalitions to have their favoured regulatory approaches accepted, for example regarding the empowerment of DPAs via the automatic-processing notification scheme, the reliance on data protection officers (Medzini 2021a), and the formation and use of codes of conduct (Medzini 2021b). The finalized EDPD only imposed omnibus protections and set broad principle-based standards, thereby allowing national policymakers to pursue their preferred policies.
European policymakers had a window of opportunity to promote a more comprehensive unified approach to data protection with the Lisbon Treaty and the EU Charter of Fundamental Rights entering into force in 2009. European policymakers could now address several challenges to the free movement of personal data that the EDPD could not manage, including globalization and transnational data processing, fast-paced technological developments, and inconsistencies in data protection governance (European Commission 2010). The EU Commission decided that instead of amending the EDPD or establishing a central European data protection authority (Medzini 2021a), it would promote a directly applicable regulation to address these challenges and achieve a high degree of harmonization (European Commission 2012). Member states resisted this decision, leading to lengthy deliberations, conflicting interests, and many objections on specific issues. Policymakers reached a political compromise in December 2015, and the directly applicable regulation – the General Data Protection Regulation (GDPR) – was adopted in 2016. The GDPR brought with it a more harmonized macro-level approach to the governance of data protection.
So-called ‘adequacy decisions’ are another method for the European Union to push for unity in data protection. The European Commission uses this tool to assess non-European data protection regimes, negotiate their potential alignment with EU standards where possible, and then permit cross-border data transfer. Without an adequacy decision, organizations in non-EU countries must guarantee to maintain European-level data protection policy and practice (Hoofnagle, van der Sloot and Borgesius 2019). Until now, 13 countries have received recognition of adequacy. Yet an adequacy decision does not guarantee that external states will not push against the European pull towards unity. For example, poor monitoring and weak enforcement in the US led the European Court of Justice in 2015 to invalidate the Commission’s adequacy decision regarding the EU-US Safe Harbor Agreement, and subsequently to invalidate the adequacy decision regarding its replacement – the Privacy Shield Framework. Furthermore, the GDPR requires the Commission to monitor and review adequacy decisions on an ongoing basis, at least every four years. This review process is impactful, as introducing amendments that weaken adequate data protection legislation can result in the loss of the adequacy decision.
Meso/regulatory level
The pull towards unity and against diversity also occurs on the meso-level through global coordination between DPAs. According to the International Conference for Data Protection and Privacy Commissioners (ICDPPC), there are at least 122 privacy and data protection authorities worldwide. Leading examples of such DPAs include the French Commission Nationale de l'Informatique et des Libertés, the UK’s Information Commissioner’s Office, and the USA’s Federal Trade Commission. These DPAs have diverse sets of capacities and resources. For example, European DPAs have been found to have different levels of expertise regarding Information and Communication Technologies (ICTs), distinct strategies for participation in ICT-related decision-making, and differences in their available, already-limited resources (Raab and Szekely 2017). Because of these differences, policymakers and regulated organizations worldwide have constantly critiqued DPAs for inconsistent interpretation and application of data protection laws and regulations.
One unifying instrument against diverging enforcement and regulatory action is coordinated action through networking among these authorities. For the most part, these networks benefit from flexibility and informality, at the expense of permitting members to leave the network voluntarily when faced with conflicting interests (Börzel 1998). In some cases, a process of ‘networkation’ may formalize the network as a form of governance (Levi-Faur 2011), for instance by establishing network administrative organizations that hold power and discretion to govern the network (Provan and Kenis 2008). There are several networks between data protection supervisory authorities, such as the ICDPPC, which issues joint resolutions and declarations, and the Global Privacy Enforcement Network (GPEN), an informal OECD-recommended network. GPEN enables discussions of practical privacy enforcement cooperation, shares best practices, and supports joint enforcement initiatives. The International Working Group on Data Protection in Telecommunications (also known as the Berlin Group) provides its members with working papers and alerts on technological developments regarding personal data.
