Options for Cooperation and Harmonization

While the externality argument provides a strong and clear case for inter-national harmonization, in reality, it is hard to witness a palpable sign of major progress on international harmonization. This suggests that there may be serious impediments to international harmonization, other than different economic structures and different assessment criteria applied in different jurisdictions, as discussed above. Among these impediments, dif-ferent policy goals pursued in difdif-ferent jurisdictions may be a particularly important factor.

The differences in policy goals would reflect different legal and cultural traditions as well as different policy priorities in different jurisdictions.

When it comes to the differences between the E.U. and the U.S., one of the most commonly observed differences lies in defining and understanding the concept of data protection and privacy itself. While privacy is often explained as liberty in the U.S., dignity of individuals is considered a key underlying attribute in the E.U. when considering data protection.⁴³ Thus,

42 Further, as noted above, since net exporting countries tend to have lenient rules, while net importing countries stringent rules, there will be difficulties when these differ-ent types of countries negotiate in order to achieve international harmonization. This is because a harmonised rule may well mean a less stringent rule compared to the then de facto prevailing rule, which net exporting countries would prefer and which net import-ing countries would not. On the other hand, in the absence of international harmonization, stringent rules would prevail.

43 See Whitman (2004).

different from the U.S., data protection is perceived to constitute a funda-mental human right in the E.U. There may also be other notable differ-ences between the E.U. and the U.S. (and among different jurisdictions).⁴⁴ These differences would include different attitudes toward market’s self-correction capabilities, which can be summarized as the emphasis on regu-lation and paternalism, as opposed to the emphasis on self-reguregu-lation, in-novation, and entrepreneurship. With this backdrop, we now consider what kind of international cooperation and harmonization would be possible.

On a broad conceptual level, there could be three categories of interna-tional cooperation and harmonization that can be considered. First is gen-erally about soft law aspects such as sharing information and establishing international guidelines. The second category is on procedural aspects and would include international cooperation establishing choice of law rules and coordinating on the enforcement front. And, the third category would encompass various efforts to build substantive rules with binding effects.

Effective regulation of data privacy issues on a global level will after all require serious efforts for harmonization of substantive rules, although harmonization of substantive rules could be a cumbersome process. It should be noted that, while these categories can be distinguished conceptu-ally and may serve useful analytic purposes, their boundaries may not be clear and that there would be overlaps among different categories.

I. ‘Soft’ Cooperation

With the continuing increase in international data flows, individual domes-tic regulators are pressured to adopt measures for international cooperation for practical reasons. At a minimum, without establishing a mechanism to share information among regulators, it could sometimes be difficult to build the requisite know-how and skills for effective regulatory enforce-ment and investigation. Sharing information in this context does not have to be specifically about on-going cases or investigations. Instead, sharing of non-case specific information such as sharing information on technical expertise and investigative methods would be helpful for many regulators.

In the Internet arena, in particular, once a service becomes available in a jurisdiction, such a service often becomes available in many other jurisdic-tions as well, using the same or similar technologies and invoking similar data privacy issues across various jurisdictions. This implies that once a legal problem on data privacy arises in a jurisdiction, similar legal prob-lems may well arise in other jurisdictions in due course. For instance, legal

44 For an example of a regulatory paradigm that appears to be at least partially outside the paradigms dominated by the perspectives from Europe and the U.S., see Chesterman (2012), which discusses the experience of Singapore.

issues surrounding Google’s Street View project would be a case in point, as we witness similar legal issues developing in multiple jurisdictions re-garding similar factual and technological issues.⁴⁵

A serious limitation of soft cooperation in general is that cooperation typically takes place on a voluntary basis and that the level of cooperation could vary depending on the participants’ good-will and self-interest. Also, no penalties can usually be imposed for a breach of duties, other than the harm on the breaching party’s reputation. Nonetheless, soft cooperation could make a significant contribution under certain circumstances, enhanc-ing common understandenhanc-ing of relevant issues and providenhanc-ing a shared or standardized regulatory platform. In that respect, two specific areas for collaborative efforts are worth mentioning. One is about exerting collective research efforts in order to better understand in a systematic way the deci-sion-making process of individuals in choosing to hide or divulge their personal information. The other area is regarding enhancing the collective understanding about companies’ behaviour, that is, as to how companies gather information from individuals, what the specific substance and na-ture of the collected information is, and how the companies analyze and use the information.

