Book Review: ‘Data Privacy Law: An International Perspective’

 

Monika Zalnieriute[1]

 

Cite as Zalnieriute M., “Book Review: ‘Data Privacy Law: An International Perspective’”, in European Journal of Law and Technology, Vol 5, No 2, 2014.

 

BOOK

 

Lee A. Bygrave, Data Privacy Law: An International Perspective, 2014, Oxford University Press, 272 pp, £75, ISBN 978-0-19-967555-5

 

REVIEW

 

We live in interesting times of continuous flux, and this is especially true of data privacy. Indeed the world of privacy is changing, and changing fast: many new initiatives and international agreements on data privacy are being negotiated and the existing international data privacy frameworks, such as the Council of Europe Convention 108, the OECD Guidelines, have recently been revised. Last, but not least, the EU data privacy regime under Data Protection Directive 95/46 is coming to an end and the work in progress already is bringing significant changes to the legal data privacy landscape, business practices and the lives of individuals.[2] Looking beyond the purely legal developments, privacy as a policy issue in the digital era has become subject to intense debate on various levels among policy-makers, academics, national security agencies and legislators. The particular importance and topicality of privacy is (perhaps for the first time) best evidenced by the inter-governmental debates at the United Nations, where privacy rights and their limits are on the UN agenda among government officials (demonstrated by the unanimous General Assembly Resolution on the Privacy in the Digital Age back in 2013) and the subsequent efforts among the various UN bodies to address the increasingly urgent issues of privacy and extraterritorial surveillance. [3]  Indeed, the mass-surveillance revelations by Edward Snowden have arguably attracted a previously unseen attention to privacy issues and which makes international headlines everyday. In this context, Lee A. Bygrave presents his contribution to the global debates on the importance, core goals, deficiencies and limits of privacy laws in the Internet-era in a new book Data Privacy Law: An International Perspective, which offers a truly detailed and researched contribution to an ever-changing complex legal landscape.

 

Bygrave has been researching data privacy law for more than 25 years and the result is a truly delightful, enriching and detailed book for scholars and students of information technology law and privacy in the digital world.  As the author himself notes in the preface, the field of data privacy law has been undergoing an enormous change and burgeoned significantly during those years. Despite the fact that the adoption of data privacy laws have been spreading with an ever-increasing speed during the last decade, there still is insufficient expert guidance on what are the main goals, qualities and limits of these laws; and Bygrave steps in with his excellently researched and clear oversight and analysis. In this way, Bygrave’s Data Privacy Law is already a second comprehensive data privacy law book published in recent years by the OUP alongside Christopher Kuner’s Transborder Data Flows and Data Privacy Law, published in 2013.

Data Privacy Law: An International Perspective consists of 6 comprehensive chapters, each dealing with different aspects of data privacy law; and one short concluding essay in chapter 7, where the author critically reflects on the prospects and future of international data privacy regime.  As the title of the book suggests, Bygrave adopts an international perspective on the subject and thus uses the international data privacy instruments as a reference point in examining the various national laws from around the globe. Broader considerations, such as political climate and the relationship of data privacy law with other legal fields, such as human rights or administrative law, are also included to present readers with a fuller picture of the subject and help them contextualise it.

After the Introduction briefly discusses the main ideas and approaches presented in the book, chapter 1 introduces a conceptual background to data privacy law by examining the limits and boundaries, as well as the origins of the subject. Bygrave explains the important role of data privacy in the society more generally, as well as introduces the relevant actors operating in the area, thus laying a foundation for the forthcoming analysis.

 

Chapter 2 then introduces the reader to the typology/taxonomy of international data privacy instruments, where he discusses the various initiatives by the Council of Europe (CoE), the Organization for Economic Co-operation and Development (OECD), the United Nations (UN), European Union (EU) among others. Bygrave also highlights the special role occupied by the human rights treaties, such as the ICCPR and the ECHR in the data privacy discourse. This last point has been a special area of interest for Bygrave for some time (see for instance his article on the subject in International Journal of Law and Information Technology from 1998),[4] and he has researched the relationship between the core data protection principles and Article 17 ICCPR and Article 8 ECHR. This relationship has now gained special importance after the Snowden revelations about extraterritorial surveillance activities by the western governments. While Bygrave provides a detailed chronological overview, perhaps certain overall conclusions on the role of the international instruments would greatly benefit the chapter. 

 

In Chapter 3 the author provides an overview of the landscape of national data privacy legislation by grouping them into four main areas of the world: Europe, the Americas, Asia – Pacific, and Africa & the Middle East; and then has a closer look at the transatlantic data privacy disagreement, that has been dominating privacy discourse since its emergence as a policy issue in the 1970s. Bygrave sheds light on the cultural, ideological factors determining the transatlantic divergence over the regulation of private sector activities.  He provides concrete examples that contradict the traditional narratives of a generally weaker USA data privacy regime such as non-existence of a privacy-invasive regime in the USA comparable to that imposed by the (now invalidated) EU Data Retention Directive (pp. 113 – 116).[5] The acknowledgement of various similarities and the demonstration of the USA’s regime’s more stringent efforts than comparable efforts in the European regime, such as higher and more wide-ranging penalties, is welcome in that it breaks those dominant traditional narratives in certain aspects.  However, the author seems to be rather optimistic regarding the USA framework. For instance, while it is true that the Federal Trade Commission has indeed imposed quite a few large monetary penalties, Bygrave refers to its limited jurisdiction only in footnotes.

