PRINTED FROM OXFORD HANDBOOKS ONLINE (www.oxfordhandbooks.com). © Oxford University Press, 2018. All Rights Reserved. Under the terms of the licence agreement, an individual user may print out a PDF of a single chapter of a title in Oxford Handbooks Online for personal use (for details see Privacy Policy and Legal Notice).

Subscriber: null; date: 24 September 2018

The Governance Of Privacy

Abstract and Keywords

This article focuses on the governance of data privacy, which, it explains, includes a complex web of regulation, self-regulation, and technology at the national and transnational levels, which interact to manage how personal information may be used and shared in and across modern societies. It lays out the principal underpinnings of data-privacy regulations, how regulatory systems differ across countries, and the broader governance tools available. The article also considers the politics of privacy regulation, and identifies new challenges and emerging trends in data-privacy governance.

Keywords: data privacy, governance, personal information, privacy regulations, self-regulation, regulatory systems

Personal information—credit card transactions, medical records, retina scans—is constantly collected, organized, and transmitted. Given the possibilities for abuse inherent in the processing of such data, governments have faced the dilemma of how to allow their productive use in society while guarding against potential violations of civil liberties. Far from being a new concern, lawmakers across the advanced industrial democracies first faced this challenge with the spread of the mainframe computer in the 1960s (Hondius 1975; Flaherty 1989). With the emergence of digital data networks and rising demands for surveillance in a globalized economy, the stakes and challenges involved have only grown and often become transnational and multi-jurisdictional (Farrell 2003; Newman 2008a).

The governance of data privacy includes a complex web of regulation, self-regulation, and technology at the national and transnational levels, which interact to manage how personal information may be used and shared in and across modern societies (Bennett and Raab 2006). The backbone of these efforts is formal regulatory rules. While states have tinkered with and adapted these to their national contexts, two broad approaches exist—comprehensive and limited regimes. Comprehensive regimes rely on a general set of Fair Information Practice Principles, which are enforced across the public and private sectors. These principles are monitored and implemented by an independent regulatory agency, which has a set of powers to investigate and sanction regulatory infractions. Limited regimes, by contrast, focus formal rules on the public sector and, with the exception of a few sensitive industries such as health care, rely on self-regulation and technology to manage concerns in the private sector (Newman 2008b; Schwartz and Reidenberg 1996). Within the context of these two legal regimes, industry efforts and technology are used to supplement/supplant public sector governance.

While not the sole determinant of the level of privacy protection in society, such privacy regimes have a significant effect on the level of information sharing and commodification in a society. In the United States, which has a limited regime, there are some 500 million credit reports, more than two for every man, woman, and child. In France, by contrast, which has a comprehensive regime, there are no private sector credit reports. While France in this instance might represent an extreme case, it is critical to underscore that the goal of data privacy regulation is not to eliminate data transfers but rather to put a set of rules in place that balance the interests of the individual against those of the organization that hopes to employ the data.

For much of the 1970s and 1980s, data privacy regulation was limited to advanced industrial democracies concentrated in Western Europe and North America (Bennett 1992; Regan 1995). Starting in the 1990s, however, such regulation has spread to over forty nations reaching from Argentina to Albania. While the diffusion of such regulation is still limited primarily to democracies, it can be found in emerging markets and all the world regions. Importantly, the spread of privacy regulation has privileged the comprehensive model, where less than a handful of countries continue to maintain limited regimes. In fact, over the last fifteen years, at least eight nations have shifted from the limited to the comprehensive model of governance. Taken together the diffusion and success of the comprehensive regime marks a significant change in the governance of privacy globally (Bach and Newman 2007). In order to make sense of the rise of privacy regulation and the subsequent diffusion of the comprehensive model, this chapter argues that it is best to examine privacy governance as a sequence of policy decisions in which events at the national level have impacted regional policy which in turn has shaped global debates. In each round, political institutions have played a central role in organizing interests and mediating their influence. Since the 1990s, a network of independent regulatory agencies in Europe—data privacy authorities—has played a central role in promoting the spread of comprehensive rules regionally and globally. This rapid diffusion was far from inevitable but, rather, the result of a series of political fights. Recent challenges to the comprehensive regime stemming from surveillance demands suggest that its stability may once again be called into question.

