Protectors of Privacy: Regulating Personal Data in the Global Economy, Abraham L. Newman (Ithaca, N.Y.: Cornell University Press, 2008), 221 pp., $39.95 cloth.
Judith Wagner DeCew (Reviewer)
Abraham Newman has written a thoughtful and provocative book about the protection of privacy and how it has evolved in two dramatically different ways in the European Union and the United States over the past fifty years. His focus is on governmental agencies and nongovernmental interest groups that have spearheaded the efforts to protect personal information and data, especially since the rise of personal computers and their expanding role in the digital age. According to Newman, privacy policies "have implications for individual liberty, the powers of the state, and the global economy" (p. 3). While Newman's focus is on privacy protection and its evolution, his historical and political analysis leads him to a broader and more dramatic conclusion—namely, that "nations rely on regulatory capacity to develop, coordinate, and implement market rules"(p. 154), and this power is not merely an extension of norms or economic size, but is rooted in the expertise and authority that institutions enjoy to govern markets and society.
After documenting the well-known digital revolution, and the massive data storage and information flows throughout the world, Newman turns to two major systems for protecting privacy. The United States and multiple countries in Asia have developed limited systems that focus on self-regulation within both industry and government so that personal information is readily available. In contrast, the EU and others have adopted an alternative vision highlighting consumer protection and individual privacy against the efficiency and economic interests of firms and public officials" (p. 2). He documents the development of this latter model from the comprehensive rules about data privacy passed in the 1970s, to the EU data privacy directive enacted in 1995 (now adopted in some form by all twenty-seven EU members), to the continuing power of those data protection authorities or agencies focusing on individual privacy still in force despite 9/11. EU-style privacy protection regulations have spread rapidly across the industrial world and have led and transformed the global privacy debate. As a result, the United States "now faces mounting challenges to develop, set, and enforce rules of global markets from one of its strongest allies, the European Union" (p. 155). This result is striking, he notes, because of the dominance of U.S. regulatory preferences in other areas, such as intellectual property and Internet domain names.
The goal of the book is to explain alternative approaches to privacy, and to examine why and how the EU has shaped policy decisions regarding privacy within its own nations and in other countries through its agenda for globalization. The answers are developed through two types of arguments: first, an argument concerning the specifics of European politics and regulation methods; and second, an argument focusing on the agents of change—that is, the way European data privacy protection has depended on "protectors of privacy, who both advocate for strong individual safeguards within Europe and have the resources to enforce European rules internationally" (p. 3). Using a plethora of examples from various countries and interviews with players in the development of privacy guidelines in various nations, Newman effectively differentiates the comprehensive EU approach to privacy legislation from the limited U.S. approach, which puts faith in the market to check inappropriate activity, has no dedicated privacy agency, and lacks the necessary expertise to defend its position in international debates.
Rejecting other accounts, Newman's explanation of this divergence is that "government officials with regulatory capacity played a crucial role in creating and expanding privacy protection within Europe and around the world" (p. 9). Such individual privacy commissioners or group agencies had technical expertise, were given governmental authority, and were able to form political coalitions and to lobby successfully for enhanced individual privacy protection, requiring that personal information not be collected without an individual's consent, not be used for purposes other than those intended without individual consent, and so on. This contrasts sharply with th U.S. approach, which allows such entities
as insurance companies and employers, ample access to personal information, due partially to a lack of governmental support for privacy legislation, as well as a more fragmented political system. The United States has stood behind efficiency arguments that business and government need unfettered access to personal data to guarantee economic growth and national security, whereas the EU has argued that privacy is critical in a robust information society because citizens would only participate in an online environment if they felt their privacy was guaranteed against ubiquitous business and government surveillance.
Newman highlights the EU capacity to send a coherent signal about the value and protection of individual privacy by delegating experts to other countries to teach how to build compliant institutions, and by providing EU members with a variety of tools to influence and shape policy decisions abroad. This has important theoretical implications about the global influence of consolidated regulatory agencies, and highlights the need for scholars to take seriously the study of the EU in international politics and economic governance. As the author notes, "Privacy provides a cutting-edge case of the shifting responsibilities of governance in transnational markets and the possibility for political entrepreneurial intervention to shift the definition of basic fundamental rights on a global scale" (p. 19).
Protectors of Privacy is an excellent addition to the literature—a carefully written and splendid defense of enhanced privacy protection for individuals in the digital age. My own research confirms the accuracy of Newman's views. Given the growing demand for electronic medical records, doctors in the Netherlands, for example, have taken the time to build into computer programs ways of allowing varying levels of access to that information to protect individual privacy. Access to sensitive medical information is denied unless a physician or other actor defends the "need to know" to a privacy commissioner or agency. For particularly sensitive mental health records, the system works like a safe-deposit box, where two keys are needed to "open" the information for access, and one of them is held by the protector of privacy. In contrast, standard computer databases for medical records in the United States allow the free flow of individual medical information.
Further, Newman's analysis underscores a key view I have repeatedly defended (see In Pursuit of Privacy: Law, Ethics and the Rise of Technology)—namely, that privacy protection, rather than free-flowing access to information, should be the default standard. In comprehensive systems in the EU and elsewhere, the assumption is that the use of information by organizations is not transparent and is out of an individual¡¦s control. In contrast, in limited selfregulatory systems, such as in the United States, there is merely a patchwork of state and federal guidelines, leading to confusion and easy access to information, regardless of deleterious effects on individuals. Protectors of Privacy defends the value of studying alternative systems of regulation of personal information, demonstrating that they are not merely of abstract political or legal concern, but also affect how individuals express their identity, how business differentiates markets, and how governments manage risk.
— JUDITH WAGNER DECEW
The reviewer is Professor of Philosophy at Clark University in Worcester, Massachusetts.