Bennett and Raab’s The Governance of Privacy is meant to address the politics of privacy protection as they regard personal information. The authors interrogate the public policies of ‘borderless’ and ‘bordered’ worlds in mapping privacy’s governance structure in contemporary regulatory environments. By the time that we reach the third, and last, section of the text, Bennett and Raab have already talked about policy goals and the instruments implicated in those goals; part three considers the impacts of using those instruments in realizing policy goals.
We begin the third section of the book by evaluating policy instruments and “their interrelationships as mutually supportive or conflicting components in privacy-protection systems” (Bennett and Raab 2006: xxvi). The configuration of these instruments lets us identify particular privacy regimes, and entails asking how commissioners, advocates, laws, and so forth, are arranged. To let us evaluate these instruments, four dominant comparative methods are offered:
- Scope of Application: What geographical spaces does the instrument apply to? What technologies? What sectors?
- Enforceability: Are instruments and regulations binding or non-binding? Self-regulated? Are they used for deterrence or compliance? Are they both adopted and implemented? It is noted that legal fiats are not necessarily the most effective method of enforcing policy. A nice diagram outlining the relationships of enforceability is provided on page 215.
- Accountability: Where there are strong hierarchies, there are fewer policy instruments in play. It can be incredibly challenging to identify who is accountable to whom, and in what manner – this leads us to ask what are the most effective/efficient ways of micro-mapping these relationships (not taken up in depth in the text). Could something like ANT offer a way of mapping accountability in detail?
- Policy Community: This includes commissioners, advocates, data controllers, industry associations, academics, etc. Each participant has different amounts of political capital, and we can expect that they are differently able to inject themselves into stages of the policy process – as such, we need to think through the policy community with sensitivity to the broad process of policy formation and implementation, and avoid exclusively focusing on any particular moment.
At the same time, there are various groups that are involved in policy communities:
- Government
- Regulatory bodies – such bodies may function with different degrees of international/national/regional influence
- Data controllers
- Data subjects – trust often determines how subjects involve or do not involve themselves in policy developments
- Technology providers and developers
- Privacy groups and the media – this group is given a much more detailed analysis in Bennett’s The Privacy Advocates. Broadly, these groups often are made of diverse coalitions that emerge as particular issues arise, and often lack a cohesive, common, ideological structure. They are often hindered by the abstract and hypothetical nature of privacy problems, and this makes it challenging to develop clear typologies and definitions of privacy advocates and activists (I will note that a six-part distinction is made in The Privacy Advocates).
Once we have established the grounds under which a comparative analysis can be performed and identified the relevant groups involved in the policy process, we move to evaluate the actual impact of privacy policies: are they having their desired impact(s)? A substantial set of criteria and domains are offered in the text, which respond to the following questions:
- Why do we need to evaluate data protection?
- How can we evaluate data protection policies?
- What are the operational criteria for evaluation?
- What factors facilitate evaluation?
- What impedes evaluation?
- What, or who, should be evaluated?
In the course of responding to these questions, what we find is that data protection should be approached as a process of operational change and learning that involves a network of actors and objectives. As such, we should focus on the processes in our analyses, and see outputs as demonstrating successes or failures of these processes. At the same time, however, there is value in examining the input:output ratio; doing so can let us identify and understand inefficient processes. As a consequence of the shift to focusing on processes, we can interrogate the reasons for good or bad outputs and avoid ‘blackboxing’ the process stage of policy formation and implementation. Such evaluations may demand bottom-up analyses, so that we can think through the relationships between actors, goals, outputs, inputs, and so forth, but at the same time we might wonder if engaging in both a bottom-up analysis along with a top-down analysis might not provide an even deeper understanding of the stated versus real culture of privacy policy.
Emergent from this, of course, is a question of where privacy policy is heading: are we doomed to the minimal possible ‘levels’ of privacy, the highest, or something in between? Three separate directions are outlined:
- Race-to-the-bottom: This rests on the assumption that there is a competitive advantage to operating in locations with weak data protection regulations. It demands that data controllers are relatively mobile and that differences in cost structures lead corporations to try and relocate their activities to weak regulatory environments.
- Conditional race-to-the-bottom: This holds that the race can be deterred or, at the very least, delayed. Sunk costs limit the rapid shifts of companies between regulatory domains, and the dominance of particular economies (e.g. US, EU) means that certain regulatory environments cannot actually be evaded by relocating to locations with weak privacy regulations. Finally, the ability of social and political activists to shine spotlights and embarrass companies, regardless of their territorial location, means that even where legal regulations are low, there may be high social expectations of privacy that prevent data controllers from taking advantage of reduced legal regulations.
- Trading up: Under this account, the burdens of compliance affect foreign data controllers more than domestic controllers, which means that domestic groups experience a competitive advantage when faced with heightened privacy regulations. Such regulations may limit access to the domestic market. Further, given that a mosaic approach to privacy regulations can carry with it high costs for compliance, efficiency calls for an integration/harmonization of data protection regulations to limit transactional costs of doing personal-information related business.
As it stands, Bennett and Raab do not see data controllers fleeing en masse to nations with low regulatory policies; while flights are occurring, this is not because of data protection laws or regulations. Instead, we have seen that those with substantial political capital (e.g. EU) have used it to encourage the development of privacy regulations – this has happened both at the governmental/official level (e.g. EU) as well as in the realm of activism (e.g. EPIC, ACLU, Privacy International).
While on the one hand we may argue that trading up is occurring, at the same time surveillance practices are becoming increasingly widespread, expanding to manage the contemporary ‘risk’ society. How can we reconcile the ‘surveillance society’ with a trading-up approach to privacy regulations? Bennett and Raab offer four responses:
- Things would be much worse if not for privacy protections.
- Trading up is not equal in all sectors, and will be resisted when compliance costs more than implementing privacy protections.
- The trading up of standards is not the same as the trading up of practices – remember the need to focus on the procedure of privacy protection, and not just on the outputs.
- Democratic decisions are deeply influenced by technology companies; in Lawrence Lessig’s terms, there is a need to recognize the bilateral influence of both East and West coast ‘code’. Technologies have practices that are implicated in them – the trading of Personally Identifiable Information (PII) is a practice that is ingrained in certain technologies, and cannot ‘neutrally’ be read as a mere accident of those technologies. Again, we must focus on the practice of technology, rather than stated/expected outputs.
While we might see particular instantiations of ‘privacy directions’ in various sectors, this multiplicity should not make us ask whether or not we are in a race to the bottom or to the top. Instead, it presents us with an incoherent/fragmented patchwork of privacy protections. Were we to just focus on either inputs or outputs, we might be inclined to make a bolder statement, but as soon as we attend to the middle spaces and the actual practices of the actors involved in privacy protection, we find that the regulatory environment is filled with divergent approaches, attitudes, and actor networks. We might then ask whether the development of regulatory processes since 2004-6 (when the book was, presumably, written) would lead us to alter this concluding judgement, or whether things today are as divergent as they were when the book was published.