In terms of central governance challenges, the privacy domain offers examples of several key phenomena. Digital networks and cross-border security operations have elevated privacy to a transnational issue in which citizens and governments face multiple jurisdictional demands. In response, transgovernmental networks of public sector actors have emerged to manage these global governance challenges, harmonizing regulations regionally, and shaping standards internationally. At the same time, private sector self-regulatory initiatives such as the adoption by multinational corporations of codes of conduct and chief privacy officers offer a complementary approach. Both, however, raise important issues of democratic accountability as transnational networks of non-elected regulators and firms play a critical role in international privacy governance.

The chapter proceeds in three sections. The first section lays out the principal underpinnings of data privacy regulations, how regulatory systems differ across countries, and the broader governance tools available. The second section delves into the politics of privacy regulation, examining the national, regional, and international fights that have resulted in the rise and diffusion of the comprehensive model. The final section concludes with some thoughts on new challenges and emerging trends in data privacy governance.

Governing privacy

From the 1960s, democratic societies across the globe started debating the appropriate response to the threats posed by the rapidly expanding ability of governments and organizations to collect and process personal information facilitated by computer technology. These debates continue to inspire privacy protection today and form the backbone of regulatory regimes. This section will first describe the common set of privacy principles that underpins most modern privacy regulation before turning to the scope and structure of regulatory institutions. Finally, the section looks at the broader privacy governance toolkit.

The Fair Information Practice Principles

During the early years of the computer, a group of legal scholars in Western Europe and the USA began exploring the implications of the technology for the law. These experts quickly transitioned from studying the effect of computers on the law to larger questions surrounding the relationship between computers and society (Hondius 1975). These discussions produced a set of general norms based on the principle that individuals about whom data is collected (i.e. data subjects) have certain rights that must be balanced against the interests of those who collect and process personal information (i.e. data controllers). These principles may include the right to be notified before the collection of information, the right to consent to the further distribution of information, the right to access data held by a data controller, the right to object to incorrect data, or the right to demand erasure of incorrect or disputed information. The principles are termed the Fair Information Practice Principles (FIPPs). They were first elaborated in the Freedom of Information Act adopted in the United States in 1966 and were later codified internationally in the Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data of 1980 and the Council of Europe's Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data which came into force in 1985 (OECD 1980; Bennett 1992). While the exact formulation varies across national legislation and sometimes stresses one of the principles over another, the general formulation of the basic concepts is listed in Table 42.1.

Most evaluations of national and international legislation and private sector self-regulation are based on their consistency with or reflection of the FIPPs.

Table 42.1 The Fair Information Practice Principles

Collection limitation: personal information collection should be limited and lawful

Purpose: the purpose of data collection should be disclosed and data should not be used for other purposes without consent

Openness: individuals should be informed about privacy policies

Accuracy: data should be accurate, complete, and current

Participation: individuals may request information about data held by organizations and challenge incorrect data

Security: stored data must be secure from theft or corruption

Accountability: organizations must be held accountable for measures that implement the above principles

Institutional variation in regulatory scope and structure

Despite the fact that most modern data privacy regulations reflect the spirit of the FIPP, there is still considerable variation in the scope and structure of national data privacy regimes. Most important is the distinction in scope—comprehensive versus limited regimes (Newman 2008b). In comprehensive regimes, public and private organizations face formal regulation. While the exact rules may vary slightly between public and private sectors with some sectors facing additional rules, data processing in the economy and society is covered by some form of regulation. Additionally, comprehensive regimes include an independent regulatory agency which monitors and implements privacy rules. Generally speaking, data privacy authorities are independent in the sense that they have control over personnel, enjoy long-term leadership tenure, and exercise budget autonomy. As is the case with all such regulatory institutions, some are more independent than others. Nevertheless, there are many examples of data privacy authorities that have opposed policies of their governments and maintained their leadership appointments and faced little political intervention. In addition to independence, data privacy authorities have a range of powers that they may employ in day-to-day enforcement and implementation which include the authority to investigate breaches of regulation, consultative responsibilities concerning new legislative development, citizen complaint management, and in some cases the ability to impose sanctions. As is the case with independence, the exact powers vary among authorities, although the regional legislation within Europe has harmonized at a high level the powers that these regulators may use.

