Introduction
Private regulation forms an integral part of today's global governance. Although private regulation is not entirely new, there is a broad consensus that its importance has risen in recent decades, leading many political economy scholars to question the sources of its emergence and legitimacy.Footnote 1 Either implicitly or explicitly, they all contributed to a broader discussion of the role of states in the global economy. If some saw the rise of private regulation as representing a form of governance beyond the state,Footnote 2 others emphasized its potential to complement public policies.Footnote 3 Among all the potential contributions of private regulation, one of the most often cited is its flexibility and capacity to experiment with new ideas. Its relatively low degree of legalization is seen as allowing “private regulators [to] more easily change [their] rules in response to new information or circumstances.”Footnote 4 The possibility for greater experimentation in private regulation is, in turn, considered to provide learning opportunities and help make the regulation of various issue areas more adaptive.Footnote 5 This idea is at the heart of a growing experimentalist governance literature promoting the design of regulatory environments in which feedback loops can emerge among public and private regulators and shape their respective rulemaking processes.Footnote 6 Paraphrasing a well-known Chinese expression, Green suggested that states may benefit to “simply let 1,000 flowers [i.e., private regulation] bloom and see which rules appear robust.”Footnote 7
Implementation gaps have led several scholars to question whether private regulation was not merely a “myth” and to criticize its actual contributions to global governance.Footnote 8 Before even looking at implementation failures, though, one key question for those arguing that private regulations can act as “incubator[s] for ideas”Footnote 9 or “laborator[ies] of standards”Footnote 10 is under which conditions they depart from existing legal requirements. Hereafter, I argue that it depends on the nature of the demand driving the creation of private regulations. Private regulations created to reduce transaction costs and, notably, to help companies fulfill their legal obligations will tend to spur limited novelty. Meanwhile, private regulations responding to industry demands to gain a first-mover advantage or increase their reputation should lead to greater novelty as businesses try to gain a competitive edge.
I develop this argument through an abductive analysis of the evolution of private regulations governing the use of personal data in the transatlantic area between 1994 and 2018. In both the United States and the European Union, if to different degrees, policymakers presented private regulations as instrumental in achieving a more flexible and robust form of governance. While showing that some of these regulations supported the creation of new data privacy rules, I highlight that these rules were mainly limited to those adopted in the United States early on. I then argue that these variations across time and jurisdictions reflect the different demands for private regulations. In Europe, private regulations were expected to implement public requirements following the adoption of the Data Protection Directive in 1995. In the United States, private actors hoped to achieve a first-mover advantage and avoid further public regulation by demonstrating their capacity to self-regulate. However, growing demands to develop privacy programs to allow the transfer of personal data across multiple jurisdictions pushed them to increasingly approximate legal requirements from multiple jurisdictions, including Europe. Therefore, recent private regulations for data privacy adopted in both jurisdictions now aim to help companies implement their legal requirements more than anything else.
Through this work, I contribute to the literature on private governance in two distinct ways. Theoretically, I identify how the different demands for private regulation shape the extent to which they act as policy incubators. Various scholars have emphasized how governments and businesses support the creation of private regulations to obtain varying benefits. I demonstrate that these different demands also affect the content of these regulations, and thereby their potential contribution to global governance. Most notably, I show that private regulations aiming to reduce transaction costs play a limited role as policy incubators. Empirically, I build my argument while investigating the still relatively unexplored case of private regulations governing businesses’ use of personal data. While early research on private forms of regulation pointed to data privacy as an area in which private regulation was growing,Footnote 11 none analyzed the evolution of their content at length. Hereafter, I use a novel dataset of 127 data privacy regulations adopted in the United States and the European Union to highlight the limited role that private regulations played as incubators for new data protection rules. I then present qualitative evidence from thirty-five semistructured interviews to explain how this reflects the different demands for their creation in both jurisdictions and their evolution over time.
The remainder of this article is divided into four sections. The first presents my argument and details how different demands for private regulation affect its role as an incubator for new regulatory ideas. The second section introduces my empirical case and methodology. The third section identifies when and where regulatory novelties emerged in data privacy governance between 1994 and 2018 in Europe and the United States. It highlights that apart from a few private regulations adopted before 2000 in the United States, most did not include any novel rules and primarily aimed to implement privacy requirements originally set out by public actors. The fourth section explains how this finding reflects the evolution of the demand for private regulation to govern data privacy in the European Union and the United States.
