Privacy Self-Regulation and the Changing Role of the State
My new working paper is just out. I have looked at the changes in the regulation (or "governance") of data protection, with a special focus on the different forms of new governance mechanisms. Building on Lawrence Lessig's work on "Code and Law" and also on previous research on the governance of privacy done by Colin Bennett and Charles Raab, I distinguish between social codes (contracts, self-regulatory schemes etc.) and technical codes (privacy-enhancing technologies). This is the abstract:
Privacy Self-Regulation and the Changing Role of the State. From Public Law to Social and Technical Mechanisms of Governance
This paper provides a structured overview of different self-governance mechanisms for privacy and data protection in the corporate world, with a special focus on Internet privacy. It also looks at the role of the state, and how it has related to privacy self-governance over time. While early data protection started out as law-based regulation by nation-states, transnational self-governance mechanisms have become more important due to the rise of global telecommunications and the Internet. Reach, scope, precision and enforcement of these industry codes of conduct vary a lot. The more binding they are, the more limited is their reach, though they – like the state-based instruments for privacy protection – are becoming more harmonised and global in reach nowadays. These "social codes" of conduct are developed by the private sector with limited participation of official data protection commissioners, public interest groups, or international organisations. Software tools - "technical codes" - for online privacy protection can give back some control over their data to individual users and customers, but only have limited reach and applications. The privacy-enhancing design of network infrastructures and database architectures is still mainly developed autonomously by the computer and software industry. Here, we can recently find a stronger, but new role of the state. Instead of regulating data processors directly, governments and oversight agencies now focus more on the intermediaries – standards developers, large software companies, or industry associations. And instead of prescribing and penalising, they now rely more on incentive-structures like certifications or public funding for social and technical self-governance instruments of privacy protection. The use of technology as an instrument and object of regulation is thereby becoming more popular, but the success of this approach still depends on the social codes and the underlying norms which technology is supposed to embed.