Several other networks of data regulators operate only within the European Union. National DPAs and the European Data Protection Supervisor – the DPA for the European institutions – meet regularly and co-supervise four European large-scale IT systems: Eurodac, the Visa Information System, the Schengen Information System, and the Customs Information System. The European Data Protection Board (EDPB) is a formalized independent body that replaced the EDPD’s advisory Article 29 Working Party.[2] The EDPB guides and promotes cooperation between DPAs and contributes to the consistent application of the European data protection regime by settling disputes and adopting binding decisions.
Micro/professional level
Another level at which unity pulls and diversity pushes occur is the professional micro-level. The micro-level of data protection, or as Kenneth Bamberger and Deirdre Mulligan (2015) have termed it, ‘privacy on the ground’, deals with how organizations implement data protection in their daily operations and design their products and services.[3] Regulatory intermediaries are integral to governing data protection on the ground. They provide capacities such as legitimacy, expertise, and independence that neither regulators nor organizations possess, and these capacities permit them to take upon themselves a function in the regulatory process (Abbott, Levi-Faur and Snidal 2017). Well-known groups of intermediaries in data protection include chief privacy officers (CPOs; Bamberger and Mulligan 2011), data protection officers (DPOs; Medzini 2021a), and private monitoring and certification bodies (Medzini 2021b). They are professionals who guide and advise organizations on how to implement data protection policies and manage privacy-related risks. In some instances, they also monitor and enforce self-regulation, for example by monitoring compliance and providing advice regarding the data protection impact assessments required by the GDPR. Thus, these professionals strengthen corporate and managerial responsibility and accountability by ensuring and demonstrating compliance with data protection (European Commission 2012).
CPOs and DPOs can generate both diversification and harmonization. On the one hand, DPOs and CPOs can interpret and operationalize privacy protections differently (Bamberger and Mulligan 2015). And while the number of European DPOs is increasing rapidly,[4] and with it the possibility that they will interpret data protection laws and regulations differently, the GDPR only stipulates soft rules to regulate the required qualifications and responsibilities of appointed DPOs. National policymakers and regulators cannot formally constrain or limit the professional qualities of DPOs. On the other hand, professional organizations, networks, and training institutions enter the regulatory gap and become a source of harmonization among professionals. Since the 1970s, several professional associations have surfaced, including in countries where organizations were not required to appoint DPOs (until the adoption of the GDPR; Medzini 2021a). These professional associations pull towards unity by offering resources, networking opportunities, training, and certifications to individual DPOs and CPOs positioned across various organizations. These associations can also promote shared group interests through dialogue with, and lobbying of, European and national policymakers.
Summary
This commentary analysed unification pulls and diversity pushes on three levels. On the macro level, different transnational treaties, frameworks, guidelines, and standards attempt to harmonize existing and new national data protection laws. On the meso level, data protection regulators use networking and coordination actions to overcome their differences. Lastly, on the micro level, professional organizations and other institutions enter the regulatory gap and act as venues for harmonization among the professionals who guide and monitor data processing operations within organizations. As data processing operations increasingly occur between and within organizations around the world, unity pulls at all three levels will continually seek to fend off diversity pushes that create variation and complexity between jurisdictions.
[1] Recent unifying examples include the UN’s Guidelines for the Regulation of Computerized Personal Data Files (1990); the APEC Privacy Principles (2005); and the ISO 27000 series of security standards, specifically ISO/IEC 27018 on the protection of personally identifiable information in cloud computing (Bennett and Raab 2020).
[2] The Article 29 Working Party (WP29) was an independent advisory body on data protection which operated until the entry into force of the GDPR. It consisted of representatives of the data protection authorities of the European member states. The WP29’s archives, including opinions, letters, and working documents, can be found at: https://ec.europa.eu/justice/article-29/documentation/index_en.htm
[3] This fragmentation among privacy professionals extends beyond the already existing differences in the perception of privacy among technologists and engineers who design products with or without accounting for privacy and data protection (Ribak 2019; Waldman 2018).
[4] For example, with the adoption of the GDPR, privacy professional groups assessed a need to appoint at least 28,000 DPOs, an assessment that later grew to 75,000 DPOs across 500,000 organizations.
References
Abbott, Kenneth W., Levi-Faur, David and Snidal, Duncan (2017). ‘Theorizing Regulatory Intermediaries: The RIT Model’, The ANNALS of the American Academy of Political and Social Science, 670(1): 14–35.
