
Regulatory Responses

In the document Economic Analysis of International Law (pages 93-103)


C. Regulatory Responses

I. Concerns over Data Privacy

The above discussions on tracking technologies suggest that the use of tracking devices, in whichever form, is widespread and will continue to be so. This is partly because tracking is inevitable in order to maintain the current Internet infrastructure and ecosystem, which tend not to charge individual users for their use of e-mail, search, and other services. At the same time, general users show continuous concerns and anxieties over data privacy.16 If these concerns and anxieties are genuine, then policy measures would need to be taken in order to deal with the problem. To do so, however, it is necessary to investigate and identify what the problem is and what the sources of the problem are.

From the perspective of general users, information asymmetry and uncertainty are two of the main issues at work regarding the data privacy problem related to tracking. First, there is a serious information asymmetry between users and data controllers. Since intrusions on data privacy are usually invisible and ubiquitous, users may not know how their information is collected. More seriously, users also do not know, once information is collected, how the information will be analyzed and utilized. Further, users do not know how long the information will be stored and how it will be used not just in the primary market but also, if any, in the secondary market.

16 See, for example, Hoofnagle et al. (2010) for a survey result in the U.S.

Second, there is a great deal of uncertainty as to the usage of personal data and information. Users do not know and often cannot predict in any systematic way how their information will be used by data controllers. In fact, it may well be that data controllers are themselves in a difficult position to make a reasoned prediction. This is because data controllers may only have general ideas as to the future use of the information that they gather and they may engage in various phases of trial and error in data mining and analytics in order to extract useful information. Thus, there is always a possibility that the information could be used in a completely unexpected and unwanted manner.17 The problem could be exacerbated since data controllers, who often possess users’ information for an indefinite period of time, may periodically and repeatedly try to engage in analytics as technologies develop and new methodologies become available.

Overall, information asymmetry combined with uncertainty would conflate and exacerbate users’ concerns and anxieties, which could justify legal intervention on related issues.

II. Current Regulations

A significant number of countries and jurisdictions currently have laws on data privacy and, considering active legislative discussions taking place in many jurisdictions, the number is likely to increase continuously in the near future.18 Among these, jurisdictions with a relatively long history of legislation and rigorous enforcement experience include the E.U. and the U.S., in addition to certain individual countries in Europe. In Europe, individual countries began enacting laws as early as the 1970s,19 and the E.U. level directive on data protection, commonly called the Data Protection Directive, was announced in 1995.20

Outside the U.S. and Europe, activities in Asia Pacific are noteworthy. The APEC (Asia-Pacific Economic Cooperation) Privacy Framework was adopted in 2004, and subsequently a considerable number of countries in the region enacted or amended laws on data privacy. In Asia, however, laws were enacted only recently in many cases and the related enforcement experience is thus limited. Due to the lack of legislative and enforcement history, implications that can generally be drawn from the experience in Asia are limited as yet.21 Other than the countries and jurisdictions already mentioned, some countries in North America, South America, and Oceania are also relatively active, and all regions of the world now have at least one country with data privacy law. Brief discussion below on legal issues is mostly about the E.U. and the U.S., which have distinctive traditions and unique characteristics.

17 For instance, in Target’s case, noted above, while the retail chain realized the significant value of identifying pregnant women at an early stage, actually identifying them through predictive analytics took many phases of internal trial and error.

18 See Bygrave (2010); OECD (2011b).

19 For instance, at a local government level within a country, in Germany, the Hesse Parliament adopted the Data Protection Act in 1970 and, at a national level, Sweden enacted the Data Act in 1973. OECD (2011b), 8.

20 Directive 95/46/EC on the Protection of Individuals with Regards to the Processing of Personal Data and on the Free Movement of such Data.

1. The E.U.: Data Protection Directive and Other Directives

In the E.U., the European Commission is given a general mandate to regulate data privacy issues, while most of the relevant legislative and enforcement activities are carried out by authorities in individual countries. The E.U. adopted several directives on data privacy, and among these, the most significant is the Data Protection Directive of 1995. The Data Protection Directive has a binding effect on E.U. member states and also on certain non-member states that are parties to the Agreement on the European Economic Area (E.E.A.), with several qualifications. It provides a regulatory framework on the collection, processing, storage, and transfer of personal data. The Data Protection Directive has also exerted a considerable influence over third-party countries. This is not only due to its history of rigorous enforcement but also due to its extraterritorial effect. That is, under the Data Protection Directive, it is not allowed to transfer personal data to a third country unless such third country provides ‘adequate’ levels of data protection.22

While the Data Protection Directive serves as an overarching directive on general data privacy issues, there are other directives which deal with narrower, sector-specific issues. Regarding data privacy issues, certain directives on electronic communications are most relevant, including in particular the Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (the “e-Privacy Directive”).23 The e-Privacy Directive regulates data privacy on communication networks concerning, among others, confidentiality of communication, regulation of spam, use of cookies, and treatment of traffic data.

