Book Review: Data Privacy Law: An International Perspective

By Lee Andrew Bygrave

Oxford: OUP, 2014, 272 pp, £75.00, ISBN
978-0199675555 (hbk)

Cite as: C Liddle, “Book Review: Data Privacy Law: An International Perspective”, (2014) 11:2 SCRIPTed 196

Download PDF
DOI: 10.2966/scrip.110214.196

©  Calum Liddle 2014. This work is licensed under a Creative
Commons Attribution-NonCommercial-ShareAlike 4.0 International
. Please click on the link to read the terms and

A lacuna in literature which concerns data
privacy from an international perspective would, put plainly, make any
decent contribution to the law library welcome. At times fierce national
and strong institutional stances on data protection matters have led to an
increased risk of fragmented jurisprudence. Culture and history in this
field are so often at play in the relevant tribunals and international
courts: consider, for example, the recent ‘right to be forgotten’ ruling
from the Court of Justice of the European Union and the Google response.
Any attempt at a global analysis is therefore a complicated venture.

Bygrave’s publication, however, offers more
than a mere rhetorical contribution to an increasingly complex legal field:
it is, perhaps, the most comprehensive book published on international data
privacy law since Kuner’s
Transborder Data Flows
and Data Privacy Law
(Oxford: OUP, 2013). There are
no others of such international breadth, at least not in a text of this
size. It is as such one of the very few publications that would make an
excellent primer on the layout of the land (or in this case lands) for
postgraduate law students. This is an especially important and timely
publication bearing in mind the proliferation in the study of information
law. This publication is so much more than merely ‘welcome’ to the fold: a
publication of this calibre has been so long overdue that it will no doubt
quickly become a much sought after (or even mandatory) text for many of
those in departments of information science and law. This is, however, not
a practitioner’s handbook
but then it is not intended to be.

The author, Lee Andrew Bygrave, is professor
at the Norwegian Research Centre for Computers and Law, University of Oslo,
and within academia his name is synonymous with internet regulation and
privacy. But Bygrave has also been a high-ranking practitioner with
involvement at the EU Commission, the Computer Science and Technology Board
of the US National Academies and the House of Lords Constitution Committee,
among others. This, Bygrave’s latest publication, is not only academically
rigorous but is also practically informed. This is well evidenced in the
perceptive commentary which accompanies the author’s global analysis

In the preface to the book Bygrave himself
identifies a distinct lack of relevant comparative or international
literature; this was his catalyst to publish, he claims. The book is
thereafter coherently divided into seven chapters and, to an extent, offers
something of a global roadmap for the impending analysis. As is now so
often customary in data protection texts the author begins, in Chapter 1,
with an endeavour to define the field. This is done with great talent and
proves in actual fact to be a necessity for the subsequent discussion. Data
privacy law embodies a set of largely procedural principles, Bygrave
explains, and carries with it distinguishing features which are symptomatic
to the field. These features, including the tendency of data privacy
legislation to more-often-than-not establish independent national
authorities and commissioners, are alluded to and ample international
examples are cited. In his first chapter Bygrave also identifies
information security as having something of a unique berth in this
of law and does well to establish clear
contextual parameters for his text. The author also turns to the
significance of the field and considers, for one, data privacy on the
normative plane in light of the information society and the necessary
counterweights to technocratic imperatives. Data privacy as a constituent
part of democracy, as one might imagine, is also touched upon in a chapter
which, for the purposes of his text, proves to be a succinct but
well-rounded, logical and informed introduction.

In Chapter 2 the author moves on to discuss
international data privacy codes. The chapter is divided in nine parts each
considering data privacy initiatives from international bodies (such as the
Council of Europe (CoE), the Organisation for Economic Co-operation and
Development (OECD) and the United Nations (UN) among others) before turning
to the special role of human rights treaties. Bygrave’s attention to human
rights treaties is particularly welcome bearing in mind that treaties, such
as the European Convention on Human Rights (ECHR), are increasingly cited
as data privacy instruments in themselves; an acknowledgement of privacy as
a basic human right. The author provides an intriguing chronology with a
nod to contemporary events and, once more, to ample case law on this

Come Chapter 3 the author is concerned with
national data privacy laws. The chapter is sensibly broken into a
continental overview: Europe, the Americas, Africa and Middle East

et cetera. The author endeavours
to provide a ‘broad-brush’ approach in reviewing national regimes on a
regional basis. This is done well, with a comparative analytical approach
that details, for example, common points of departure in the national data
protection laws of the EU member states. The author then turns specifically
to a section on the USA and the transatlantic data privacy divide. The
comparative analysis continues with a much appreciated insight into the
cultural influence of American corporations which have been seen to steer
the national attitude to data privacy regulation.