First, one area which collective research efforts could yield useful re-sults is the one concerning individuals’ choices whether to divulge or withdraw personal information. In particular, it has been reported that in-dividuals’ choices on data privacy may not be rational at all times and that instead individuals’ choices are context-dependent. That is, individuals tend to make different decisions, depending on the context under which data privacy issues are presented and on various other factors. These fac-tors include: whether the personal information at issue is presented in a

45 Google Street View is a feature available for Google Map and other Google prod-ucts, which provides panoramic photo images of streets. Data privacy issues were raised mainly on two fronts: first, about the process of taking the photographs and about using the photographs themselves and, second and more recently, about collecting and storing what is called payload data while taking these photographs. These data privacy issues were raised by regulators in several counties, although factual and technological circum-stances were generally similar. The U.S. Federal Communications Commission (FCC) issued a report in April 2012 about Google’s conduct in relation to the collection of pay-load data and also in relation to FCC’s investigation of the related data privacy issues.

See Federal Communications Commission, Notice of Apparent Liability for Forfeiture, In the Matter of Google Inc. (April 13, 2012). Issuance of the FCC report prompted renewed interests about the case among certain third country regulators. See D. Streitfeld and K.J.

O’Brien, ‘Google Privacy Inquiries Get Little Cooperation’, New York Times (May 22, 2012); K.J. O’Brien, ‘European Regulators May Reopen Street View Inquires’, New York Times (May 2, 2012); E. Wyatt, ‘Denials Over Google Street View’, New York Times (June 12, 2012). It is, however, unclear if regulators in these jurisdictions have any formal mechanism to share information on this case or any other specific cases.

loss frame or a gain frame; ⁴⁶ whether the website looks professional or unprofessional;⁴⁷ whether and how confidentiality assurance is presented;⁴⁸ how reasons for obtaining personal information are presented; and the or-der that the requests for information is presented.

In addition to these, there is also a phenomenon called the paradox of control. It refers to the phenomenon which shows that the perception of more user control over disclosure of private information increases revela-tion, while the perception of less control reduces revelation.⁴⁹ Further, there is a problem called privacy paradox, which is about the discrepancy between individuals’ professed preferences and values and their actual decision-making regarding data privacy.⁵⁰ Thus, while individuals say that they want privacy, they may not want to pay to protect their privacy and may even be willing to disclose sensitive personal information for a very small reward.

Overall, what is summarized above about the behaviour of users is cur-rently an active area of research, and efforts are being made in order to understand the actual behaviour of users in a systematic manner. Thus, while this line of research has shed an invaluable light in advancing our understanding of individuals’ privacy choices, no general conclusions on related issues have been reached. At the same time, problems arise because regulators are forced to make rules and pronounce guidelines regardless of whether they have sufficient information and systematic understanding on individuals’ decision-making processes. For instance, a notice and choice regime may have been employed in many jurisdictions without a concrete understanding on the effectiveness of such a regime or without analyzing sufficiently as to how to make it more effective.⁵¹

Second, the level of the current understanding about the way companies collect personal information and analyze the collected information is very limited, and there is a need to enhance collective understanding in this area.