21 See Bygrave (2010), 199–200; Kuner (2011), 17.

22 E.U. Data Protection Directive, Articles 25–26.

23 This Directive was preceded by Directive 97/66/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Telecommunications Sector. The e-Privacy Directive was subsequently partly amended by Directive 2006/24/EC on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks and Amending Directive 2002/58/EC. The e-Privacy Directive was further partly amended by Directive 2009/136/EC amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws.

2. The U.S. Regulatory Framework

Contrary to the E.U., in the U.S., there is no uniform regulatory framework or omnibus legislation which comprehensively deals with data privacy issues. Instead, different industries or sectors are subject to different regulations and, as a general matter, online behavioural tracking is largely self-regulated. And, while the Federal Trade Commission (FTC) serves as a major regulator, it does not have a specified mandate on data privacy issues.24

Regarding the gathering of user information online, the FTC has so far mostly relied on a self-regulatory ‘notice and choice’ model. Under this model, companies are expected to provide a clear and detailed online privacy policy to users and ask them to make an informed choice.25 After the FTC made it clear that it would rely on a self-regulatory notice-and-choice model, several proposals for professional codes of conduct and online guidelines have been made by professional associations from advertising and other industries.26

III. Reform Proposals: the E.U. and the U.S.

Active discussions are currently taking place in the E.U., the U.S., and many parts of the world regarding data privacy issues. As part of these active discussions, competing reform proposals have been made by authorities in both the E.U. and the U.S. in early 2012.

24 The FTC’s mandate is based on a broad authority to regulate ‘unfair and deceptive trade practices’ that is granted to the FTC pursuant to Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a).

25 The E.U. also employs a model similar to a notice and choice model.

26 For instance, proposals were announced by, among others, Network Advertising Initiative (NAI), Interactive Advertising Bureau (IAB), and European Advertising Standards Alliance (EASA).

In the E.U., a major reform proposal was announced in January 2012 by the European Commission.27 Through this proposed reform, the European Commission is seeking to overhaul the existing regulatory framework. In order to do so, it recommends establishing a new European Data Protection Board, which would oversee the overall data privacy issues in the E.U. At the same time, the reform proposal proposes reinforcing protective measures by granting users such rights as the right to be forgotten, the right to access users’ own data, and the right to data portability. Also, data controllers would have to comply with strengthened regulatory measures including a duty to report a breach within 24 hours.

By contrast, in the U.S., while various reports were issued and reform measures have been proposed, a sector-specific and self-regulatory approach is still the prevailing norm. Significantly among the reform efforts, in February 2012, the White House announced a reform proposal.28 While the White House report generally maintained the existing policy stance of the U.S. government, the report was noted for proposing what is called the ‘Consumer Privacy Bill of Rights’, which proclaimed basic principles of better consumer control of data, increased transparency, secure and accountable handling of data, and flexibility.

Separately, the FTC also released a report with a reform proposal in March 2012 after a long period of study on privacy issues and after releasing a preliminary report in December 2010.29 The FTC placed an emphasis on such concepts as privacy by design, simplified choice, and increased transparency. It maintained its general support for industry-led efforts, including the development and implementation of the ‘Do-Not-Track’ (DNT) mechanism.30 At the same time, recognizing the limits of self-regulation, it made an arduous effort arguing for the legislation of a baseline privacy law.

27 See the European Commission press release entitled ‘Commission proposes a comprehensive reform of data protection rules to increase users’ control of their data and to cut costs for businesses’ (January 25, 2012) and other related materials available at http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm.

28 See White House, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (February 2012).

29 See Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (March 2012).

30 The Do-Not-Track mechanism is a mechanism that is proposed to protect users’ right to choose whether to allow tracking by websites. There is no consensus yet as to what this mechanism precisely means in practicality or how this mechanism could be implemented. See Tene and Polonetsky (2012), 320–27, for discussions on this mechanism.

D. International Harmonization

I. Divergent Interests

Brief discussions on legislative and reform activities in various jurisdictions above, most notably in the E.U. and the U.S., indicate that there are divergent regulatory approaches currently under way. There are also possibilities of overlapping and conflicting jurisdictions. Thus, from companies’ perspectives, doing business in multiple jurisdictions means being subject to multiple and possibly conflicting laws and regulations in different jurisdictions. Regulation by individual authorities in different jurisdictions could also be problematic from a global welfare point of view in part because, in their assessments of regulatory impact, they would not normally consider ramifications of their decisions that would fall outside their jurisdictional boundaries. This is, in a nutshell, a failure to internalize all relevant costs and benefits in the regulatory decision-making process. This failure to internalize would be particularly problematic for many technology companies because their businesses often show network externalities and their business models are developed to make use of resources at multiple locations for the efficient and effective provision of data processing and computation services.

