Best form of data protection is what is workable in a particular country

Posted by on May 8, 2020  /  0 Comments

I have been teaching regulation since the 1980s, using all kinds of text books and articles. Since around 2000, I was deeply engaged in training regulators all over the world. It was thus not a big deal to respond to a request to write an overview or pull together a bibliography. But what I found most useful was a question from a colleague about the one article/book I would say was central to understanding regulation. Not ten, not five, but one.

I was surprised by the answer that my brain came up with: Spiller, P. & Levy, B. (19994) The Institutional Foundations of Regulatory Commitment: A Comparative Analysis of Telecommunications Regulation, Journal of Law Economics and Organization. 10(2):201-46. I knew lots of people in the regulation field and considered many among them friends. But these guys I had never met. They were hard Chicago boys.

The basic point they were making was that there no “right answer” in terms of regulatory design. You had to see what the judicial system in a country was like, what the administrative law was like, what kind of hiring you could do for the regulatory agency. Depending on those answers, you had to come up with the design. In one country, the right answer could be a regulatory agency with its own fund and autonomy. In another, it could be some form of concession contract with arbitration.

Now the world is looking at the problem of data protection. Too many countries are being tempted to mimic the European model, the GDPR. In some cases they are being compelled, on pain of their companies losing work from the EU. But the problem is that even the Europeans find the GDPR model with stand-alone and procedure focused data protection authorities difficult to implement:

Frustrated by the lack of progress, Mr. Ryan spent several weeks examining budget and staffing data from 28 European countries. Mr. Ryan, who lives in Ireland and filed a complaint with regulators there against Google over its ad-targeting practices, found that all but three — Germany, Britain and Italy — had data protection agencies with annual budgets of less than €25 million.

In his report, to be published this week, Mr. Ryan found that most countries had only a handful of investigators with industrial expertise dedicated to reviewing technology industry cases. He is filing a complaint with the European Union asking it to penalize countries that do not give data protection agencies enough resources.

So that could be interpreted to mean that each country requires a minimum of 25 million Euros a year to run the data protection authority. That is over 2 billion Indian rupees, and over 5 billion Sri Lanka rupees in operational funds. There is no way a Sri Lankan data protection authority will be given even a fraction of that by Treasury.

So what are we doing by seeking to replicate European models when the evidence is clear that even the Europeans can’t operationalize their model effectively?

So we should go back to Spiller and Levy: the right answer has to be sought from the institutional capacity of the country, not from the model, GDPR or other.

Comments are closed.