The limited regime, by contrast, focuses regulatory efforts on the public sector and generally lacks an independent regulatory agency that may monitor and enforce data privacy rules. In terms of regulatory scope, the public sector must comply with some form of FIPP rules. In the private sector, however, only a limited number of sensitive sectors face privacy regulations with the majority of sectors engaging in self-regulation or no regulation at all. These systems lack an independent regulator with oversight at times provided by a government ministry or an ombudsman with limited authority (Schwartz and Reidenberg 1996).

Differences in privacy regimes, while certainly not the only measure of privacy protection in a society, do shape the collection and transmission of information in an economy and a polity. Take two examples. Mailing lists that are aggregated and sold to companies for marketing are significantly more expensive in countries such as Germany where comprehensive rules reign than in the USA (Turner and Buc 2002). Similarly, there are no private sector credit reports in France, while there are some 500 million in the USA. This alters the types of information available to both businesses attempting to segment markets and to governments hoping to rationalize services or monitor citizens.

In addition to the scope of privacy regimes, there is considerable variation in their institutional structure. The primary difference in this regard centers on the level of centralization in oversight and implementation. In some jurisdictions, for example France and Sweden, one centralized data privacy authority is responsible for the domain. For much of their history, these centralized systems relied on licensing and registries of databases to keep abreast of the policies of data controllers (Flaherty 1989; Bennett 1992). Other countries, by contrast, opted for decentralized systems whereby regulatory oversight is shared among a number of government agencies and private sector actors. In Germany, for example, each Land has its own data privacy authority, which is responsible for monitoring privacy regulations in Land administrations as well as private companies that have their company headquarters in the Land. Additionally, private companies are required to appoint in-house data privacy officials, who are legally responsible for upholding data privacy regulations in the firm. In other countries, such as Australia, co-regulation has developed in which industry associations may develop sector codes that, if accepted by the data privacy authority, supplant government rules. If industry does not opt to develop a code, the national regulations apply to the sector. Formal legislation, then, acts as a regulatory backstop for industry-specific regulations. Different regulatory structures are then differentially positioned to oversee certain types of regulatory issues. Centralized systems, for example, may be well situated to manage large oligopolistic firms in the telecommunications or financial services industry. Decentralized regulatory structures have more local monitors that may uncover emerging challenges in data protection.

The structure of regulatory institutions naturally interacts with the scope of the privacy regime. Comprehensive regimes may have more centralized (e.g. France) or more decentralized structures (e.g. Germany). Similarly, limited regimes may be more centralized (e.g. South Korea) or more decentralized (e.g. the USA). The tasks and functions conducted by either a centralized or decentralized regulator, however, are embedded and defined by the regulatory scope of data privacy rules.

While formal rules play a critical role in setting the boundary conditions for privacy governance, there are also a number of other tools that contribute to privacy protection (Bennett and Raab 2006). Technology, for example, plays a critical role in modern privacy protection regimes. At the most basic level, for example, computer programs frequently come with a set of defaults concerning the amount of personal information revealed and exchanged. Individual users may then use technology to limit access to that information and to increase their control over information exchange. Companies have developed a host of privacy-enhancing technologies (PETs), which offer further protection for individuals or companies concerned about personal privacy. Another set of governance tools centers on private sector efforts to manage privacy challenges. Many companies have voluntarily appointed chief privacy officers, who review and monitor company policy vis-à-vis personal data. Some sectors have also looked into self-regulatory codes of conduct or best practices. These technological and self-regulatory efforts, however, are significantly influenced by the legal environment. The threat of government intervention, for example, may bolster such efforts and the lack of government rules may undermine their efficacy (Newman and Bach 2004; Scharpf 1999).

