Book Review: Data Privacy Law: An International Perspective
By Lee Andrew Bygrave
Oxford: OUP, 2014, 272 pp, £75.00, ISBN 978-0199675555 (hbk)
Cite as: C Liddle, “Book Review: Data Privacy Law: An International Perspective”, (2014) 11:2 SCRIPTed 196 http://script-ed.org/?p=1547
© Calum Liddle 2014. This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please click on the link to read the terms and conditions.
A lacuna in literature which concerns data privacy from an international perspective would, put plainly, make any decent contribution to the law library welcome. At times fierce national and strong institutional stances on data protection matters have led to an increased risk of fragmented jurisprudence. Culture and history in this field are so often at play in the relevant tribunals and international courts: consider, for example, the recent ‘right to be forgotten’ ruling from the Court of Justice of the European Union and the Google response. Any attempt at a global analysis is therefore a complicated venture.
Bygrave’s publication, however, offers more than a mere rhetorical contribution to an increasingly complex legal field: it is, perhaps, the most comprehensive book published on international data privacy law since Kuner’s Transborder Data Flows and Data Privacy Law (Oxford: OUP, 2013). There are no others of such international breadth, at least not in a text of this size. It is as such one of the very few publications that would make an excellent primer on the layout of the land (or in this case lands) for postgraduate law students. This is an especially important and timely publication bearing in mind the proliferation in the study of information law. This publication is so much more than merely ‘welcome’ to the fold: a publication of this calibre has been so long overdue that it will no doubt quickly become a much sought after (or even mandatory) text for many of those in departments of information science and law. This is, however, not a practitioner’s handbook – but then it is not intended to be.
The author, Lee Andrew Bygrave, is professor at the Norwegian Research Centre for Computers and Law, University of Oslo, and within academia his name is synonymous with internet regulation and privacy. But Bygrave has also been a high-ranking practitioner with involvement at the EU Commission, the Computer Science and Technology Board of the US National Academies and the House of Lords Constitution Committee, among others. This, Bygrave’s latest publication, is not only academically rigorous but is also practically informed. This is well evidenced in the perceptive commentary which accompanies the author’s global analysis throughout.
In the preface to the book Bygrave himself identifies a distinct lack of relevant comparative or international literature; this was his catalyst to publish, he claims. The book is thereafter coherently divided into seven chapters and, to an extent, offers something of a global roadmap for the impending analysis. As is now so often customary in data protection texts the author begins, in Chapter 1, with an endeavour to define the field. This is done with great talent and proves in actual fact to be a necessity for the subsequent discussion. Data privacy law embodies a set of largely procedural principles, Bygrave explains, and carries with it distinguishing features which are symptomatic to the field. These features, including the tendency of data privacy legislation to more-often-than-not establish independent national authorities and commissioners, are alluded to and ample international examples are cited. In his first chapter Bygrave also identifies information security as having something of a unique berth in this field of law and does well to establish clear contextual parameters for his text. The author also turns to the significance of the field and considers, for one, data privacy on the normative plane in light of the information society and the necessary counterweights to technocratic imperatives. Data privacy as a constituent part of democracy, as one might imagine, is also touched upon in a chapter which, for the purposes of his text, proves to be a succinct but well-rounded, logical and informed introduction.
In Chapter 2 the author moves on to discuss international data privacy codes. The chapter is divided in nine parts each considering data privacy initiatives from international bodies (such as the Council of Europe (CoE), the Organisation for Economic Co-operation and Development (OECD) and the United Nations (UN) among others) before turning to the special role of human rights treaties. Bygrave’s attention to human rights treaties is particularly welcome bearing in mind that treaties, such as the European Convention on Human Rights (ECHR), are increasingly cited as data privacy instruments in themselves; an acknowledgement of privacy as a basic human right. The author provides an intriguing chronology with a nod to contemporary events and, once more, to ample case law on this matter.