Bamberger, Kenneth A. and Mulligan, Deirdre K. (2011). ‘New Governance, Chief Privacy Officers, and the Corporate Management of Information Privacy in the United States: An Initial Inquiry’, Law & Policy, 33(4): 477–508.
Bamberger, Kenneth A. and Mulligan, Deirdre. K. (2015). Privacy on the Ground: Driving Corporate Behavior in the United States and Europe, Cambridge, MA: The MIT Press.
Bennett, Colin J. (1992). Regulating Privacy: Data Protection and Public Policy in Europe and the United States, Ithaca, NY: Cornell University Press.
Bennett, Colin J. and Raab, Charles D. (2020). ‘Revisiting the Governance of Privacy: Contemporary Policy Instruments in Global Perspective’, Regulation & Governance 14(3): 447–464.
Bignami, Francesca (2011). ‘Cooperative Legalism and the Non-Americanization of European Regulatory Styles: The Case of Data Privacy’, The American Journal of Comparative Law, 59(2): 411–461.
Börzel, Tanja A. (1998). ‘Organizing Babylon: On the Different Conceptions of Policy Networks’, Public Administration, 76(2): 253–273.
European Commission (2010). A Comprehensive Approach on Personal Data Protection in the European Union, available at: https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0609:FIN:EN:PDF (accessed: 22 November 2022).
European Commission (2012). Impact Assessment Accompanying the Document Regulation of the European Parliament and of the Council on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation) and Directive of the European Parliament and of the Council on the Protection of Individuals With Regard to the Processing of Personal Data by Competent Authorities for the Purposes of Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties, and the Free Movement of Such Data, available at: https://www.europarl.europa.eu/cmsdata/59702/att_20130508ATT65856-1873079025799224642.pdf (accessed: 22 November 2022).
Hoofnagle, Chris J., van der Sloot, Bart and Borgesius, Frederik Z. (2019). ‘The European Union General Data Protection Regulation: What It Is and What It Means’, Information & Communications Technology Law, 28(1): 65–98.
Levi-Faur, David (2011). ‘Regulatory Networks and Regulatory Agencification: Towards a Single European Regulatory Space’, Journal of European Public Policy, 18(6): 810–829.
Mayer-Schönberger, Viktor (1997). ‘Generational Development of Data Protection in Europe’, in Philip E. Agre and Marc Rotenberg (eds), Technology and Privacy: The New Landscape, Cambridge, MA: The MIT Press, 219–241.
Medzini, Rotem (2021a). ‘Credibility in Enhanced Self‐Regulation: The Case of the European Data Protection Regime’, Policy & Internet, 13(3): 366–384.
Medzini, Rotem (2021b). ‘Governing the Shadow of Hierarchy: Enhanced Self-Regulation in European Data Protection Codes and Certifications’, Internet Policy Review, 10(3): 1–29.
Newman, Abraham L. (2008). ‘Building Transnational Civil Liberties: Transgovernmental Entrepreneurs and the European Data Privacy Directive’, International Organization, 62(1): 103–130.
Provan, Keith G. and Kenis, Patrick (2008). ‘Modes of Network Governance: Structure, Management, and Effectiveness’, Journal of Public Administration Research and Theory, 18(2): 229–252.
Raab, Charles and Szekely, Ivan (2017). ‘Data Protection Authorities and Information Technology’, Computer Law & Security Review, 33(4): 421–433.
Ribak, Rivka (2019). ‘Translating Privacy: Developer Cultures in the Global World of Practice’, Information, Communication & Society, 22(6): 838–853.
Waldman, Ari E. (2018). ‘Designing Without Privacy’, Houston Law Review, 55(3): 659–727.
About the Author
Rotem Medzini is a post-doctoral fellow at the Käte Hamburger Kolleg/Centre for Global Cooperation Research, University of Duisburg-Essen. Rotem studies data and content governance via regulatory intermediation to understand why and how regulation expands online. His research has been published in prestigious peer-reviewed journals, including New Media & Society, Policy & Internet, and Internet Policy Review. Rotem received his PhD in Public Policy from the Hebrew University in Jerusalem and a Masters in the Science of Law (JSM) from Stanford University.
Contact: medzini@gcr21.uni-due.de