Private regulation, experimentation, and regulatory novelty
Private regulations take many forms and names. Certifications, codes of conduct, best practices, guidelines, and standards are just a few examples that have been promoted in areas like financial reporting,Footnote 12 emissions accounting,Footnote 13 labor practices,Footnote 14 and commodity trading.Footnote 15 While differing in their specific aims and functions, they all reflect attempts by nongovernmental actors to formulate rules shaping business conduct. The term “regulation” here is preferred to “governance,” as the latter is considered broader, including activities such as agenda setting, implementation, and monitoring.Footnote 16 Concomitantly, regulation is not assumed to be limited to state or legal actions.Footnote 17 It includes policy documents codifying rules that firms and other nongovernmental actors follow voluntarily, sometimes dubbed “soft laws.”Footnote 18
While some scholars have long been critical of the actual contributions of private regulations to global governance,Footnote 19 others believe they can help fill regulatory voids. At both the internationalFootnote 20 and national levels,Footnote 21 the presence of multiple veto points can limit the capacity of public actors to adopt new regulations, creating a risk of leaving some issues lightly or ineffectively regulated. Private regulations are considered a potential fix for this governance failure as they face fewer constraints in their adoption process.Footnote 22 More than a mere substitute or second-best option to public regulations, though, a growing body of literature emphasizes how private regulations can interact with and complement public regulations.Footnote 23 One such way, and the focus of this article, is by acting as an “incubator for ideas”Footnote 24 or a “laboratory of standards.”Footnote 25
Public regulators must continuously look for ways to adapt their regulatory frameworks to changing circumstances and avoid a potential “problem of fit.”Footnote 26 Optimal solutions are often elusive because of uncertainty, limited access to information, and sheer problem complexity.Footnote 27 Moreover, the difficulty of adopting new laws can push governments to be risk averse and follow established models. In this context, private regulations can theoretically have a positive impact by growing the size of the “soup of policy ideas.”Footnote 28 Their “low costs of entry”Footnote 29 allow them to proliferate rapidly and often before sufficient support for new public institutions emerges.Footnote 30 In practice, not all private regulations are cheap or easy to adopt.Footnote 31 Some face multiple veto points, with consequences for their design.Footnote 32 However, on average, private regulations face fewer barriers to their adoption than public ones and are easier to amend once adopted because of their lower degree of legalization.Footnote 33 Therefore, some hope they can support a more experimentalist form of governance.Footnote 34
Experimentalism is understood here as a specific governance process through which regulators recursively update their policies or regulations as they learn from their implementation.Footnote 35 Private actors can contribute to this process by updating their private regulations as they implement them. Over time, public regulators can benefit from these repeated experimentations among private actors by institutionalizing those that prove most successful, spurring further experimentation by private actors. Many representatives from the industry specifically tout this potential contribution in the context of the regulation of new technologies, which are considered to evolve too quickly for governments to regulate effectively. One interviewee for this research made this very argument when asked about what their private regulation was aiming to achieve: “The problem with legislation is that it takes a long time. It is not enough in a world of fast-paced technological change.”Footnote 36 Such statements should not, however, be taken at face value. As previous contributions have highlighted, private regulations can emerge in an attempt by industry actors to avoid further government intervention.Footnote 37 In this context, they may be more interested in limiting their regulatory constraints than supporting an experimental form of governance.
A key question, then, is under which conditions private regulators will experiment with new regulatory ideas instead of simply implementing existing legal requirements. Up to now, the literature on private authority has emphasized the possibility for industry groups or firms to create new principles and rules.Footnote 38 However, the conditions under which they do so remain largely unexplained. The emphasis is on private actors’ potential to experiment with new rules, not the actual demand by private actors for them. In one contribution, Stefan Renckens notes how preferences for differentiation were the source of “upward divergence” in the regulation of organic products.Footnote 39 What drives the creation (or not) of rules in other issue areas remains an open question.
Meanwhile, experimentalist scholars disagree on the need for central oversight to ensure that private governance systems will lead to “ratcheting up”Footnote 40 or “upward harmonization.”Footnote 41 Their focus is on the effectiveness and normative contribution of private governance. They investigate the role that public pressure must play to spur private actors to improve their standards rather than progressively weaken them. Yet they do not so much consider what drives private actors to include new rules. As the term “upward harmonization” implies, private actors can adopt existing public or private rules that appear as best practices. Therefore, they do not specify when we should expect private regulators to experiment with new regulatory ideas.
