The Law and Policy of Online Privacy: Regulation, Self-regulation, or Co-regulation?

Publication year: 2010
Citation: Vol. 34 No. 02

UNIVERSITY OF PUGET SOUND LAW REVIEW, Volume 34, No. 2, WINTER 2011

The Law and Policy of Online Privacy: Regulation, Self-Regulation, or Co-Regulation?

Dennis D. Hirsch(fn*)

I. Introduction

The rise of the Internet poses profound new challenges for information privacy.(fn1) Companies such as Google save and store our every search query and can often trace them back to us as individuals.(fn2) Websites track how we use their sites and frequently share this information with others.(fn3) Internet service providers (ISPs) have begun to examine the packets of information by which we communicate with the Internet and to search them for data that will reveal our preferences and behaviors.(fn4) These companies do not engage in these activities because they dislike privacy. They do it because personal information, which can be used for marketing and many other purposes, has economic value. As a result, the Internet has become Janus-faced.(fn5) On one hand, it appears to offer great freedom and anonymity. On the other, it ferrets out and stores everything from our most banal behaviors to our deepest secrets.(fn6) This not only damages individual privacy; it also erodes people's trust in the online environment and threatens to undermine the continued growth of the Internet economy.(fn7) If the United States is to continue to be a society in which personal privacy and the Internet economy flourish together, then it is vital that we find an effective way to protect personal information on the Internet.(fn8)

Two main camps currently dominate the discussion as to how to protect personal privacy on the Internet. The first calls for government regulation.(fn9) It seeks legislation that would set strict limits on how companies collect data online, what types of personal information they can collect, and how they can use it.(fn10) Proponents of this approach maintain that strong government regulation is necessary to protect unsuspecting Internet users from the self-interested behavior of Internet-based companies.(fn11) The second camp, which has thus far won the day, resists government intrusion in the fragile and fast-moving Internet economy and argues that market and industry self-regulation will yield better results than government rules.(fn12) It maintains that Internet businesses already have a market incentive to protect user privacy to avoid losing customers.(fn13) Government regulation is unnecessary and could prove counter-productive.(fn14)

This Article has two main purposes. First, it shows that critics of both the government regulation and the market/self-regulation approaches have raised important concerns about these proposed solutions. There are important reasons to question whether either of these approaches can effectively address the Internet privacy problem. Second, it argues that policy makers and scholars should explore an alternative approach known as "co-regulation." Co-regulation encompasses initiatives in which government and industry share responsibility for drafting and enforcing regulatory standards.(fn15) It is neither pure government regulation, nor pure industry self-regulation, but rather a hybrid of the two. Co-regulation is not a new phenomenon and can be found at various places in the regulatory landscape.(fn16) The question is: Can co-regulation provide a useful alternative strategy for protecting online privacy?

There are reasons to believe that it might. Proponents of co-regulation claim that it provides the flexibility of self-regulation(fn17) while adding the supervision and rigor of government rules.(fn18) They see co-regulation as the best of both worlds: an enforceable, rigorous approach that can protect individual privacy while also keeping up with, and meeting the needs of, the growing Internet economy.(fn19) But co-regulation, too, has its critics. These commentators assert that co-regulation lacks transparency and accountability as compared to traditional notice-and-comment rulemaking.(fn20) They warn that the backroom discussions in which government and industry negotiate regulatory compliance and "share" rulemaking and enforcement responsibilities will often result in deals that favor industry and sell short the public interest.(fn21) Some fear that industry will take advantage of co-regulatory processes to "capture" the agency and co-opt it to industry's point of view.(fn22) It is too early to tell whether the proponents or the critics have it right. Before making such an assessment, we need to study co-regulation and evaluate how it might function as a means of protecting personal information.(fn23)

An excellent opportunity to do this analysis recently arose. The European Union's 1995 Data Protection Directive allows E.U. member nations to experiment with a co-regulatory approach to the protection of personal data.(fn24) During the past decade, many of these nations have implemented such a program.(fn25) This experience can tell us a great deal about how collaborative governance might work in the realm of Internet privacy.

Under the European co-regulatory approach, each member nation passes a comprehensive data protection statute.(fn26) The nation then invites representatives from a given regulated sector to draft a "code of conduct" for the industry that embodies the statutory requirements.(fn27) If the regulatory authority agrees that the code of conduct meets the terms of the statute and approves it, then compliance with the code constitutes compliance with the statute.(fn28) From that point on, firms can follow a set of rules that their own peers have drafted (subject to government review and approval) and, in so doing, comply with the law. The European model is not self-regulation since the government retains an important role in reviewing, approving, and enforcing the proposed codes of conduct. But neither is it pure government regulation since the industry associations, not the regulators, draft the detailed rules and standards that will govern their members. Instead, it is a form of "co-regulation"(fn29) in that government and industry share responsibility for drafting and enforcing regulatory standards.(fn30)

How have the European member states gone about implementing this approach? What do the statutes that embody it look like? Have the national programs been a success? Does the European experiment provide support for the proponents of co-regulation? Or does it validate the concerns of the critics? These important questions have received surprisingly little attention in U.S. scholarly literature, and almost none in U.S. law reviews. This Article begins to explore the topic. Focusing on the legal dimension of the E.U. initiative, it examines the provisions of the European Union's 1995 Data Protection Directive that allow member nations to engage in co-regulation.(fn31) It then provides the first comprehensive analysis in a U.S. law review of the national laws that have implemented this co-regulatory approach.(fn32) It compares these laws to one another, develops an original way of categorizing and understanding them, and draws lessons about the design of legislation to support co-regulation of online privacy.

The Article is structured as follows: Part II shows that the Internet generates serious new threats to individual privacy. Part III describes in more detail the arguments that critics have leveled against the government regulation and the market/self-regulation approaches and evaluates what experience has to tell us about these models. Part III also provides an introduction to co-regulation and surveys the theoretical literature regarding the strengths and weaknesses of this collaborative approach. Part IV turns to the European experiment with data protection codes of conduct. It analyzes the E.U. and national laws that authorize this initiative. The Article closes in Part V with suggestions for further research about this important area of privacy law and policy.

II. Online Threats to Information Privacy

One of the most profound changes in American society in recent decades has been the emergence and exponential growth of the Internet and e-commerce.(fn33) This change has produced many benefits. But it has also led to an unprecedented increase in the collection, aggregation, and use of personal information, creating new and profound challenges to information privacy.(fn34) This Part will describe how Internet businesses collect our personal information online and how they use this information.

A. How Internet Businesses Collect Personal Information Online

1. Search Engines

Most users of the Internet begin by accessing a search engine(fn35) and entering a search query. The collection of the user's personal information begins here. Search engines collect and store every query that users make.(fn36) In most cases, they are able to link these queries both to the computer on which they were entered(fn37) and to the user's individual identity.(fn38) Search queries are often fairly innocuous, but they can also be highly personal. In 2006, AOL posted on its website a database of 20 million search queries entered by 657,000 users over a three-month period.(fn39) Among the searches were queries for "60 single men," "foods to avoid when breast feeding," "depression and medical leave," "fear that spouse contemplating cheating," and many thousands of queries related to sex and sexuality.(fn40) These queries were not atypical. Many users turn to the Internet for...
