Cost of Privacy

Prof. Lucas Bergkamp

Center for Information Policy Leadership @ Hunton & Williams (www.hunton.com)

Erasmus University Rotterdam

ERIM/PRIME Privacy for Business Workshop

The Airlines Sector

Rotterdam, 17 December 2004

Roadmap

• Regulatory Models for Privacy (data protection)

• Key Elements and Foundations of EU Data Protection Law

• Adverse Effects, Paradoxes, Costs

• Data and Security (Passenger Data)

Part I

Regulatory Models for Privacy

Public and Private Privacy Law

Public Law

• tends to be ex ante

• government-citizen

• no or limited individual tailoring; "government knows best"

• enforceable irrespective of individual interest or harm

• criminal or administrative sanctions

Private Law

• chiefly ex post

• citizen-citizen

• individual tailoring possible; "individual knows best"

• enforceable if individual interest is affected

• injunction (in some instances) or damages

Why is data protection law public law, rather than private law?

If harm to privacy is subjective, private law would be preferable

Privacy Regulatory Models

• Government control over data flows and uses

– current EU model

– rules can always be enforced

– high level of protection, inflexible, expensive

• Property right in personal data

– enforcement only at request of affected individual

– transfer by consent, and under agreed conditions (e.g. as to use)

– medium level of protection, flexible, expensive (due to consents)

Privacy Regulatory Models

• No personal property right in data

– anyone may collect and use data for any purpose

– individual may refuse or provide data under conditions

– low level of protection, flexible, inexpensive

• What is the right mix of regulatory models?

– expensive government control model only if justified by high objective risk

– property right model only where no-property right is inappropriate

– no personal property right is default model

Privacy from Economic Perspective

• Production model is capitalist system

• Regulated market economy

• Regulation, i.e. government intervention, is justified in two situations:

– to impose external cost on responsible person

– to provide "public goods" (non-rivalry, non-excludability)

• Lack of data protection does not result in external cost

• Is privacy a public good?

– there is both rivalry and excludability

How can privacy regulation be justified?

Privacy Demand and Need for Protection in Information Society

[Figure: chart with axes labelled P and €, ticks from 0 to 90, showing three curves: demand for privacy as function of wealth, need for protection as function of wealth, and level of privacy imposed by law. Regions of the chart are marked 1, 2 and 3.]

Three observations:

Privacy law delivers where there is no privacy demand (1)

Privacy law delivers where there is no need for protection (2)

Privacy law delivers where there is neither (3)

Part II

Key Elements and Foundations of EU Data Protection Law

EU Data Protection Law

• Directive 95/46 on the protection of individuals with regard to processing of personal data

• Directive [___] concerning the processing of personal data and the protection of privacy in the electronic communications sector

• E-Commerce Directive

– refers to Data Protection Directive

• Miscellaneous other instruments

Key Provisions of EU Data Protection Law

• General prohibition on collection and processing of personal data

– subject to limited exceptions

– burden of proof is on data controller

• Where permitted, data processing is restricted (necessary, fair, purpose limitation, etc.)

• Special regime for sensitive data

• Transfers to non-EU jurisdictions are subject to specific transfer regimes

Key Provisions of EU Data Protection Law

• Rights of data subjects and corresponding obligations of data controllers (notice, choice, access, rectification, etc.)

• Procedural obligations (notification to government agencies)

• Covers all sectors of industry and commerce

• Applies to personal data broadly defined to include customer and employee data including coded data

Trends in EU Privacy Law

• Technology convergence forces change of law

– broader, comprehensive regimes

– technology-neutral law

• Harmonization of law

– move towards « opt-in only » approach

EU Data Protection Policy’s Human Right Foundations

• Privacy is fundamental right

• 1950 European Convention of Human Rights, Article 8: right to respect for family life, home, correspondence, and private life

• European Court of Human Rights (ECHR) interpreted right to private life extensively

• Right to private life has been accorded « Drittwirkung » or horizontal effect

EU Data Protection Policy’s Human Right Foundations

• In Niemietz v. Germany, the ECHR held that right to private life applies also to professional and business life

• Right to private life imposes both negative (e.g. not to collect « unnecessary » data) and positive obligations (e.g. to provide resources for exercise of right)

• Employee right to privacy implies right to reasonable use of employer’s resources for personal purposes

Implications of Human Right Foundations

• Privacy is priceless

– cost of privacy is irrelevant

• Privacy is inalienable

– customers and employees have unequal bargaining position

– need to be protected against potential abuse and may not waive rights

EU Data Protection Policy’s Human Right Foundations

• Governmental discretion

– social justice in privacy administration requires government interpretation in many cases

– ad-hoc decision-making: « government knows privacy violation when it sees one »

– social justice over legal certainty

EU Data Protection Policy’s Underlying Assumptions

• Information use

– business wants data to increase profits

– poses risk to consumer

• Nature of Business

– profit-motive will cause corporations to disregard privacy

– consumers are victims of business practices

EU Data Protection Policy’s Underlying Assumptions

• Data protection offers “high level of protection” against « risks » and « harms »

– but what are the risks and harms?

