The business of comparing public policies across different domains (i.e. jurisdictions, regions, countries and others) is certainly a difficult one. This is not new, but, paradoxically, the problems are even worse today because the ubiquitous presence of neo-institutionalism tends to provide, if applied inadvertently, explanations that are as easy to reach as potentially misleading.
By and large, when confronted with the need to explain the dynamics of change and stability in a plurality of national situations, the neo-institutional approach runs the risk of providing ready-made answers: change is invariably generated by exogenous shocks and stability is path dependent and linked with the institutional setting.
Too often policy convergence – one of the key concepts in comparative policy analysis – mostly is explained solely by the fact that national policies tend to react in a similar way to common stimuli, while divergence is assumed to be invariably the product of country-specific features.
Obviously there are plenty of cases in which these generalizations do apply, but unfortunately (or, rather, fortunately as otherwise policy analysts would be out of business) things are sometimes, and one could say often, not that simple.
This is certainly the case with data protection or privacy policy, an issue that has experienced a number of major developments in the second half of the last century. Plenty of statutes were enacted, bureaucratic bodies created, national and international conferences held and thousands of pages written in books and journals. The “Inaugural JCPA and ICPA Forum Comparative Research Symposium – EU” was devoted to the Transformation of Privacy Policy and this is where the contributions published in this Special Issue were first presented. The symposium was able to assemble several of the very few scholars specializing in this rather particular field.
The results, as the reader will be able to appreciate, were particularly interesting as they challenged the simple explanations referred to above. Here I will highlight only four points, but of course the content of the collection is richer than I could possibly account for.
A first, very important, one could say fundamental point, concerns the global evolution of data protection policy. Is it possible to detect a trend? And in which direction (as far as the effectiveness of protection is concerned) is it that policy evolving?
The answer provided in Bennett's paper is rather straightforward: he convincingly states that in the last 40 years “the overwhelming dynamics is one of policy convergence”, hastening to add that “privacy protection … now embraces far more than the law” and that it is not simply a human rights or civil liberties issue, but, quoting Newman, “has taken its place as a critical trade-related question”. In a similar vein, Righettini, in her comparison of Italy and France, detects a shift from a more reactive attitude (redressing the violations of privacy: “regulation of”) towards a more proactive one (“regulation for”, where the intrusiveness of Data Protection Authorities – DPAs – is much greater). All in all, from reading these papers – and the one by Newman is equally optimistic in its outlook – one could safely conclude that the evolution of privacy policies has been marked by a tendency towards more protection.
But the picture is not as rosy as it may appear. As Raab emphasizes, not only are DPAs “typically underpowered”, but Koops draws our attention to the fact that Dutch legislation went exactly in the opposite direction, mostly in some sectoral policies like criminal law, to the point that he quotes a scholar who predicts that “in 20 years time we will have no privacy left and in 25 years the right to privacy will be abolished”. Viewed from this gloomier perspective, one could argue that the increase in protection, clearly detectable in the evolution of privacy policy, is always a step behind the growing trajectory of threats brought about by the effects of globalization and technological developments.
In other words, there is no reason to doubt the accuracy of apparently contradictory judgements, not only because there is always the possibility of exceptions, but because by looking at different facets of the same phenomenon one can draw opposite, but equally well founded, conclusions.
If we now shift our attention to the forces behind the developments we again find relevant differences.
For instance, both Raab and Righettini, but somehow also Bennett, stress the role of personalities, true “privacy heroes” able to drive forward the cause of protection by persuasiveness, prestige and sheer will. Many innovations in this policy environment are linked to the presence and the ability of innovators, i.e. true policy entrepreneurs able to mobilize the resources needed for altering the status quo. Again the same conclusion can be reached in many different policy fields.
Notwithstanding, a totally different story can be told when we analyse the factors able to explain the trends towards diminished protection: here the factors mentioned seem to be much less subjective and much more structural. A list should include: international terrorism, ever-present technological developments, the growth of global commercial transactions and the like. In other words, there is an asymmetry: while more effective privacy policy seems to require active intervention by concerned individuals, societal forces seem to be squarely behind the opposite trend. In order to level the field it looks as if it is necessary for some equally general factors to operate in supporting privacy policy activists.
The obvious candidate is informed public opinion, but, as pointed out by Koops, this seems not be the case. In the first place, the “I have nothing to hide” syndrome, according to which many people willingly provide lots of personal data, points in the direction of a certain indifference about personal privacy in a vast share of the population. More generally, the issue attention curve in the governmental sphere seems to be pointing downwards, in sharp contrast with what happened in the 1970/1990 period.
But one could challenge how realistic this picture is – of a few individuals against structural forces and in face of the relative indifference of the citizenry. Is it possible that the attempts to decrease the level of protection have no specific actors pushing for them? Here and there the mention of potential culprits emerges – the police and security forces, multinational companies, etc. – but what is striking is that the “surveillance society”, in which all concern for individual privacy is absent, has no evident political activists. Does this mean that, after all, public opinion is less apathetic than it seems? And that there is no consensus to be gained from decreasing the level of protection of personal space and information? If the answer to both of these questions is positive, then one could conclude that a lot of water went under the bridge since the infancy of privacy policies. The present common sense is that the personal sphere has to be protected and therefore all the moves in the opposite direction should be made by stealth, and paying (at least) lip service to the value of privacy.