From the perspective of individual regulators, however, it is inevitable and indeed only natural that they do not consider all international effects since doing so is normally not part of their mandates. Below, we try to delineate the problem arising from this failure to internalize through a simple analytic framework.31 For expositional simplicity, it is assumed that individual regulators do not consider costs and benefits outside their jurisdictions.

When policymakers and regulators consider specific rules to regulate data privacy, they would weigh the merits of such rules against potential costs. Merits would mostly come from enhanced protection of data privacy of data subjects in their jurisdictions, and related costs would include lost opportunities for the provision of innovative and efficient services. For instance, while imposing restrictions on companies’ capability to use cookies to track Internet users would give rise to a certain level of psychological and other comforts to Internet users, it would at the same time reduce companies’ capability to analyze users’ behaviour and to provide useful services tailored to users’ needs. Regulators would then try to find a balance and allow only those activities which show net benefits. Thus, if there is a hypothetical global regulator, such a regulator would weigh the expected ramifications to all companies (data controllers) and also to all users (data subjects) in making its decisions.32

31 What appears below in this section is an extension from a standard international economic theory. In particular, Guzman (1998), albeit on antitrust issues, provides a useful framework, which is employed in this section as well.

Now, in order to see how fragmented regulation by individual regulators can distort policy decisions, consider countries with different economic structures. First, suppose a case where a country (Country 1) has multiple technology companies which generate most of their revenues from their international operations. If these companies engage in activities that can be considered harmful to general users, most of the harm would fall on users located in foreign countries, while these companies would reap most of the associated benefits. And, in this context, domestic regulators, having only to look to domestic costs and benefits when making a policy assessment, would thus ignore the interests of foreign users and would show favourable attitude towards the interests of companies over the interests of users.33

On the other hand, if a country (Country 2) does not have many domestic technology companies and instead users employ services provided by mostly foreign companies, such importation of services could generate analogous but opposite distortions. That is, domestic regulators would make an assessment based on domestic costs and benefits, thus ignoring much of companies’ interests as a whole. The result would be favourable attitude towards the interests of users over the interests of companies.34

32 An implicit assumption in the argument here is that, in making decisions, regulators consider benefits to the companies (in the form of producer surplus) and to the general users (in the form of consumer surplus) only. Other possible policy objectives are not considered. An implication that will be drawn is that, even if regulators across different jurisdictions pursue common policy objectives, their decisions will vary and could be sub-optimal. In arithmetic form, if we use the notations of ‘PS’ for the expected producer surplus and ‘CS’ for the expected consumer surplus, regulators will allow companies’ activities if and only if ∆PS + ∆CS > 0. This would be, in economics terms, the decision of the ‘social planner’.

33 This is based on the assumption that regulators cannot impose different regulations depending on whether a company is domestic or foreign based. About the situation described in the text, in an extreme case, if the impact on domestic consumers is negligible and thus can be ignored by the regulator, companies’ activities will be allowed in this country if and only if ∆PS1 > 0, where PS1 is the expected producer surplus in Country 1. Now suppose that a situation arises where ∆PS1 > 0 and ∆PS + ∆CS < 0. That would be a situation where proposed business activities will enhance the producer surplus in Country 1 but, at the same time, reduce the overall producer surplus and consumer surplus globally. While the regulator in this country would allow these activities, the (global) social planner would not.

34 In an extreme case, if the companies’ interest can be ignored in making policy decisions, companies’ activities will be allowed if and only if ∆CS2 > 0, where CS2 is the expected consumer surplus in Country 2. If a situation arises such that ∆CS2 < 0 and ∆PS + ∆CS > 0, then a proposed activity will not be permitted even if it would generate overall net benefits on a global level.

More generally, assume that the companies in a country (Country 3) account for α percent of the global market and for α percent of the global producer surplus. At the same time, suppose that the same country’s users account for β percent of the relevant global market and the same β percent of the global consumer surplus. Then, the regulator in that country will naturally consider the impact on the α percent of the global producer surplus and β percent of the global consumer surplus when it contemplates introducing new regulations or revising existing regulations. The net impact of a country’s regulation will then depend on the country’s share in the global provision of services and the country’s share in the global consumption.35 If the country is a net exporter (i.e., α > β), then the country’s regulator would give a relatively high weight on the impact on producer surplus in devising regulatory measures.36 This would mean that, compared to a closed-economy situation, the country’s regulator would give a favourable consideration to the interests of its companies. If the country is a net importer (i.e., α < β), on the other hand, the opposite will be true. Thus, in that case, relatively stricter rules on data privacy against companies’ interests will be applied compared to the closed-economy situation.

This simple exposition illustrates how policymaking would be different if we consider the open-ended and inter-connected nature of the Internet. Compared to the closed-economy case, a rational regulator’s decision-making would take into account only a part of the interests of all stakeholders, while the resulting regulatory measures would show an extraterritorial effect. Both the regulator in a net exporter country and the regulator in a net importer country would have biased assessment criteria and fail to consider the impact of their decisions on third country data controllers and
