Governing privacy: systems, participants and policy instruments

Charles D. Raab


In this paper, we sketch a view of the emerging system of information privacy protection as it might be developed. We use the word ‘system’ to emphasise the importance of relationships amongst the organisational, legal, personal, governmental and other elements through which the future of privacy is arbitrated. One important task is to understand these relationships better. Another task is to develop a theoretical framework through which we might explain the use and impact of different privacy protection instruments and approaches. A third task is to explore the potential for privacy protection policy in the future.

Some drivers of change are in the realm of technology, values and ethical issues, but others are identifiable groups. The main ones include the general public, who are becoming more aware of privacy risks but who – as consumers – want better services and more goods; businesses, which want to exploit personal data assets but which also need public trust; and governments, which likewise want to rationalise and co-ordinate their use of personal data but which also have to uphold certain commitments to protecting privacy. Privacy pressure group activists are also an identifiable factor.

Building upon some of our previous writings, we try to identify somewhat more precisely the participants (akin to ‘stakeholders’) who form the basic units of the system through which privacy-related decision-making takes place. A relevant and provisional minimal list of participants includes:

  • the agency(ies) that implement privacy laws and regulate practices
  • governments, which make policies and laws (including privacy laws) in which privacy is implicated
  • businesses, which use personal data
  • the public, who are data subjects
  • privacy pressure groups and other political actors, including the media
  • technology developers and providers

The following schematic diagram displays their possible categorical relationships within a system of privacy protection:


This picture can be looked at in at least two ways. In one sense, it describes players and their interdependence in what might be called an implementation system for privacy protection: that is, a system which shapes the outcome, or the quality of privacy that is available in the society. In this sense, the arrows could represent mutual support, as they all pull together towards protecting privacy. We could then perhaps observe that some arrows are ‘stronger’ or more important than others – that more support is offered in some relationships than in others. Nonetheless, from this perspective one can talk about synergy.

In another sense, however, and not completely different from the first, the diagram portrays a political system in which the attitudes and actions of participants contribute significantly to the outcome, as they use resources of various kinds – formal powers, money, technical expertise, publicity, and others – in a complex set of exchanges, influences, compromises, sanctions, shifting alliances, and so on. Looked at in terms of a policy and implementation network, the diagram can draw upon as well as provide a way of illuminating contemporary general theories and models of governance. What is particularly important is the distribution of power to determine the outcome. It is also a system or network in which the relationships may vary along a continuum between consensus and conflict; therefore, it is a political system and not simply a purpose-built or synergistic mechanism for producing privacy protection.

The paper keeps both of these related perspectives in mind, whilst also noting that there is no easily identifiable ‘top’ that can ensure that the outcome satisfies its intentions or desires. Even though there are legal and formal requirements, for instance, these cannot always be imposed even if imposing them were a sensible and desirable way to protect privacy. We argue that privacy protection has to be negotiated through the system described in the diagram, rather than decreed. This is most important if, beyond simply describing what happens, we are thinking of a scenario of instruments or strategies for privacy protection. This is especially so in view of what has become, in very recent years, a conventional wisdom that protecting privacy in the ‘information age’ depends upon some combination of legislation, regulatory activity, self-regulation by data users, privacy-enhancing technologies, and individual self-help by data subjects. In most discussions, these policy instruments have been considered in isolation one from another. There is a certain amount of rhetoric about a ‘mosaic of solutions’ or a ‘regulatory mix’. With a few exceptions, a serious treatment of how these approaches relate one to another within a coherent implementation system remains to be done. That task relies upon a better understanding of the roles played by the various participants within the system for the implementation of privacy protection policy, and of the conditions affecting their performance and interaction. We draw upon relevant political science literature on the nature and choice of policy instruments to develop these theoretical arguments, including a typology of instruments and comparisons among them according to certain selected variables. We emphasise that no policy instrument can stand alone: each one depends upon action elsewhere in the system, and that action may need to be cultivated, and relationships designed, rather than simply waited for to happen.

The paper is informed by research-based evidence from two cases: the UK and Canada. The former has been implementing a data protection regime since 1984. Canada has had data protection for the public sector since the 1970s, but has only just introduced statutory protection for private sector organisations, to be enforced from 2000. The analysis of these cases allows a comparison of one developed regime and one that is less developed, although they co-exist in a policy framework that is shaped in part by international understandings, the global spread of information and communications technologies, normative guidelines and institutional machinery. The paper suggests how the ‘co-production’ of privacy protection perhaps occurs in similar ways within two political systems that otherwise differ in a large number of structural and cultural respects.

By exploring these theoretical issues and empirical developments, the paper draws implications for practice that might contribute to future developments of data protection regimes on the basis of better understanding of systemic roles, relationships and interactions, as well as of policy instruments.