Privacy, Data Protection, EU, Administrative Law, Comparative Law, Governance, Regulation, Technology, Europe, Qualitative Empirical Research, Corporate Compliance, Data Protection Authority, Interviews, Organizational Behavior, and Law
As this Article goes to press, the European Union is embroiled in debates over the contours of a proposed new privacy regulation. These efforts, however, have lacked critical information necessary for reform. For, like privacy debates generally, they focus almost entirely on law "on the books": legal texts enacted by legislatures or promulgated by agencies. By contrast, they largely ignore privacy "on the ground": the ways in which corporations in different countries have operationalized privacy protection in the light of divergent formal laws, different approaches taken by local administrative agencies, and other jurisdiction-specific social, cultural, and legal forces. Indeed, despite the new regulation's central goal of harmonizing privacy across Europe by preempting today's enormous variation in national approaches, policymakers have been hobbled by an absence of evidence as to which national choices about privacy governance have proven more or less resilient in the face of radical technological and social change. Information about the relative strengths and benefits of the alternate regulatory approaches that have flourished in the "living laboratories" of the European member states is largely undeveloped. This Article begins to fill this gap, and at a critical juncture. Our "on the ground" project uses qualitative empirical inquiry (including interviews with, and questionnaires completed by, corporate privacy officers, regulators, and other actors within the privacy field in three European countries: France, Germany and Spain) to identify the ways in which privacy protection is implemented in different jurisdictions, and the combination of social, market, and regulatory forces that drive these choices. It thus offers a comparative "in-the-wild" assessment of the effects of the different regulatory approaches adopted by these three countries.
In the face of novel challenges to privacy, leveraging the adaptability of distinct regulatory approaches and institutions has never been more important. As technological and social change has altered the generation and use of data, the definition of privacy that has prevailed in the political sphere (individual control over the disclosure and use of personal information) has increasingly lost its salience. In particular, the common instruments of protection generated by this definition (procedural mechanisms to protect individual "choice") have offered an inapt paradigm for privacy protection in the face of data ubiquity and computing capacity. In developing new metrics for protecting privacy, policymakers must take into account a far more granular and bottom-up analysis of both differences in national practice and the forces on the ground that result in the diffusion, or lack thereof, of corporate structures and institutions that research suggests are most adaptive in protecting privacy in the face of change. Through such comparative analysis, this Article upends the terms of the prevailing policy debate, revealing the ways in which different regulatory choices have shaped corporate behavior. This analysis offers important insights for policymakers considering reform not just in Europe, but also in the United States, where Congress, the Federal Trade Commission, and the Obama administration have all expressed a willingness to reexamine deeply the current regulatory structure, and a desire for new models. And, more broadly, it underscores the importance of administrative agencies' choices about regulatory tools and approaches, relations with those that they regulate, and their own internal structures in shaping the mindset and behavior of the private firms they govern to maximize public values.