A third important aspect well documented in the papers concerns the growing complexity of the networks of actors involved in policy formulation. True, new protagonists seem to emerge: non-governmental organizations and civil society organizations, as is well documented by Bennett, and also sub-national DPAs able to play important roles even in the international arenas, as shown by Raab, and, more strikingly, the “unusual suspects” mentioned by Koops. The latter group includes right-wing libertarians who, in their public relations campaigns, frame privacy as a winning business proposition, internet providers, the association of librarians, or consumer protection groups. The policy-making process seems to be much more articulated than previously, legitimizing Bennett's and Raab's conclusion that “data protection policy is … co-produced rather than enforced”.
However the evidence collected by almost all the authors suggests that policy advocacy proceeds mainly from the inside, and that the centrality of DPAs as driving forces is quite unchallenged. Raab points out that the process of accreditation of DPAs in the Annual Conferences seems to suggest the emergence of “a network taking stock of its corporate identity, its membership boundaries, and its potentially authoritative voice as a group”. In other words, a process of institutionalization or even bureaucratization (in the true Weberian sense of the word, totally devoid of any derogatory undertone) appears to be at work and very relevant for this policy development.
The trends of progressive emergence of new actors with different concerns willing to play a role in the policy, on the one hand, and the growth of the institutionalization of the DPAs at the domestic as well as at the international level, on the other hand – can be assumed to reinforce each other in the direction of a more effective protection. But this is not necessarily the case; it is possible that the bureaucratization of the issue will have the effect of making the social groups and the administrative authorities grow apart with less than optimal consequences for privacy protection.
This brings us to the last point I wish to explore, namely the issue of multi-level governance (MLG), nowadays a pervasive feature of public policy making in almost all fields. Obviously MLG is also at work in privacy policy, as would be expected. Suffice to say, as Newman abundantly demonstrates, that trans-governmental coordination has evolved into trans-governmental coalitions for expanding the domestic authority of the DPAs: the actors use the international as resources in their national, typically bureaucratic, policy game., In a similar vein, to explain the different trajectories of the French and the Italian DPAs, Righettini uses as an independent variable the interplay between internal institutionalization (measured by the amount of legal, financial and knowledge resources accumulated) and external institutionalization, meaning the degree of linkages with other institutional actors at different governmental levels.
There is but a small step from the acknowledgement of the importance of MLG for policy development to the issue of regulatory competition as a driving force. If the interplay of international, national and sub-national (at least in federal states) dimensions is important in explaining the birth of new rules and their enforcement levels, the temptation to use this ability strategically to play at different levels is all too natural. Usually it is assumed that those in charge of protection in the sub-global constituencies, and who will probably endure a certain amount of frustration because the issue is not high on the domestic governmental agenda, will use their ability to play at the international level in order to enhance their opportunities at home. This is certainly plausible, but it is not necessarily the case: faced with the sheer impossibility to effectively regulate the behaviours at the appropriate level, the recourse to MLG can also be seen as a sort of escapist activity, making and listening to both interesting and radical speeches, yet not actually being able to achieve very much. The mix of cooperation and competition at different governmental levels can, under different circumstances, produce both a “race to the top” (meaning more protection); a “race down” (meaning less protection); or simply be irrelevant from the citizen's point of view. A good example is provided by the comparison between France, Italy and the Netherlands in this policy arena. In the Italian case the European Directive has played a fundamental role in shaping a potentially effective data protection policy, in France the pre-existence of the CNIL has de facto hampered the relevance of the European policy and in the Netherlands the existence of the Directive has been an excuse for not putting the issue on the governmental table on the basis of the assumption that, sooner or later, it will be required by the UE, so why worry now.
Summing up: even a short collection of papers like the one presented in this Special Issue is able to challenge some of the preconceived wisdom on comparative public policy. The lesson that can be drawn is, as usual, that the overall picture is more complex than given by more typical accounts of policy evolution. Nevertheless, all in-depth analyses of specific aspects, limited comparisons or descriptions of how the game is played at the global level, show how many different mechanisms are at work, and how policy actors are able to overcome obstacles in order to bring about a more effective privacy policy. While we may still be very far from finding “general laws”, at least we know much more than we used to, and, more importantly we can assert that policy actors are more aware of how to “play the game” in many different, but effective ways.
Acknowledgement
The “Inaugural JCPA and ICPA Forum Comparative Research Symposium – EU” was supported by a grant from the Italian Department for University and Research (PRIN 2006, no. 2006142798) and the hospitality was provided by IMT – Institute for Advanced Studies. We wish to thank the supporting institutions and Dr. Paola Coletti who organized the Symposium. We also thank the other participants for their useful comments. The Research Symposium was held in Lucca, Italy, July 2–3, 2009.
Additional information
Notes on contributors
Bruno Dente
Bruno Dente is Professor of Public Policy Analysis at Politecnico di Milano, where he chairs the Center for Administration and Public Policy.Related Research Data