The politics of privacy governance

Early national debates

Formal proposals for privacy regulation swept the advanced industrial democracies in the early 1970s. Frequently supported by an odd-couple alliance between the progressive left and the libertarian right, a host of parties, scientific experts, and civil society organizations participated in the lobbying effort. Despite the similar set of legislative proposals and constellation of privacy advocates, the ultimate national rules differed considerably in the regulatory scope and structure. Most important for future international debates, some countries adopted comprehensive rules that covered both the public and private sector and established an independent regulatory agency—data privacy authority—which oversaw the implementation and enforcement of these regulations.

Although initial draft laws often centered on a similar set of privacy principles, grounded in the FIPPs, the reaction by bureaucracies and private sector organizations varied considerably. In some countries, such as France, private sector involvement in the development of such legislation was minimal, although the regulations put in place clear restrictions on how such data could be used. In the USA, by contrast, industry played an active and decisive role in shaping the final rules. The intensity of industry preferences and the success of its involvement were largely shaped by differences in the domestic organization of business and politics.

To understand organizational privacy preferences, it is first critical to examine the broader institutional environment in which such organizations are embedded. Some companies or bureaucracies, for example, have large internal databanks which require little external enhancement from other organizations. One can, then, think of these organizations as enjoying a relatively oligopolistic information position. In such a setting, privacy rules bolster that position by making it more difficult for new firms or government agencies to acquire similar data and defend the organization against claims by others hoping to gain access to their data. In other sectors or countries, however, firms may sit in a fragmented market where data is spread across a number of smaller firms and agencies. In such settings, these organizations rely on data sharing in order to obtain enough data to perform their required function. Privacy rules, thus, impose a considerable cost for such organizations as they restrict the flow of data in the economy and bureaucracy (Newman 2010).

Not only do such rules differentially affect organizational preferences, but these organizations face distinct institutional opportunity structures. In some countries, the legislative process is ripe with possibilities for interest groups to intervene and shape legislation. Veto points such as bicameral legislatures, judicial review, and presidentialism offer a few examples of institutional structures that expand the ability of interest groups to exercise their political voice in the legislative process. Other more unitary governments, by contrast, enjoy considerable autonomy in the legislative process and are better able to push their policy agenda against the preferences of interest group lobbying.

Early national politics on privacy, then, were significantly influenced by the organization of industry and politics. French banks, for example, found much to support in new privacy rules as they enhanced the banks’ already dominant oligopolistic position. Banks in the USA, by contrast, were much more fragmented and thus stood to lose from such rules. Additionally, these banks could use single member districts and presidentialism to get their preferences heard. As a result of these domestic political battles, several key countries such as France and Germany emerged from the 1970s with comprehensive rules while others including the USA adopted limited regimes (Newman 2008b).

Regional ratcheting up

Starting in the 1980s, the European Union (EU) began a concerted effort to deepen economic cooperation across borders. While a number of European countries had adopted comprehensive rules, several EU member states including Belgium, Greece, Italy, Portugal, and Spain had not. This opened up the possibility for regulatory arbitrage in the face of the deepening integration of the European single market. Data privacy authorities in countries with comprehensive rules, therefore, worried that this effort might threaten their regulatory authority.

Data privacy authorities cooperating with their peers in other countries through transgovernmental networks worked to develop regional rules that would mitigate the asymmetric regulations in Europe. These regulators used their expertise, authority over market access, and network ties to build an agenda for pan-European rules and alter the costs to other political actors of inaction. For example, a set of member states attempted to integrate border control through an agreement known as the Schengen Agreement. The European Commission was very interested in the agreement as it would facilitate the free flow of labor within the EU. In order to facilitate the agreement, the participants needed to construct a system of information exchange—the Schengen Information System—that would allow for proper implementation and monitoring. Belgium, however, did not yet have comprehensive data privacy rules and thus threatened to undermine the regulations in place in other countries. The data privacy authorities from France, Luxembourg, and Germany (which had all previously adopted comprehensive rules) threatened to block data transfers to the Schengen system without pan-European rules. It was at this point that the Commission and the member states recognized the importance of regional data privacy rules for the broader European effort. Sub-state actors—data privacy authorities—working across borders used their power resources to alter the European debate (Newman 2008a).

