Class 4.1 Notes: Data Security and Privacy

In Class 4.1, focused on Data Privacy and Security, of Cyberlaw and the Global Economy,
Professor Viktor Mayer-Schoenberger of the Kennedy School of Government
led us through the history of data protection laws.  He breaks
down the story into four generations of legal paradigms.

First Generation: States adopted a technology-based view.  In the
early days of computing, the idea was that there might be one federal
databank, with loads of personal information in a single mainframe,
combining consumer and government data alike (compare to today’s TIA
proposals).  Harvard Law School Professor Arthur Miller wrote a famous article that
posed a challenge to this idea by asking: “Where is the individual? And
what about their privacy?”  The legal answer was to regulate the
centralized technology, to regulate that mainframe.  But quickly
it became clear that there were too many computers to manage things
this way.

Second Generation: States adopted more of an individual-rights-based
view.  In come the privacy advocates who sought to extend doctrine
such as the Miller obscenity standard to the information technology
realm.  A negative right is introduced: others can’t intrude upon
your personal information.  You’re the one who releases this
information.  It’s your information, and you give people the
rights to process that information.  The citizens get a cause of
action.  What are the damages that you can seek through this cause
of action?  The problem with this regime was that people didn’t
fight for their rights.  The process was too expensive. 
There’s a cost-benefit analysis for individuals: you need to believe
that you’ll get something out of the process.  (Someone suggested
you could cure this problem by allowing for punitive damages.) 
This second generation model failed because the transaction costs were
too high.  Noboby exercised these extensive rights. 
[According to Prof. Mayer-Schoenberger, America got stuck in this
second generation of thinking and focused on much more directly state
actors rather than on private actors.]

Third Generation: States refined the conceptual framework of the
individual-rights-based approach.  The negative liberty rights
view — the digital (zeros or ones) view — of the world was
dismantled.  The idea was Equal Citizenship, marrying liberty and
equality and establishing a right of self-determination of use of
data.  This transformation from negative liberty rights into the
realm of positive liberty rights began in Germany following a 1983
census case.  The goal was to empower the individual to be able to
exercise their positive liberties.  The barriers to lawsuit were
lowered.  Professor Mayer-Schoenberger polled every state data
protection ombudsman and asked how many cases were brought in 8 years
by 85 million Germans?  He learned that not a single case was
brought.  The debate was still an elitist one: if you want privacy
and can pay for it, then you can have it.  It was a great theory,
but utterly impractical.

Fourth Generation: States adopted a pragmatic solution.  The
strategy was to bring the center of gravity back to the state. 
The individual is not good at safeguarding their personal information,
so the state needs to build in certain safeguards.  The state
needs to establish a set of protections on behalf of the individual as
against the users of the data.

We talked a great deal as well about the EU Data Directive.  This
directive was sought, perhaps counterintuitively, by businesses looking
for a level playing field and fearing unfair competition.  The
directive focuses on the flows of data.  It requires that those
who make use of data from anywhere in Europe need to adopt safeguards
that meet the standards set forth in the Data Protection
Directive.  Otherwise, a company within an EU country would need
to get consent from the individual before exporting the data.  The
consent needs to be specific to the actual transfer (under Article

How do United States companies deal with the EU Data Directive and
related implementations?  There are in essence two choices for a
US-based company in order to comply with the EU Directive.  Either
set up multiple data centers, one in the United States and others
aborad.  Or agree to the terms of the negotiated US Safe
Harbor.  United States multinationals have tended to use a
cost-based set of considerations when trying to decide which choice to
make, ordinarily opting for the split approach.  European
businesses with United States customers have made a similar choice,
setting up a separate data warehouse for the United States with lower

Questions that came to mind to me during the discussion, most of which we didn’t get to cover in much depth:
* When we regulate in the technology space, what exactly should we seek
to regulate?  The technology or individuals and their actions
using technology?

* Why isn’t the third generation view of self-determination effectively
what we have now in the United States for online activities, to the
extent that companies tend to try to adhere to their privacy policies
(at least until they change them)?

* Should we think the same way about data protection as against the
state as we do against  private actors?  It seems as though
under United States law, we make a very big distinction between these
two, and that in certain European contexts there is less of a gap
between the two treatments under the privacy laws.

* Is privacy the quintissential collective active problem?

* Is there any way to prove whether or not there have been positive effects of the EU Data Protection Directive?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.