The Global Governance of Privacy: Actors, Mechanisms, and Perspectives. Ralf Bendrath, University of Bremen; European Digital Rights (EDRI); WSIS Privacy & Security Working Group
Global Governance of Privacy What is “global governance”? “governance without government” regulation without enforcement? legitimacy / democracy?
Global actors: more than ever international organizations CoE, OECD, APEC, … supranational organizations EU global corporations users and developers of ICTs CSR / Global Compact transnational NGOs EDRI, TACD, BBA,… technical bodies IETF, IEEE, ICANN, …
What is “enforcement”? Ideal types of political regulation: Hierarchical (State) Decentralized (Market) Horizontal (Committee) hybrid forms emerging
Hierarchical Enforcement state central control (one sovereign, one DPA) sanctions oversight, registration, notification blocking orders fines, criminal charges seizure of equipment based on public law judicial review, democratic decisions national level globalization as major challenge
Decentralized Enforcement market no sovereign (invisible hand) WTO? exception for privacy no coordinated sanctions based on private law different types of contracts sanctions difficult global law firms as arbitrators still “in the shadow of the law” global monopolies and market failure as challenge consumer influence?
Horizontal Coordination committee ISO, ITU, OECD, Art. 29 WP, IETF, IEEE, … no sovereign, but visible hands enforcement through public opinion standards: technical, contracts, management, … network effects sanctions through market global (regional global) public-private diverse forms of public-private weight judicial review? often seen as non-political “just technical”? “just legal”? Inclusiveness as challenge
Hybrid Forms I public certification of private mechanisms Audits, Binding Corporate Rules Model contracts Standards (Canada) Web Seals? Safe Harbor under law even without DP laws “unfair and deceptive trade practices”
Hybrid Forms II Private enforcement of public laws regulation through code not as “user empowerment” mainstreaming privacy into infrastructure design global corporations BCR / Codes of Conduct also apply where there is no law
Hybrid Forms III “Competition” among states benchmarking (OECD/PISA) Open Method of Coordination (EU) efficiency of DPAs
Problems of Global Governance Transparency? Accountability? Expert domain global privacy jet-set DPAs, CPOs, few NGOs companies: “elephants and mice”
Perspectives for Global Governance more transparency more inclusiveness cf. UN Reform / Kofi Annan “real” expert deliberations “non-coercive power of the better argument” Accountability? Who is sovereign? The people!
We, the People? responsive to citizens cooperation with user organizations consumer organizations public interest organizations community / social software Wikipedia for Privacy? the public sphere conflicts are needed and important
A conflict perspective on privacy privacy is no big issue of international conflict anymore global attention cycles for privacy 1960s-1970s: national laws 1970s-1980s: OECD / CoE 1990s: EU Directive 2000: fundamental ceasefire with Safe Harbor no harmonization, but interface solution
A New Grand Debate? Global Transatlantic Europe WSIS: Internet Governance & Privacy APEC vs. EU? Transatlantic PNR / Safe Harbor? Europe Data Retention
New “Rainbow Coalitions” NGOs in international politics EDRI, EPIC, PI, NCC, TACD, … European Parliament (and others?) DP authorities, of course some companies friendly journalists different roles, but same goal information, cooperation and strategizing