Going Dutch? Collaborative Dutch Privacy Regulation and the Lessons it Holds for U.S. Privacy Law

Michigan State Law Review, Dec 2013

By Dennis D. Hirsch, Published on 01/01/13

GOING DUTCH? COLLABORATIVE DUTCH PRIVACY REGULATION AND THE LESSONS IT HOLDS FOR U.S. PRIVACY LAW

Dennis D. Hirsch*

2013 MICH. ST. L. REV. 83

* Geraldine W. Howell Professor of Law, Capital University Law School. Fulbright Senior Professor (2010), Institute for Information Law, University of Amsterdam, Faculty of Law, Amsterdam, the Netherlands. This Article would not have been possible without the assistance and support of others. The author conveys his deepest thanks to: the Fulbright Program, sponsored by the U.S. Department of State, which funded the author's semester in the Netherlands; the Institute for Information Law (IViR) of the University of Amsterdam, Faculty of Law, particularly Professor Bernt Hugenholtz, Professor Nico van Eijk, and Anja Dobbelsteen, who made the author feel welcome and facilitated his research; Capital University Law School, which provided the sabbatical and summer research grant required for the research and writing; the interviewees, who gave generously of their time and knowledge; Professors Peter Swire and Dan Solove, who offered early encouragement and support; Professors Bert-Jaap Koops, Ira Rubinstein and Dan Fiorino, who commented on early drafts; Kim de Beer, Bob de Jong, Jennifer Lause, and Abi Zimmerman, who provided highly effective research assistance; and, most especially, the author's wife Suzanne and children Clara and Zander, who embarked with him on an adventure to the Netherlands and were the best traveling companions anyone could ever hope for. The author claims sole responsibility for any errors or omissions in this Article.

TABLE OF CONTENTS

INTRODUCTION
I. RECENT U.S. PROPOSALS INCORPORATE THE SAFE HARBOR APPROACH
    A. Baseline Privacy Rights
    B. Privacy Safe Harbors
II. COLLABORATIVE GOVERNANCE THEORY AND THE QUESTIONS THAT IT RAISES
    A. The Case for Collaborative Governance
        1. Process
        2. Substance
        3. Compliance
        4. Reasons for Choosing a Collaborative Approach
    B. Concerns about Collaborative Governance
        1. Process
        2. Substance
        3. Compliance
        4. Reasons for Choosing a Collaborative Approach
III. DUTCH DATA PROTECTION CODES OF CONDUCT: AN EXPERIMENT IN COLLABORATIVE GOVERNANCE
    A. Legal Foundations
        1. European Data Protection Law
        2. The 1989 Law on Personal Data Files
        3. The 2000 Personal Data Protection Act
    B. Comparing the Dutch and the Proposed American Safe Harbor Programs
IV. WHAT THE DUTCH EXPERIENCE CAN TELL US ABOUT COLLABORATIVE PRIVACY REGULATION
    A. Why the Dutch Government Utilized, and Dutch Industry Embraced, Data Protection Codes of Conduct
        1. Why the Dutch Government Utilized Codes of Conduct
        2. Industry's Reasons for Participating
    B. The Process of Producing Codes of Conduct
        1. Information Sharing
        2. Joint Problem Solving
        3. Agency Capture and Industry Influence
        4. Adaptability
    C. The Substance of the Codes of Conduct
        1. Tailoring and Workability
        2. Cost-Effectiveness
        3. Leniency
        4. Anti-Competitiveness
    D. Compliance and the Code of Conduct Approach
        1. Traditional Enforcement
        2. Building Awareness
        3. Ownership and Acceptance
        4. Self-Policing: Bringing up the Bottom
        5. Self-Policing: Monitoring Peers
        6. Third-Party Certification
    E. Unanticipated Functions of the Dutch Codes of Conduct
        1. A Dialogue About Statutory Meaning
        2. Migrating Codes
        3. Codes to Integrate Statutes
        4. Codes to Resolve Conflicts Between Statutes
V. RECOMMENDATIONS FOR U.S. PRIVACY LAW AND POLICY
    A. Minimizing Weaknesses
        1. Require Third-Party Audits
        2. Build in Stakeholder Input
        3. Protect New Entrants
        4. Improve Adaptability
    B. Maximizing Strengths
        1. Make the Safe Harbor Program Sector-Based
        2. Include All Statutory Requirements
        3. Pass a Baseline Privacy Statute
        4. Recognize Safe Harbor Participants (...truncated)


This is a preview of a remote PDF: https://digitalcommons.law.msu.edu/cgi/viewcontent.cgi?article=1017&context=lr
Article home page: https://digitalcommons.law.msu.edu/lr/vol2013/iss1/4

Dennis D. Hirsch. Going Dutch? Collaborative Dutch Privacy Regulation and the Lessons it Holds for U.S. Privacy Law, Michigan State Law Review, 2013, Volume 2013, Issue 1,