– EU did not identify any risks or harms

– Known harms have been caused by state (e.g. Stasi-files)

– Citizens Against Government Waste found that private sector does better job than public sector in protecting data

EU Data Protection Policy’s Underlying Assumptions

• Typical examples of harms caused by companies involve

– trivial harms (e.g. receiving a brochure against one’s wish) or

– hypothetical harms (e.g. supermarket sends data about someone’s food purchases to health insurer so that premium can be adjusted in function of health risk)

• Different in government context

EU Data Protection Policy’s Underlying Assumptions

Data Protection Promotes Autonomy

• Right to define oneself (German Supreme Court’s concept of informational self-determination)

• « Face we want to present to the world »

– but this right limits other person’s ability to learn about individual’s less attractive side

EU Data Protection Policy’s Underlying Assumptions

Data Protection Promotes Autonomy

• Autonomy requires opt-in

• EU does not take seriously risk that people misrepresent facts and defraud others (« identity theft »)

• Nikon France v. Onof: employer may not search employee’s « personal » files

EU Data Protection Policy’s Underlying Assumptions

Government Abuse of Private Sector Data

• because government tends to abuse private sector data, there should be no data anywhere

• does government’s malice justify imposing restrictions on private sector?

• if potential for abuse leads to eliminating valuable assets (e.g. biotechnology, guns, etc.), society will suffer

• does government failure justify further government intervention?

• is it effective, would privacy law have prevented the Holocaust?

EU Data Protection Policy’s Underlying Assumptions

Government Abuse of Private Sector Data

• ironically, data protection laws provide liberal exceptions for government use

• « war against terrorism » may require more private sector data

Part III

Adverse Effects, Paradoxes, Costs

Interim Conclusions

• Data Protection Directive was not conceived with e-commerce in mind, and raises numerous problems and legal uncertainty

• Government control and discretionary authority are inconsistent with innovative information society and consumer choice

• Data protection applies even if consumer does not want it, resulting in paternalism

• Privacy protection increases risk of fraud

• EC exports its consumer and data protection regime to the rest of the world, thus reducing availability of e-commerce services and making them more expensive

How could this happen?

How does Information Society Differ from Old Economy?

• Global market place

• Services economy

• Reduces transaction cost

– lower information and search cost

– lower contracting cost

• Empowers consumers

– more offers

– quicker

– easy comparison

– no "undue influence"

• E-traders offer a wide variety of privacy policies

• Technology permits consumer to impose his privacy preferences

EU Data Protection Policy’s Foundations

• Privacy is fundamental right

– privacy is "priceless;" it is about values

– privacy is uniform and non-waivable

• Governmental discretion

– vague principles require government interpretation in many cases

– ad-hoc decision-making: “government knows privacy violation when it sees one”

– social justice over legal certainty

• Consumer protection

– consumer is deemed to have unequal bargaining position, and to need protection against potential abuse

– paternalism over freedom

Paradoxes of EU Privacy Policy in Information Society

• Consumer protection (EU) v. consumer empowerment (information society)

• Restricting competition choice (EU) v. enhancing competition (information society)

• Disincentives for innovation (EU) v. incentives for innovation (information society)

• Restricting consumer choice (EU) v. enhancing consumer choice (information society)

• Privacy over-regulation causes de facto “under-regulation” because excessive legal requirements are not enforced

How can we begin to resolve these problems?

Privacy as a Fundamental Right

• Data protection is deemed justified as fundamental right

– democratic society requires individual right to communicate and participate

– unrestricted data processing undermines communication and participation

– information society and commercialization of personal data increases risk to individuals

• But shouldn't we identify and differentiate between various possible risks?

– what risks does privacy law reduce?

• Aren't there better ways to ensure individual right to communicate and participate?

• What about the trader's right to communicate?

Fundamental Issues

• Market or government?

– which meets consumer privacy demands best?

  • what does consumer really want?

– why is privacy protection not an appropriate element of competition?

  • private privacy protection initiatives

• What core of privacy (if any) should be non-waivable?

– public law, government control

• What default privacy protection regime do we need?

– private law, variable by contract

– if it meets needs of parties, it may be efficient

– if it is overly protective, it will increase transaction cost

Cost of Privacy

• Direct compliance cost

• Indirect cost

– Loss of opportunity

– Loss of benefits of free flow

Conclusions

• Opportunity cost of data protection has increased dramatically in information society, while need for protection has decreased

• Government control model and public law result in inflexible and expensive regime with unfavorable cost-benefit ratio

• Rethink government's role

– free data flows do not result in external cost, no market failure

– privacy is subjective and should be regulated primarily by private law

– targeted, public law approaches to preventing significant objective harm

– redesign system and recalibrate balance between public and private law

Part IV

Data and Security

Data and Security

• Data are likely relevant to security

– what data?

– pertaining to whom?

– how much?

– right data timely provided may enhance security

• Alternatives to data collection?

Data and Security

• Government v. private sector

– no self-limiting mechanism in government

• Government has monopoly over force

– security is dominated by government

– but government needs help from private sector

Data and Security

• Conditions for data to be helpful to advancing security

– relevancy and volume of data

– government’s ability to “digest” and act on data

• Balance between too much and too little data

• “Shotgun” or targeted collection

Data and Security

• Targeted collection from groups posing high security risks may make process more efficient and effective

– enhances relevancy

– but can high risk individuals avoid meeting profile?

• Targeted collection raises ethical issues

– is it fine to subject a person to this process based on his meeting “profile”?

– what guarantees are there for preventing misuse for other purposes?

Data and Security

• Fundamental questions

– will data collection by government work?

– is targeted collection based on profiles more effective or efficient and ethical?

• Passenger data

– what are guarantees against government misuse?

Data and Security

• Cost of Privacy

– who would want to maintain privacy for all if this results in higher security risks?

– too much privacy will be costly

Data and Security

• Cost of Privacy

– how to measure cost of privacy?

  • no market value

– how to weigh costs and benefits of privacy against costs and benefits of security?

  • problem of incommensurability

– surveys

  • how reliable are they?

Conclusions

• There is cost to privacy protection

• In market setting, cost is self-limiting

• Government’s monopoly over force and absence of self-limiting mechanism are differences that should have consequences

• Privacy versus security debate highlights problems of quantifying cost of privacy