The data protection credibility crisis

Abstract

The Italian Marxist theorist Antonio Gramsci once wrote (in translation) that ‘the old is dying and the new cannot be born; in this interregnum, a great variety of morbid symptoms appear’. Although Gramsci was not speaking about data privacy, it seems to us that this statement could apply to the current state of data protection regulation around the world, which is marked by a realization that existing regulatory models are not working effectively, the lack of political will to explore alternatives, and general frustration about how to improve the situation. This has led to a credibility gap between the objectives of data protection law and how personal data are protected in practice. It should not be this way. The importance of data privacy has never been greater, and countries and regional organizations around the world are enacting legislation in an attempt to protect it. Much of this legislation has been based on the EU Data Protection Directive 95/46, which will be replaced by the proposed EU General Data Protection Regulation if the EU can ever finalize its interminable legislative process. Even the White House, which for years had seemed to oppose any large-scale federal legislation to deal with data processing in the private sector, has called for enactment of a Consumer Privacy Bill of Rights Act to grant increased protection to the online processing of personal data. Regional organizations such as Asia-Pacific Economic Cooperation, the Council of Europe, the Organization of American States, the Economic Community of West African States, the Organisation for Economic Co-operation and Development, and others have also done extensive work to enact new privacy instruments or amend their existing ones. All this activity has also had an effect at the global level, with the UN General Assembly passing a resolution that affirms the ‘right to privacy in the digital age’. But the increasing amount of new data protection regulation raises an important point: is all of this making any difference in increasing the protection of data privacy in practice? There are three aspects to this question that we would like to discuss briefly here. First of all, there is general confusion about the correct approach to regulating the collection, processing, and use of personal data. Among the issues about which there is no global consensus are how effective the law can be in regulating online data processing; the correct balance between legal regulation and private sector selfregulation; and how best to enforce the law. To a large extent, these questions are not unique to data protection and tend to arise in any area that involves the regulation of technology. But coming to a consensus about them has proved intractable, as they often reflect differences in national and regional laws and cultures. Secondly, the globalization of data processing creates major problems for applying and enforcing the law. The fact that it is increasingly difficult to determine the location where data are collected and processed gives rise to confusion on the part of individuals about what their rights are and how they can exercise control over their data in a meaningful way. Data controllers are similarly frustrated by the application of multiple laws to a particular database or online service, and regulators and governments are often unable to apply and enforce their laws across national borders, which can lead to international tensions. Thirdly, questions arise about how data protection regulation is enforced. Recent years have witnessed what could be called the ‘FTC-ization’ of data privacy enforcement, which reflects the strategy of the US Federal Trade Commission to concentrate on enforcement in highprofile cases, in order to make examples of the corporations involved and frighten others into compliance. Other regulators, such as European data protection authorities, have adopted a similar approach, at least in part because they lack the resources to enforce the law on a more widespread scale. However, while this may generate enforcement efficiencies, it raises questions