 

Chapters 4 – 6 are similar to Chapters 2 - 4 in the author’s book Data Protection Law: Approaching its Rationale, Logic and Limits, published by Kluwer Law International, in 2002, in that they creatively discuss the aims and scope, the core principle and the enforcement mechanisms of data privacy laws. In Chapter 4 Bygrave notes that despite the dominant view that data privacy rules aim to safeguard the privacy of individuals, such an approach is too ‘simplistic’ (p. 117) and provides more nuanced and in-depth analyses of the goals of data privacy laws, that may ‘extend well beyond traditional conceptualizations of privacy’ (pp. 119). As regards to the scope of data privacy, Bygrave also can be applauded for his attention to detail in the analysis of the scope of data privacy laws, including in-depth consideration on what exactly constitutes ‘personal data,’ and what factors are taken into account to define it (pp. 126 – 138).

 

Chapter 5 then gives the reader a closer look at the core principles of data privacy law, where the author with great detail scrutinizes the main principles, such as fair and lawful processing, purpose limitation and other well-known principles to anyone familiar with data privacy at least to a certain degree. Because of its detailed and clear structure, this chapter should be particularly useful for academic teaching and courses on information and data privacy law.

 

Chapter 6 then scrutinizes the oversight and enforcement of data privacy laws by giving an overview of the data privacy agencies (their independence, powers and competences) as well as the role of the international expert committees and judiciary in the oversight and enforcement. Bygrave also scrutinizes the notification, licencing schemes and remedies available for breaches of data privacy legislation, before turning to the trans-border data flows and jurisdictional issues arising from these complex issues. He goes beyond mere descriptive exercise and provides insights into the cultural differences between different jurisdictions, and their influence on the enforcement of data privacy rules in practice (pp. 189 – 190).

 

After critically analysing the various qualities of data privacy rules and their enforcement, Bygrave concludes the book with a convincingly-written short 5-page essay in chapter 7 on the necessity and viability for global consensus and harmonization for data privacy regimes. He briefly analyses several options for increased harmonization, such the UN framework convention, globalization of the Council of Europe Convention 108,[6] or using OECD Guidelines and soft law approach to harmonization; and highlights the pros and cons of proceeding under the auspices of these forums. On a last note, Bygrave warns that the continued emphasis on the EU – USA relationship and their disagreements might distract attention from the other rising global powers, such as China, and their potential in shaping international data privacy discourse (p. 209). This warning might be indeed noteworthy.  However, readers would perhaps relate to the argument more if the role of global economic powers, such as China or Russia, had been at least briefly included in the book.

 

All in all, Bygrave’s book provides an insightful and authoritative overview and critical analysis of contemporary privacy issues. The book with its critical analytical perspective and thoughtful insights could not be more timely and useful in the context of the revisions and updates of the existing international data privacy regimes and an international outcry over the extraterritorial surveillance programmes. Arguably, data privacy is gaining a momentum on international plane, and political attention has also resulted in some de facto progress, such as the adoption of the UN General Assembly Resolution on the Privacy in the Digital Age. There are many challenges and controversies surrounding privacy rights of individuals, and the view that these could be dealt with in an easy manner would be naïve.  In this context, Bygrave’s contribution based on his long experience as one of the world's leading and influential data privacy experts and academics, provides a very nuanced and legally robust text, which should be important reading for policy-makers, academics, and legal practitioners, who are interested in the ever-changing landscape of data privacy.

 



[1] Dr. Monika Zalnieriute is a Fellow at the Centre for Internet & Human Rights; European University Viadrina; Mittelweg 50, 12053 Berlin, Germany; e-mail: monika.zalnieriute@eui.eu; https://cihr.eu.  

[2] See the OECD, Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data of 1980; CoE Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, ETS 108, 1981; and the European Union Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data (OJ L 281, 23.11.1995, 31).

[3] See General Assembly Resolution on Right to Privacy in the Digital Age, A/RES/68/167, adopted on 18 December 2013, available at http://www.un.org/ga/search/view_doc.asp?symbol=A/RES/68/167 (visited 09/10/2014). The Report of the Office of the United Nations High Commissioner for Human Rights on the Right to Privacy in the Digital Age, A/HRC/27/37, available at http://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session27/Documents/A.HRC.27.37_en.pdf/ (visited 09/10/2014). Human Rights Council recently organized a panel on privacy, see the video of the HRC panel, available at UN Web TV, http://webtv.un.org/meetings-events/watch/panel-discussion-on-the-right-to-privacy-10th-meeting-27th-regular-session-of-human-rights-council/3781559740001/ (visited 10/10/2014).

 

[4] Bygrave, L.A., Data Protection Pursuant to the Right to Privacy in Human Rights Treaties, International Journal of Law and Information Technology, Vol. 6(3), 1988, pp. 247 – 284.

[5] On the 8th of April 2014 (after the publication of this book) the European Court of Justice declared the Data Retention Directive retroactively invalid under the EU law because of its disproportionate interference with the European citizens’ right to private life and protection of personal data; see Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger. Given that the Court has not limited the temporal effect of its judgment, the declaration of invalidity takes effect from the date on which the Directive entered into force.

[6] CoE, Additional Protocol to the Convention for the protection of individuals with regard to automatic processing of personal data, regarding supervisory authorities and trans-border data flows, CETS No. 181, 2001. The accession by non-Member states has become a practical possibility since 2008, when the Council of Ministers decided to examine any accession requests. Uruguay has become the first non-European country to join the Convention in April 2013, and Morocco is invited to do so in the near future.