The result of this political dance was the 1995 European Data Privacy Directive. The directive requires all member states to adopt rules for the public and private sector and establish an independent data privacy authority (Swire and Litan 1998). Importantly, it required a harmonization of implementation and enforcement authorities of these regulators, significantly boosting the regulatory powers of many existing regulators. The directive also includes an important international requirement contained in Article 25. This article requires that data about European citizens may only be transferred to other countries if those other countries have adequate rules domestically (Long and Quek 2002). In order to assist the European Commission in the development of new rules and to assess the privacy rules of other countries, the directive created the Article 29 Working Party. The Working Party is a novel governance mechanism composed of a network of national regulators with a secretariat in Brussels. It reviews emerging data privacy issues, offers opinions concerning the adequacy of privacy laws in other countries, and follows the implementation and enforcement of privacy laws within the member states (Eberlein and Newman 2008).

Political entrepreneurship by data privacy authorities, then, contributed to the further expansion of comprehensive rules within Europe. The directive also boosted the authority of existing regulators and put them in a position to contribute to the governance of market access into and out of the EU.

The diffusion of European rules

Since the passage of the directive, a host of countries ranging from Argentina to Albania have adopted comprehensive data privacy rules. In total over forty jurisdictions now have comprehensive rules. This includes eight countries (from Canada to the Czech Republic) that had previously relied on limited regimes and have switched their rules. This shift is due in significant part to the international repercussions of the European privacy directive.

On the one hand, the passage of the directive shifted the international status quo best practice. Article 25 of the directive limits the transfer of data concerning European citizens to countries that maintain adequate privacy rules. This adequacy clause transformed international debates as it raised the costs in non-European countries that either lacked privacy rules or used a limited regime. While the EU could not force other countries to alter their national rules, the directive changed national privacy debates in many countries. It served as model legislation for advocates of privacy rules and altered the economic calculus of multinational corporations that actively worked in or traded with Europe but were based in other countries. In short, the directive coordinated regulatory authority within Europe so as to leverage the internal market at the international level (Bach and Newman 2007).

At the same time, European data privacy authorities used their expertise in the field to promote policy changes in other jurisdictions and offered the Commission the technical resources to evaluate policy in those countries. In some cases, particularly for new member states or regional neighbors, envoys from member state data privacy authorities engaged in twinning missions. Bureaucrats from member state authorities went to those countries in order to assist in legislative development and implementation. In other cases, the Article 29 Working Party, which is comprised primarily of national regulators, examined the policies of other countries to determine whether they met adequacy requirements. The Working Party has determined that a number of countries such as Argentina, Canada, and Switzerland meet the standard while at the same time refusing to give Australia or the USA a similar evaluation. From direct twinning to adequacy ruling, the EU uses its regulatory expertise to teach and model for other jurisdictions while at the same time holding the stick of market access in the background of negotiations (Newman 2008b).

It is clear that the EU efforts have been far from universal. The USA remains committed to the limited system and has resisted EU pressures (Farrell 2003). Nevertheless, the international regulatory landscape concerning privacy has changed dramatically in the last twenty years with a threefold increase in the number of countries with comprehensive regimes. While formal rules are not the only governance tool to manage privacy issues, it is clear that the baseline in terms of regulation has shifted significantly. This shift is in a significant part the result of a sequence of events taking place first nationally, then regionally, and finally spilling over transnationally.

