Vol. 17 No. 2 (February, 2007) pp.125-128
THE GOVERNANCE OF PRIVACY: POLICY INSTRUMENTS IN GLOBAL PERSPECTIVE, by Colin J. Bennett and Charles D. Raab. Cambridge: The MIT Press, 2006. 368pp. Paper. $30.00/£19.95. ISBN: 0262524538.
Reviewed by Christopher Shortell, California State University, Northridge. Email: cshortell [at] csun.edu.
In THE GOVERNANCE OF PRIVACY, Colin Bennett from University of Victoria and Charles Raab from University of Edinburgh attempt the daunting task of moving towards a more systematic and empirical evaluation of privacy protections globally. The authors bring an impressive command of the literature and privacy practices to bear on their questions and demonstrate a remarkable degree of subtlety and nuance in the book. There are simply no other studies on privacy that combine the comprehensiveness and rigor demonstrated by these authors.
Bennett and Raab begin by making two key observations. First, they argue that privacy related problems are political and policy issues just as much, if not more, than legal or technical issues. Limiting analysis of privacy to strictly legal or technical approaches, then, ignores critically important aspects of privacy. Secondly, the authors note that globalization has a dramatic impact on the regulation of privacy. Regulation instruments exist at both the national and international levels, with interactions in both directions. These observations drive the authors’ inquiry into privacy governance and shape the focus of the study.
The book is divided into three sections. The first section deals with the goals of privacy protection. In this section the authors approach privacy primarily from a theoretical standpoint. Why is privacy worth protecting at all? The second section describes the many policy instruments that are in place internationally, nationally, and across industrial sectors throughout the world. These are not limited to legal obligations, but also include codes of practice and technological developments for individual consumers. The final section of the book focuses on the impact of these many policy instruments. Bennett and Raab conclude by looking ahead to the future to predict where privacy protection is heading. I will discuss each of the sections in turn, followed by some thoughts about the successes and challenges presented in their work.
Part I comprises the most theoretical portion of the work. Chapter 1 describes the dominant beliefs about privacy that underlies much of the regulation in place today. As the authors deftly explain, current approaches to privacy protection are based heavily on the paradigm of liberalism. Data subjects are assumed to be autonomous individuals with an interest in controlling information about themselves. Privacy can be justified in terms of promoting liberal democracy, but its specifics are highly subjective. Different people care about different types of personal information at different [*126] times. In a liberal paradigm, then, the focus must be on procedural rather than substantive data protection for the individual. If an individual’s privacy is violated, there are procedures in place which allow for an individual remedy.
In Chapter 2, the authors directly challenge the wisdom of relying on a liberal paradigm when it comes to privacy. Building on Priscilla Regan’s work (1995), they point out that privacy operates not only at the individual level, but also at a societal level. A chilling effect on associational activities has broad repercussions for society beyond those immediately impacted. For Bennett and Raab, excessive surveillance can result in social inequities- some are more protected than others. For them, “the recognition that who wins and who loses from privacy protection is a central issue would alter the policy playing field, the actors who may be mobilized, and hence the ‘politics’ of privacy” (p. 38).
Chapter 3 shifts away from the primary philosophical discourse surrounding privacy to focus on two related issues – trust and risk. Privacy is increasingly viewed as instrumental in securing the trust of consumers with regard to electronic commerce. Bennett and Raab call for greater academic attention to notions of trust and how they affect the development and evaluation of privacy regulation. Risk, likewise, is a critical factor to take into account. What level of risk is acceptable when handling data? Who decides that?
In Part II, the authors shift focus to the largely descriptive task of presenting and classifying the many privacy policies currently in place. The section is divided into chapters devoted to transnational conventions, national-level regulatory agencies, industry self-regulation, and technological instruments. With great care, Bennett and Raab discuss the origins of the Council of Europe convention, the Organization for Economic Coordination and Development guidelines, and the European Union directive on privacy. They note the interactions between these different standards and the ways in which political pressures led to divergent outcomes. Recent developments in Asia and in international standards bodies are also briefly considered. This discussion largely sets the stage for implementation of these principles at the national level and through industry associations.
