University of New South Wales Faculty of Law Research Series
Last Updated: 4 November 2011
Global Data Privacy in a Networked World
Graham Greenleaf, University of New South Wales
This paper is available for
download at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1954296
This article is to be published as Greenleaf, G
‘Global data privacy in a networked world’, a Chapter in
Brown, I (ed) Research Handbook on Governance of the Internet,
Cheltenham: Edward Elgar, forthcoming 2012.This article may also be referenced
as UNSWLRS 38.
This article analyses the global growth of data
privacy (‘data protection’) laws over 40 years from a number of
After outlining the extent of global expansion, the influence of
international agreements concerning privacy is identified as one
their relative consistency and stability. The nature of United States
exceptionalism is discussed briefly, as is the failing
APEC alternative. The
fundamental elements of data privacy principles, and data privacy enforcement,
as seen through these agreements
and national legislation, are summarised. The
points on which the European Union is proposing to strengthen both principles
are noted. The extent to which these principles and enforcement
mechanisms can cope with the new challenges of a networked world
through two examples: social networking systems (SNS) and cloud
Bennett and Raab (2006), in the most systematic global review of data privacy regulation, presented their ‘main research question’ as whether there was a ‘race to the bottom’, a ‘race to the top’, or something else, in the global development of data privacy protection. They correctly caution that the existence and formal strength of a data privacy law is only one factor by which we should measure data privacy protection in a country, and two other key dimensions are the effectiveness of enforcement and the extent of surveillance (discussed below). Therefore, globally, there is more than one race to the top or bottom. They concluded that the most plausible future scenario (the Bennett-Raab thesis) was ‘an incoherent and fragmented patchwork’, ‘a more chaotic future of periodic and unpredictable victories for the privacy value’. So Bennett and Raab found some ‘upward’ global trajectory influenced significantly by the EU Directive, but sufficiently weak in the mid-2000s that the countervailing weakness of the APEC approach was enough to make the future quite unpredictable.
Half a decade later, it can be argued that there is now a clearer ‘upward’ global trajectory than Bennett and Raab found, provided we keep clear that we are only talking about the existence and formal strength of data privacy laws, not the other factors. The article shows that by mid-2011 there are 27 data privacy laws outside Europe (as many as there are EU member states), and a handful of further Bills expected to be enacted soon. Of course, the number of data privacy laws can only be part of the measure, but in Africa, Latin America and even in Asia the European Directive has become the single most significant influence on the content of those laws, and leads to them embodying a relatively high standard of data protection principles. The lower standards of the APEC Privacy Framework have not served to ‘slow or even reverse’ this trend as Bennett and Raab and others (myself included) feared. A handful of new data privacy laws across the globe each year, with EU-influenced privacy principles, and revisions of some existing weaker laws to strengthen them, does not constitute a ‘race’ in most uses of the term, but nor does it any longer look like such a ‘halting and meandering walk’ as Bennett and Raab found. It may not be a race, but data privacy laws do have a global trajectory, namely expansion at an increasing rate with principles more commonly influenced by the EU Directive than any other source.
But as Bennett and Raab conclude, there is not one race to the top or bottom that we must consider. It is better to say that the various dimensions on which we must measure the health of privacy as a value, including data privacy principles, their enforcement, and surveillance practices. These dimensions, as they say, differ from place to place and time to time, and are not readily ‘balanced’ into one overall measure. Nevertheless, considered solely on the dimension of the global spread of EU-like data privacy laws, the Bennett-Raab thesis no longer appears correct. On the other dimensions of effective enforcement and limiting surveillance, there are no obvious global trajectories which could give rise to similar optimism.