New competing alternatives

Since the turn of the millennium, a number of governments and multinational companies have started to explore alternatives to the European privacy directive. The most advanced effort is the APEC Privacy Framework (APEC 2004). Developed within the Asia-Pacific Economic Cooperation (APEC), the framework builds on the FIPP principles. But in contrast to the EU privacy directive, it relies on self-implementation and self-certification. Countries would, hypothetically, be in a position to determine whether their rules met the adequacy standards of other countries. This effort is supported by the USA and Australia. While it offers a potentially flexible set of principles to build domestic privacy rules, it is unclear if it will drive policy debates at either the domestic or the international level. The Article 29 Working Party has not yet recognized the standard, and, given the considerable amount of self-certification and self-implementation, it seems doubtful that they will.

Another alternative that has gained considerable attention in the private sector is binding corporate codes of conduct. These binding corporate codes spell out a set of practices maintained by a company and its affiliates. If breaches occur, the company has committed itself through legal contracts to resolving the matter. Seen as a potentially flexible solution for MNCs, few have actually adopted the measure. The most difficult part of such binding corporate codes is the set of legal obligations that might arise across multiple jurisdictions. They thus pose a significant regulatory burden on companies operating transnationally. At the same time, they offer an important example of how private sector authority might be brought to bear to resolve a transnational governance dilemma.

A final model for dealing with such issues is the Safe Harbor Agreement between the USA and the EU. The Agreement was concluded in July 2000, and went into force in November 2000. It is based on a set of Safe Harbor Principles that companies apply to data transferred from the EU to the USA (Farrell 2003). Firms that pledge to follow these principles receive Safe Harbor from the application of the European Directive. The US Department of Commerce maintains a list of firms that have agreed to follow the Agreement. The principles of the Agreement are binding on companies and businesses must choose whether they will be monitored and enforced by self-regulation or self-certification. Under self-regulation, the company agrees to comply with the principles and joins an independent dispute settlement body that processes and mediates complaints. The Federal Trade Commission agrees to act as a regulatory backstop, monitoring firm compliance with their self-regulatory agreements. Under self-certification, firms register with a national European data privacy authority and agree to regulation by that agency. If companies transfer human resources data, they are required to self-certify. A 2004 review of the Agreement's implementation found that 75 percent of firms self-certified, de facto placing themselves under the supervision of data privacy authorities in Europe (Commission of the European Communities 2004). In short, the Agreement creates a framework for multinational companies to share data across the Atlantic without requiring these firms to adjust data processing practices of domestic customers. Data coming from Europe, however, is guaranteed a similar level of protection to that it would enjoy at home. While it is still unclear how successful the Agreement has been, it offers a potentially innovative governance tool in which a network of regulators from multiple jurisdictions share the monitoring and enforcement of their rules vis-à-vis transnational companies.

Conclusion

Since the middle of the last century, the governance of privacy has changed dramatically. In parallel with many other sectors, governments have come to rely on a set of similar regulatory tools to manage a broad range of potential conflicts that arise as personal information collection and exchange have become more widespread. This has included the creation of formal rules on the use of such data and in some countries the establishment of independent regulatory agencies that monitor and enforce these rules. At the same time, private sector actors have explored a number of self-regulatory tools and technologies to deal with emerging privacy challenges (see Rhodes, Chapter 3, this volume; Peters, Chapter 2, this volume).

While many of these discussions started largely as national decisions, in the last twenty years they have spilled over into regional and transnational debates. Importantly, data privacy authorities worked collaboratively in transgovernmental networks within Europe to promote the passage of regional rules. Once in place, the EU was able to use its well-developed regulatory capacity in the issue area to promote comprehensive rules in other jurisdictions. Although regulations continue to vary in terms of their oversight structure, there has been a general movement toward the comprehensive model globally.

Despite these efforts, conflict within or across systems is far from over. New government-sponsored surveillance efforts have raised questions as to the limits of privacy protection within comprehensive systems. Alternative regulatory models such as the APEC privacy framework call into question the long-term staying power of the current harmonization trend. New technologies such as cloud computing and radio frequency identification create new monitoring capabilities and pose new challenges to individuals attempting to manage their personal information.