Come Chapter 3 the author is concerned with national data privacy laws. The chapter is sensibly broken into a continental overview: Europe, the Americas, Africa and Middle East et cetera. The author endeavours to provide a ‘broad-brush’ approach in reviewing national regimes on a regional basis. This is done well, with a comparative analytical approach that details, for example, common points of departure in the national data protection laws of the EU member states. The author then turns specifically to a section on the USA and the transatlantic data privacy divide. The comparative analysis continues with a much appreciated insight into the cultural influence of American corporations which have been seen to steer the national attitude to data privacy regulation.
A discussion on the aims of data privacy law in light of a distinct lack of universal clarity is contained in Chapter 4. Bygrave notes that “Legislation on data privacy serves a multiplicity of interests, which in some cases extend well beyond traditional conceptualizations of privacy” (pp 119). When it comes to the scope of data privacy laws, academics (and practitioners also) will be pleased to read what is by far one of the better attempts at determining when data constitutes ‘personal data’ pursuant to national data privacy laws. The author considers the concepts of identification, ease of identification, the use of auxiliary information and even a brief discussion on whether IP addresses can be defined as ‘personal data’.
Chapter 5 turns to the core principles of data privacy law. The chapter is divided between the principles which will be, no doubt, of universal familiarity to those immersed in data protection: fair and lawful processing, proportionality, purpose limitations and the test for sensitivity, among others. This chapter should prove useful to academics who teach real-world data protection practice as Bygrave’s discussion is, for one, far more robust than the practice guidance produced by the UK Information Commissioner’s Office.
The author then moves in Chapter 6 to consider oversight and enforcement of data protection laws. Bygrave considers the independence of the data privacy agencies (or ‘supervisory authorities’) as required of the EU member states under Article 28(1) of the Data Protection Directive. The varying scope of comparative authorities is alluded to, as too are their duties and competencies. Most welcome, once more, is the cultural insight catered for as part of a very broad global analysis. As an example, the author contends quite convincingly that data privacy agencies with strong formal powers – such as monetary penalties – will not necessarily have greater success regulating data controllers than their counterpart agencies in different jurisdictions equipped with weaker powers:
Other factors include the seriousness with which a given community generally takes data protection matters, the extent to which the administrative and corporate cultures of a given jurisdiction are imbued in respect for data privacy ideals, and the talents of the DPA (pp 190).
The author then turns to transnational cooperation and inter-legal aspects of data privacy law. All the time the case law is relevant and the analysis undertaken is clear and concise. The author’s incisive writing style at this point is especially welcome bearing in mind the intricacy of the field.
Chapter 7 constitutes, essentially, a short essay. It resembles something of a manifesto: a call for harmonisation, however unlikely, of data privacy regimes across the globe. Bygrave considers the candidates for a harmonised approach – such as the adoption of a UN framework convention, the OECD and the CoE, among others – and highlights the obstacles in achieving global consensus. Speaking of the EU-US divide on data protection and the ongoing tensions Bygrave insists that this is not about ‘winners and losers’ and highlights the shared initiatives adopted on both sides of the pond. As a final word Bygrave looks to China, warning the reader that a focus on the ongoing wrangling between EU and US data privacy ideologies will not forever take global precedence: “Other major [economic] players are likely to muscle their way onto the data privacy stage…. China will increasingly have a voice on data privacy issues, although the import of its message remains to be deciphered, let alone clearly heard” (pp 209).
Overall, the author’s endeavour with this book is a successful one, in which an international perspective is maintained throughout with expert comparative insight. The allure of this book to the legal field lies in the power of Bygrave’s sociological gaze on the law of data privacy; the author is all-too-aware of the cultural reigns which shape and shift global attitudes. This remains nonetheless a legally robust text, with ample case law and a sophisticated knowledge of contemporary affairs. There is little, if anything, superfluous to be found here: it is a work of merit, not posture. The author is, in all the circumstances, to be congratulated for such a contribution.
Researcher, Graduate Teaching Assistant and a Doctoral Candidate funded by the Arts and Humanities Research Council at the Department of Computer and Information Sciences, University of Strathclyde. Liddle is also an Information Governance Consultant.