This is related to the recognition that one of the most difficult problems in

46 See Acquisti et al. (2010).

47 See John et al. (2011).

48 Ibid.

49 See Tucker (2011); Brandimarte et al. (2010).

50 See, for instance, Acquisti and Grossklags (2005).

51 For an example of a critical account in this regard, see Barocas and Nissenbaum (2009). This implies that the notice and consent regime, which is used in many jurisdic-tions, may have serious limitations. First of all, not many users read notice. Second, even if efforts are made to enhance readability, such efforts may not be successful in increas-ing the instances of genuine informed consents. For instance, while a notice can be given prominence, prominence itself could have little effect on readership. Further, even those who read notice may well consent regardless of the substance or one-sidedness. Marotta-Wurgler (2012) provides interesting insights on these issues in the context of executing software license agreement.

assessing current regulatory frameworks and reform proposals lies in the fact that there is a general lack of knowledge regarding how personal formation is collected and used. Psychological and subjective costs of in-formation disclosure would mainly arise due to users’ anxiety over the possibility of embarrassing disclosure or unanticipated use of their infor-mation and also due to the concern coming from the perception that they are being observed and analyzed. In this context, current reform proposals will not be much helpful in alleviating users’ concerns. Efforts for fact-gathering should be done first prior to putting forth serious reform pro-posals. Specifically, there is a need to gather facts as to the life-cycle of the user information.

While underlying studies in this context would need to be conducted through individual research efforts, their results should be discussed and shared among various stakeholders. This undertaking – discussing and sharing – is crucial considering its policy ramifications at an international level, and efforts made in this context could signal the embarkation of a major step toward international cooperation and harmonization. This could also entail discussions of certain key terms and concepts that often appear in data privacy laws (sometimes with variations) such as ‘personal data’

and ‘data controller’. Discussions in this context could eventually lead to a uniform and harmonized understanding of these terms and concepts across jurisdictions and, that way, common understanding and common platform could be established. In all, the final results of these studies and other soft cooperation could be influential. For instance, the OECD Privacy Guide-lines on the Protection of Privacy and Transborder Flows of Personal Data of 1980, although not legally binding, has served as a model for legisla-tions in many countries and still remains highly influential.

II. Procedural Cooperation

While information sharing and other soft cooperation has its own merits, it also has clear limitations, including the lack of binding effect and enforce-ability. A step further in the direction of tightening cooperation would be to establish rules for choice-of-law decisions and for enforcement coopera-tion.⁵² First of all, facilitating international cooperation at the enforcement level would have obvious benefits since many of the business activities with data privacy implications easily cross jurisdictional boundaries and

52 In a related context, Kuner notes an increasing tension between the geography-cased regulatory approach and the organisationally-based regulatory approach. Kuner (2011), 20–21.

cooperation among enforcement authorities could often be tremendously helpful or even be required for the effective enforcement of laws.⁵³

This has indeed been an area with relatively active discussions. For in-stance, there are repeated calls made for international cooperation at the annual International Conferences of Data Protection and Privacy Commis-sioners, and often these calls are focused on enforcement issues.⁵⁴ Organi-sation for Economic Co-operation and Development (OECD), which has led early efforts on data privacy issues and is continuing to lead related discussions, is also actively promoting cooperation on enforcement.⁵⁵

About choice-of-law issues, adopting coherent and standard rules would enhance efficiency by reducing incidences of conflicting, overlapping, or sometimes confusing jurisdictions and by reducing conflicts over govern-ing-law decisions.⁵⁶ This will in turn enhance clarity and transparency about jurisdiction and applicable law, and thus raise predictability of legal ramifications of various activities which have data privacy connotations.⁵⁷

53 There is a duty to cooperate within the E.U., although how cooperation is conduct-ed in practice is unclear. ‘The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.’ E.U. Data Protection Directive, Article 28(6).

54 As an example, after the 2011 International Conferences of Data Protection and Privacy Commissioners, which was held in Mexico, a working group was formed in order to discuss possibilities for enforcement cooperation. See S. Paluck-Bastien, ‘Think local-ly, act globally: Data protection authorities from around the globe meet in Montreal to discuss enforcement co-operation’, The Privacy Advisor (May 24, 2012), available at https://www.privacyassociation.org/publications/2012_05_24_think_locally_act_globally.