In terms of the literature on governance, the area of data privacy offers several important points of comparison. Most generally, it signals the general trend towards arm's length oversight structures (Jordana and Levi-Faur 2004; Rhodes, Chapter 3, this volume). At the same time, international and regional solutions have tended to rely on networks of regulators in contrast to traditional command and control centralized authority. The Article 29 Working Party offers an example of a novel form of network governance that is also being experimented with in other sectors such as international financial regulation (Eberlein and Newman 2008; Sabel and Zeitlin 2010). Such transnational governance based in collaborative networks of non-elected regulators, however, poses clear questions concerning democratic accountability. Finally, data privacy offers a puzzling case of the EU successfully promoting strict standards in the face of globalization and against the wishes of the USA. The area then signals the important role that regulatory capacity, both in terms of control over market access and issue expertise, plays in international regulatory negotiations.

References

APEC (Asian Pacific Economic Cooperation). 2004. APEC Privacy Framework. Santiago. Singapore: APEC Secretariat.

Bach, D. and Newman, A. 2007. The European regulatory state and global public policy: Micro-institutions and macro-influence. Journal of European Public Policy 16: 827–846.

Bennett, C. 1992. Regulating Privacy: Data Protection and Public Policy in Europe and the United States. Ithaca, NY: Cornell University Press.

Bennett, C. and Raab, C. 2006. The Governance of Privacy: Policy Instruments in Global Perspective. Boston, MA: MIT Press.

Commission of the European Communities. 2004. The implementation of Commission Decision 520/2000/EC on the adequate protection of personal data provided by the Safe Harbour privacy principles and related frequently asked questions issued by the US Department of Commerce. October 20. Brussels: European Commission.

Eberlein, B. and Newman, A. 2008. Escaping the international governance dilemma? Incorporated transgovernmental networks in the European Union. Governance 21: 25–52.

Farrell, H. 2003. Constructing the international foundations of E-commerce: The EU–US safe harbor arrangement. International Organization 2: 277–306.

Flaherty, D. 1989. Protecting Privacy in Surveillance Societies. Chapel Hill: University of North Carolina Press.

Hondius, F. 1975. Emerging Data Protection in Europe. New York: Elsevier.

Jordana, J. and Levi-Faur, D. 2004. The Politics of Regulation: Institutions and Regulatory Reforms for the Age of Governance. Cheltenham: Edward Elgar.

Long, J. W. and Quek, M. P. 2002. Personal data privacy protection in an age of globalization: The US–EU safe harbor compromise. Journal of European Public Policy 9: 325–344.

Newman, A. 2008a. Building transnational civil liberties: Transgovernmental entrepreneurs and the European data privacy directive. International Organization 62: 103–130.

Newman, A. 2008b. Protectors of Privacy: Regulating Personal Data in the Global Economy. Ithaca, NY: Cornell University Press.

Newman, A. 2010. What you want depends on what you know: Firm preferences in an information age. Comparative Political Studies 43: 1286–1312.

Newman, A. and Bach, D. 2004. Self-regulatory trajectories in the shadow of public power: Resolving digital dilemmas in Europe and the United States. Governance 17: 387–413.

OECD (Organisation for Economic Co-operation and Development). 1980. Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Paris: OECD.

Regan, P. 1995. Legislating Privacy: Technology, Social Values, and Public Policy. Raleigh: University of North Carolina Press.

Sabel, C. and Zeitlin, J. 2010. Experimentalist Governance. Oxford: Oxford University Press.

Scharpf, F. 1999. Governing in Europe: Effective and Democratic. Oxford: Oxford University Press.

Schwartz, P. and Reidenberg, J. 1996. Data Privacy Law: A Study of United States Data Protection. Charlottesville, VA: Michie.

Swire, P. and Litan, R. 1998. None of Your Business: World Data Flows, Electronic Communication, and the European Privacy Directive. Washington, DC: Brookings.

Turner, M. and Buc, L. 2002. The Impact of data restrictions on fundraising for charitable and nonprofit institutions: Privacy leadership initiative. New York: Privacy Leadership Initiative.