The chapter on self-regulating instruments is particularly interesting. Bennett and Raab show how informal self-regulation through industry associations and individual firms is often intended to head off more rigorous legislation from government. The absence of formal laws does not necessarily mean that privacy is unprotected. Where there is threat of adoption of data protection laws, companies will often strategically follow at least some privacy standards. In legal terms, these firms are operating in the shadow of the law. Bennett and Raab do an excellent job of tracing out the motivations and reactions of various private and public actors with regard to self-regulation. This is particularly relevant in the United States, which lacks the comprehensive data protection laws found in most other western [*127] industrialized countries. Part II concludes with a consideration of the role of technology in privacy protections. The authors not only catalog some of the myriad privacy technology available for consumers, but they also explore how the very design of technology, such as the use of cookies, can either be more or less privacy protective.
The heart of the book is found in Part III. After the setup from Parts I and II, the authors turn their attention to gauging the impact of these privacy policy regimes. Bennett and Raab acknowledge up front that we are not yet in a position to provide any kind of comprehensive evaluation of the impact of privacy protections. As they argue, privacy itself is a contested notion, making measurement very difficult. However, they are not content to leave it at that. They endeavor to identify how one could evaluate not only the economy, efficiency, and effectiveness of privacy policies, but also the equity inherent in them. They do a tremendous job categorizing, specifying, and operationalizing some very complex issues. The strength of their analysis lies in the attention they pay to the ways that different areas influence one another. Transnational regimes influence national regulatory agencies and companies, but are themselves influenced by privacy commissioners and industry associations. Evaluating the work of privacy commissioners alone is no more sufficient than simply evaluating the practices of private companies.
Bennett and Raab conclude with a consideration of whether privacy protections are engaged in a “race to the bottom” or a “race to the top.” After considering available evidence, they argue that privacy protection is actually improving globally. Companies are not moving around in order to avoid privacy regulations such as those developed in the EU. Instead, there has been a gradual increase in awareness and action on the issue of privacy. Off-setting this positive note, however, is the realization that privacy protection may not be “trading up” as rapidly as other global factors – “those of the extensive, intensive processing of personal data; of the transformation of economic activity through the use of electronic communications and information infrastructures; and of the globalization of law enforcement and security objectives” (p.289). In particular, the changes in state behavior with regard to law enforcement in the wake of September 11 threaten the improvements in privacy protection that have been won over the last two decades. These realities lead the authors to conclude that the future will be mixed. There will be privacy gains in some sectors that will be offset by privacy losses in other sectors.
While on the whole the book is remarkably thorough, there are a couple areas that could have used some additional attention. The authors are correct to note that formal laws and legal proceedings fail to tell the whole story about privacy protections. However, even the authors note that “the evolution of a jurisprudence growing out of cases brought to courts or tribunals all give some comfort to the cause of privacy” (p.146). Unfortunately, there is no [*128] follow-up on what this jurisprudence is or how it interacts with the other factors that the authors so carefully detail. I agree with the authors that a strictly legal approach misses too much, but the courts are not irrelevant. Those privacy cases that do get decided affect the behavior of data controllers and regulating agents in important ways. Future privacy scholars should make an effort to integrate the courts and law more fully into the picture that Bennett and Raab draw.
A second concern relates to the relatively limited attention given to threats to privacy from government agencies. Most of the discussion on this is found in the last few pages of the concluding chapter, but the changes in acceptance of government surveillance plays a significant role in the broader issues of privacy. For example, in the United States, attempts to establish the Total Information Awareness program and its successors relies in part on matching of publicly held data with privately generated databases primarily intended for marketing purposes. Where governments rely on surveillance of that sort, the likelihood of new, more restrictive laws and the successful enforcement of existing laws may be diminished. This dynamic is likely to be a prominent one in coming years with regard to privacy, and a greater integration of that dynamic in the work would have been valuable.
Nonetheless, this is an impressive study. Bennett and Raab bring together a wealth of experience and data to provide far greater order and rigor to the study of privacy. At the end, we are left with more questions than answers, but they are useful questions and suggest future directions for research.
REFERENCES:
Regan, Priscilla. 1995. LEGISLATING PRIVACY: TECHNOLOGY, SOCIAL VALUES AND PUBLIC POLICY. Chapel Hill: University of North Carolina Press.
*********************
© Copyright 2007 by the author, Christopher Shortell.
 The Governance of Privacy: Policy Instruments in Global Perspective
|