A discussion on the aims of data privacy law
in light of a distinct lack of universal clarity is contained in Chapter 4.
Bygrave notes that “Legislation on data privacy serves a multiplicity of
interests, which in some cases extend well beyond traditional
conceptualizations of privacy” (pp 119). When it comes to the scope of data
privacy laws, academics (and practitioners also) will be pleased to read
what is by far one of the better attempts at determining when data
constitutes ‘personal data’ pursuant to national data privacy laws. The
author considers the concepts of identification, ease of identification,
the use of auxiliary information and even a brief discussion on whether IP
addresses can be defined as ‘personal data’.

Chapter 5 turns to the core principles of
data privacy law. The chapter is divided between the principles which will
be, no doubt, of universal familiarity to those immersed in data
protection: fair and lawful processing, proportionality, purpose
limitations and the test for sensitivity, among others. This chapter should
prove useful to academics who teach real-world data protection practice as
Bygrave’s discussion is, for one, far more robust than the practice
guidance produced by the UK Information Commissioner’s Office.

The author then moves in Chapter 6 to
consider oversight and enforcement of data protection laws. Bygrave
considers the independence of the data privacy agencies (or ‘supervisory
authorities’) as required of the EU member states under Article 28(1) of
the Data Protection Directive. The varying scope of comparative authorities
is alluded to, as too are their duties and competencies. Most welcome, once
more, is the cultural insight catered for as part of a very

broad global analysis. As an example, the author contends
quite convincingly that data privacy agencies with strong formal
such as monetary
will not
necessarily have greater success regulating data controllers than their
counterpart agencies in different jurisdictions equipped with weaker

Other factors include the seriousness with
which a given community generally takes data protection matters, the extent
to which the administrative and corporate cultures of a given jurisdiction
are imbued in respect for data privacy ideals, and the talents of the DPA
(pp 190).

The author then turns to transnational
cooperation and inter-legal aspects of data privacy law. All the time the
case law is relevant and the analysis undertaken is clear and concise. The
author’s incisive writing style at this point is especially welcome bearing
in mind the intricacy of the field.

Chapter 7 constitutes, essentially, a short
essay. It resembles something of a manifesto: a call for harmonisation,
however unlikely, of data privacy regimes across the globe. Bygrave
considers the candidates for a harmonised approach
such as the adoption of a UN framework
convention, the OECD and the CoE, among others
and highlights the obstacles in achieving
global consensus. Speaking of the EU-US divide on data protection and the
ongoing tensions Bygrave insists that this is not about ‘winners and
losers’ and highlights the shared initiatives adopted on both sides of the
pond. As a final word Bygrave looks to China, warning the reader that a
focus on the ongoing wrangling between EU and US data privacy ideologies
will not forever take global precedence: “Other major [economic] players
are likely to muscle their way onto the data privacy stage…. China will
increasingly have a voice on data privacy issues, although the import of
its message remains to be deciphered, let alone clearly heard” (pp

Overall, the author’s endeavour with this
book is a successful one, in which an international perspective is
maintained throughout with expert comparative insight. The allure of this
book to the legal field lies in the power of Bygrave’s sociological gaze on
the law of data privacy; the author is all-too-aware of the cultural reigns
which shape and shift global attitudes. This remains nonetheless a legally
robust text, with ample case law and a sophisticated knowledge of
contemporary affairs. There is little, if anything, superfluous to be found
here: it is a work of merit, not posture. The author is, in all the
circumstances, to be congratulated for such a contribution.

Calum Liddle

Researcher, Graduate Teaching Assistant and
a Doctoral Candidate funded by the Arts and Humanities Research Council at
the Department of Computer and Information Sciences, University of
Strathclyde. Liddle is also an Information Governance Consultant.


Book Review: Data Privacy Law: An International Perspective