55 The OECD Council adopted a formal recommendation in 2007, calling for interna-tional enforcement cooperation. See OECD (2007). Subsequently, the OECD published a report on the implementation of the 2007 recommendation. The report provides detailed information regarding what has been accomplished during the previous several years such as building a website, establishing national contact points and networks, and devel-oping a form for assistance request. However, the report admits that, about handling specific cases, cross-border cooperation appears to be more the exception than the rule.

See OECD (2011a).

56 Rules on applicable law and jurisdiction about data privacy issues are ‘notoriously unclear’. Kuner (2011), 25. Further, the problem can become even murkier since “[s]tates seem more concerned about protecting their citizens, residents and companies against improper data processing carried out abroad than about avoiding jurisdictional conflicts with other States”. Kuner (2010), 246.

57 For instance, in the E.U., a Member State law would be applied to a data controller not established in the E.U., if such data controller makes use of the ‘equipment’ located in the Member State in order to process personal data. E.U. Data Protection Directive, Article 4(1)(c). There are debates as to whether this provision grants an exorbitant juris-diction to an E.U. Member State and also as to what this provision, including the word equipment, means precisely. See Kuner (2010), 228–229; 239–240. Also, the influential Article 29 Working Group, composed of members from national data protection authori-ties in the E.U. established pursuant to Article 29 of the Data Protection Directive, is of the opinion that a Member State law would be applicable if data processing took place based on the information gathered through cookies sent from a non-Member State to

Establishing these rules, however, does not mean that, once relevant rules are adopted, there would no longer be over-regulation or under-regulation.

Also, in reality, assigning jurisdiction to a single state would simply not be feasible, unless a consensus is reached over other related issues, including applicable substantive and procedural laws.

On the other hand, for regulators in small open economies, achieving in-ternational cooperation on procedural issues could enhance their capability to enforce laws and could give better opportunities for them to bring cases.

This is so because, with international procedural cooperation, obtaining evidence and other useful information could become easier for these regu-lators. Also, large international companies may become less inclined to ignore regulators in smaller jurisdiction in light of the cross-jurisdictional ramifications of an enforcement case.

International cooperation on a procedural level, however, would inevi-tably have limitations. With procedural cooperation, laws will be better enforced and there will be savings in the enforcement costs. However, the inherent problem of the failure to internalize, discussed above, will not be cured.

III. Substantive Harmonization

Given the desirability of international harmonization and the limits of weaker level cooperation, it would only be natural to consider harmoniza-tion at a more substantive level. Substantive level cooperaharmoniza-tion is indeed what would be required in order to eliminate the externality problem aris-ing from fragmented legal regimes. That way, different interests among different regulators and the resulting different considerations will be han-dled adequately and the failure to internalize will be prevented. Also, through substantive cooperation, existing problems arising from the lack of legislation or from inadequate legislation could be cured, while the prob-lem of overlapping jurisdictions could be avoided at the same time.

In this context, we consider possible options for substantive cooperation.

In broad terms, possible regulatory instruments can be grouped into two categories, that is, first, measures to reach a multilateral consensus and to prepare an international convention involving many countries and, second, measures to harmonize domestic laws and regulations themselves.

First, reaching an agreement through an international convention would bring in a great degree of harmonization. This is simply because adopting an international convention would mean that the same legal principles will

computers in Member States. Article 29 Working Party, ‘Privacy on the Internet: A Comprehensive EU Approach to Online Data Protection’ (WP 37, November 21, 2000).

be applied across all signatory states. However, even among international conventions, there are many possibilities in terms of the degree of enforce-ability and binding effect. For instance, Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Per-sonal Data of 1981 (“Council of Europe Convention 108”), which is one of the few and earliest international conventions on data privacy, explicitly permits derogations and does not have a strong binding effect.⁵⁸

One major difficulty with the efforts to adopt an international conven-tion is that it usually takes a long period of time to reach a consensus, if a consensus can be reached at all. At the same time, once an international convention is adopted, it is difficult to make an amendment. Difficulty of making a timely amendment could be especially problematic considering the current pace of technological changes related to data privacy.

There have been some suggestions calling for the adoption of an

There have been some suggestions calling for the adoption of an