Wednesday, October 29, 2008

Lessons from the failure of global financial regulation

The financial crisis has everyone talking about global financial regulation. Why didn’t regulations work? And how can regulation be reformed to prevent future melt-downs? Who should regulate in a global context? In a sense, these are the same questions I’ve been pondering for years, in the context of global privacy regulation. Like many people in the privacy community, I’ve been calling for better global privacy standards now, so that we’re not faced with a crisis later.

What lessons have we learned from the financial regulatory crisis that are relevant for privacy?

The issues are global. The crisis is global. Financial and data flows are global. Money, in all its diverse forms, flows across borders, making all of finance inter-connected. Global financial flows are now essentially digital data traffic. When it comes to money, and data, countries are not islands, as Iceland has clearly demonstrated. And if there’s anything that flows globally even more quickly than money, it’s data.

You can identify problems before they turn into crises. In retrospect, the problems were pretty obvious, even if people were enjoying the party at the time too much to want to sober up enough to confront them. It’s fashionable to claim that you can only identify a bubble in retrospect. I think that’s nonsense: I knew Florida condos were a bubble when my house painter bought a condo there, on which the annual maintenance fees alone exceeded his annual income, as he proudly told me, but he was unworried, “because real estate prices only go up.” Similarly, in the world of privacy, we already know what the issues are… so, the only real question is whether we need to wait for a crisis to muster the willpower to drive change.

Regulations that are out-of-date are useless. The financial crisis is exposing lots of regulations from other eras that have proven useless. I hardly need to remind readers of the bizarre patchwork of regulations that apply differently, or not at all, to banks, to investment banks, to special financial vehicles, to hedge funds, etc. Similarly, much of the world’s privacy regulations were designed for a pre-Internet world. Having regulations that are out-of-date means that they are either not applied at all, or applied poorly, or simply “re-interpreted” according to the tastes of individual regulators, like the German “regulator” who blithely declared all search engines to be “illegal”, whatever that means. So, having European data protection regulations that require things like “prior authorizations” from “supervisory authorities” before an international transfer of data is quaint (at best), or dangerous (at worst), in the age of the Internet. In fact, I think it’s dangerous to base international data protection rules on obsolete fictions, like the fiction that data flows somehow stop at borders.

Solutions have to be global. Without global solutions, we create the risk of regulatory havens, like tax havens, where actors can engage in regulatory arbitrage, moving from highly-regulated to lightly-or non-regulated spheres, be they countries or industries (e.g., the move from banks to hedge funds). Much of the privacy debate in recent years has been almost exclusively trans-Atlantic. For example, if you read the work of the EU Working Party data protection regulators over the last decade, you would come away with the impression that they are obsessed with privacy issues of US companies and the US government, while almost completely ignoring any privacy issues relating to data flows to or from anywhere else on the planet, such as India, to cite but one example. But surely, even EU data protection authorities in the anti-American ideological camp (perhaps I should use the German word “Anti-Amerikanismus”) will recognize that the US provides much more solid legal protections for personal data than the vast majority of countries on the planet. So, the obsession with the trans-Atlantic data flows issues is actually becoming dangerous, if it blinds us to the global nature of data flows. That’s one reason why I’m so excited about the APEC initiative, a process where many countries with no tradition of privacy laws are coming together to define privacy standards that are up-to-date, multi-national, and forward-looking. APEC is the most positive thing to happen in the world of global privacy standards since the EU Data Protection Directive of 1995.

Enforcement has to be local. While regulations need to be thought of in global terms, enforcement has to be local, to remain anchored in local legal and regulatory traditions. Some have suggested that we should create “super-regulators” with global mandates, like a mini-UN agency. Personally, I think international bodies have a strong role to play in driving forward international standards, but I’ve watched too many international meetings descend into farce to have much hope that they can function as day-to-day regulators. Moreover, different countries cannot have the same regulatory structures, often because of fundamental constitutional reasons. The US simply cannot have an independent Federal Data Protection Authority in the French mode, because the US Constitution wouldn’t allow it. So, calls for global harmonization of regulatory structures are doomed. The French can try to convince French-speaking Ivory Coast of the need to create a French-style data protection authority, and they may succeed, but that’s not a formula for global success. Whether that’s good for the Ivory Coast is another question entirely. The Spanish can try to convince Spanish-speaking Colombia of the need to create a Spanish-style data protection authority, and they may succeed, but they can’t expect a country with a very different constitutional structure, like the US, to follow that lead. There are some people who honestly believe that you can’t have privacy without an EU-style data protection authority…well, hey, they might want to open their eyes wider.

Regulatory experimentation is a good thing. No one really has all the answers. The US experimented with Security Breach Notifications laws, and they generally seem to work, so Europe is adopting them too. Europe experimented with the creation of dedicated privacy Data Protection Authorities, and many countries around the world, from Argentina to New Zealand, have adopted them since. Maintaining some level of regulatory experimentation, even as we move towards global privacy standards, is a healthy foundation for the innovation in privacy frameworks that we need.

There’s no “Mission Accomplished” moment. Moving towards global privacy standards will be a multi-year process, with steps forward, and back, with vigorous debates, with ideology, with pragmatism, with passion. It’s a process, hopefully with progress in a more or less straight line, towards ensuring better privacy protections in our new global reality. Some people will stress the need for a legal framework and legal enforcement powers; others will stress the usefulness of self-regulatory standards. That’s fine, and it reflects traditions: some peoples expect the government to solve most of their problems; others expect the private sector to do most of the work. One thing is certain; we’ll need to carry on this debate virtually, without expensive global summits or conferences, since thanks to the global financial crisis, none of us can afford to travel anymore. Oh well: blogging is great and free.


deincognito said...


Fully agree.

It is nice to know that Google HHRR team did great job when hired you.

Until today, Google is being a reference in privacy respect, even though Google has become some kind of Big Brother and that many people are not understanding the issue in its deepness.

Definetely, your company and personal efforts are keeping out of my mind the idea of Google as a Panopticon. Specially, because you have been the exclusive Internet search company and service provider that has protected its users privacy against Government surveillance.

Notwithstanding, there are still so much work to accomplished.


deincognito said...


Although I am agree on some of Google opinions, proposals, initiatives and compromises regarding users privacy protection, this could be an example of some of the things to work on.,1000000189,39540137,00.htm

IP addresses and cookies, in my opinion, are personal identifiable information, and as such should be under privacy protection laws. I think, finally, europeans have properly explained what is personal identifiable information, event though i.e. transposition in Spain has not followed the direction pointed out by Mr. Hustinx. "Identifiable person" concept in regulation 5.o of Royal Decree 1720/2007 definition is exactly missing the point, as such Munich court mentioned by Mr. Hustinx.

On the other hand, "putting users in charge", as proposed by APEC Privacy Framework and yourself, is not the way. It is impossible for individual human beings to control all his or her personal data treatments on their every day live, and this will be much more difficult on the future.