Data Protection and Privacy Law

Where Regulators Are King?


Neal Cohen

This essay first appeared in the Internet Monitor project’s second annual report, Internet Monitor 2014: Reflections on the Digital World. The report, published by the Berkman Center for Internet & Society, is a collection of roughly three dozen short contributions that highlight and discuss some of the most compelling events and trends in the digitally networked environment over the past year.

Across the world, data protection and privacy law is in a phase of rapid growth. As we move closer to the Internet of things, living in a world of wearable tech, smart homes, and smart cities, where every device is potentially personal and at the same time universal, society must decide on what rules should govern this world. What information should be considered personal data? What requirements should be in place regarding the collection, use, and sharing of personal data, and what activities should be prohibited? What does it mean for an individual to express consent, and when is affirmative or explicit consent required? The answers to these questions shape the world in which we live.

As data protection and privacy law is still very much in its infancy, the aforementioned questions pose challenges for companies and regulators alike. Both companies and regulators need binding law to guide their actions — law that reflects the will of society. Companies need to know what data processing activities are lawful, and regulators need to know when enforcement is appropriate.

At present, much of the world is going through legislative reform with regard to data protection and privacy law in an effort to help address those questions.[i] However, in the absence of clear legislation or court decisions, regulators frequently publish non-binding guidance to fill the gap. This non-binding guidance is needed and useful for informing companies how regulators are going to enforce the law, but it is often broad and, sometimes, beyond the scope of the law. Unless companies are willing to challenge such guidance and subsequent regulator enforcement in court, non-binding guidance is frequently treated as de facto law.

In Europe, non-binding guidance most often comes from the European Commission’s Article 29 Working Party[ii] and various Member State data protection authorities.[iii] In recent years, these institutions have provided guidance on what information constitutes personal data,[iv] what constitutes effective consent,[v] when consent is and is not required,[vi] and many other similar topics. With few clarifying court decisions, these guidance documents have been treated as de facto law, as limited alternatives exist.

In the US, the Federal Trade Commission (FTC) has engaged in de facto regulation on the basis of a general prohibition against unfair and deceptive trade practices[vii] — an activity that is currently being tested by the courts.[viii] Through workshops,[ix] non-binding guidance,[x] and, most effectively, private settlements with companies following formal complaints,[xi] the FTC has established de facto requirements without promulgating privacy rules pursuant to the Administrative Procedures Act[xii] and without much legal precedent to support its interpretations.

Where no sufficiently clear law exists or where such law does exist but is silent on vital nuance, is it right for a regulator to step into the shoes of a legislature or court by providing non-binding guidance on how personal data should be regulated, and more importantly, guidance on how we communicate with one another in an interconnected world? Surely this guidance is helpful, but in the absence of binding law, at what point does non-binding guidance become the law?

Read more in the Berkman Center’s Internet Monitor 2014: Reflections on the Digital World.

[i] In the last few years alone, new laws have been introduced in Singapore, Uruguay, South Korea, Mexico, Malaysia and many others, and reform is ongoing across Europe, South Africa, and the United States.

[ii] The Article 29 Working Party is composed of representative members of all Member State data protection regulators in the EU; see European Commission’s Article 29 Working Party Opinions, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm.

[iii] See European Commission: National Data Protection Authorities, http://ec.europa.eu/justice/data-protection/bodies/authorities/eu/index_en.htm.

[iv] See Article 29 Working Party Opinion 216 on Anonymisation Techniques, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf.

[v] See Article 29 Working Party Opinion 187 on the Definition of Consent, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2011/wp187_en.pdf.

[vi] See Article 29 Working Party Opinion 217 on the Notion of Legitimate Interests of the Data Controller under Article 7 of Directive 95/46/EC, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf.

[vii] See Section 5 of the Federal Trade Communications Act, 15 U.S.C. §45, http://www.law.cornell.edu/uscode/text/15/45.

[viii] See FTC v. Wyndham Worldwide Corp., 2014 BL 94785, D.N.J., No. 2:13-cv-01887, 4/7/14, http://epic.org/privacy/big-data/ftc-v-wyndham-opinion.pdf; see also Bloomberg BNA: 3rd Circuit to Wade Into Wyndham-FTC Fight; First Appeals Court to Rule on FTC, available at http://www.bna.com/3rd-circuit-wade-n17179893179/.

[ix] See Federal Trade Commission: Events for a list of past and upcoming workshops and events, http://www.ftc.gov/news-events/events-calendar/all.

[x] See Federal Trade Commission: Bureau of Consumer Protection, Business Center for access to FTC guidance documents, http://www.business.ftc.gov/.

[xi] See Federal Trade Commission: Enforcing Privacy Promises for a detailed list of past settlements, http://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/enforcing-privacy-promises.

[xii] See Administrative Procedures Act, 5 U.S.C. §553, http://www.law.cornell.edu/uscode/text/5/553.

Internet Monitor
Internet Monitor 2014: Data and Privacy