In this article, I argue that the tendency of private regulations to include new rules depends on the origin of the demand for their creation. Following an abductive method,Footnote 42 I use existing explanations for the emergence of private authority as an initial theoretical frame to consider when we should expect private regulations to include novel rules. Previous research has emphasized that private regulations emerge to provide at least three benefits.Footnote 43
First, they can help reduce transaction costs.Footnote 44 Transaction costs include information, bargaining, and policing costs incurred in carrying out market transactions.Footnote 45 Governments can notably benefit from private regulation to achieve legal compliance without developing the necessary knowledge or expertise to audit every business.Footnote 46 Meanwhile, private companies can aim to reduce their transaction costs by leveraging the knowledge of industry associations or certification companies to meet their legal requirements. Rather than investing time and resources to develop in-house expertise, they can rely on readily available compliance programs to achieve comparable outcomes.Footnote 47 Second, private regulations can provide a first-mover advantage. By regulating first, private companies can avoid potentially more restrictive public regulation and the potential costs of switching to another standard of practice.Footnote 48 Third, private regulations can offer reputational gains. Private companies can use them to differentiate themselves and reap economic rewardsFootnote 49 or at least avoid negative publicity.Footnote 50
More than simply affecting where and when private regulations emerge, I infer from my empirical analysis that these three different demands also shape their content. Private regulations adopted to reduce transaction costs in highly regulated environments tend to closely approximate legal requirements and include few regulatory novelties. Businesses have few reasons to go beyond legal compliance as they cannot realize additional benefits. Adding new rules can even go against the original demand for private regulation, which broadly aims to make compliance more straightforward for private companies. In contrast, private regulations created to make reputational gains and gain a first-mover advantage are more likely to include new rules. By including new rules, they can differentiate themselves and gain positive visibility. Notably, they can aim to show that they are being more proactive in the hope of raising their public profile. Adding new rules can also help them keep control over the regulatory agenda by acting before other private actors, thereby avoiding potential costs associated with adopting another standard. Finally, it allows them to showcase their goodwill to public actors and fend off additional oversight. I develop this argument by combining insights from a content analysis and interview data. In the next section, I start by introducing the case of data privacy and my methodology.
Data and methods: Regulatory novelties in European and US data privacy regulations
Both the United States and the European Union rely on a mix of public and private regulations to govern the use of personal data in the private sector. In the United States, next to sectoral laws covering specific types of data (e.g., health data) or categories of users (e.g., children), industry self-regulations are the main source of obligations for the use of personal data in the private sector.Footnote 51 In comparison, the European Union has had a comprehensive privacy regulation covering the use of personal data throughout the private sector since the adoption of the European Data Protection Directive (DPD) in 1995. At the same time, European regulators continuously involved private actors in the regulation of privacy. Article 27 of the DPD indicated that member states and the European Commission should promote the adoption of codes of conduct in various economic sectors. Article 42 of the General Data Protection Regulation (GDPR) now requires them to also support the creation of certification schemes.Footnote 52 Notably, the inclusion of private forms of regulation was seen as a valuable complement to public regulations because it offered “greater flexibility in the way that [its] rules are implemented on the ground.”Footnote 53
To observe when private regulations go beyond legal compliance and experiment with new rules, I built an original dataset of 127 public and private regulations adopted in the United States and the European Union between 1994 and 2018. The choice to focus on these two jurisdictions reflects their historically prominent role in global privacy debates. If China was notably presented as a third “data realm,”Footnote 54 it only recently contributed to shaping global privacy debates.Footnote 55 Meanwhile, the time frame is used to reflect on the extent to which private regulation acted as incubators for regulatory ideas before and after the adoption of the DPD and GDPR in Europe. It also broadly follows the growth in online data collection following the commercialization of the Internet in 1995 and the accompanying surge in industry codes and certifications, as illustrated hereafter.Footnote 56
I identified each private regulation based on extensive research in the literature and previous work mapping out the ecosystem of private regulation dealing with data privacy.Footnote 57 I also asked all interviewees for this research to name the main private organizations in the privacy field to be as exhaustive as possible. For this project, I only consider regulations adopted by private organizations aiming to codify rules for multiple businesses (i.e., industry codes or certification schemes). In other words, the privacy policies of individual companies are excluded. Looking at corporate practices, Bamberger and Mulligan notably found that companies in countries with privacy regimes as different as the United States and Germany showed themselves to be innovative and to go beyond legal compliance.Footnote 58 They emphasized that privacy officers in both countries pushed to integrate privacy concerns in the decision-making process of their respective businesses, including audits and other managerial practices.
The focus of this study differs slightly in that it aims to assess the extent to which private actors create new substantive standards or rules. In that regard, private regulations adopted by industry associations or certification companies help determine the privacy policies of large companies like Facebook or Apple that follow them, but also smaller ones that lack the resources to have full-time legal teams. In their work, Bamberger and Mulligan mainly looked at the practices of large companies, with half representing global corporations in the Forbes 2000 list.Footnote 59 Moreover, industry associations and certification companies are generally well-positioned to experiment with new rules as they can learn from the practices of their respective members while also developing a specific expertise in drafting data privacy regulations. This research thus complements Bamberger and Mulligan's work by looking at the extent to which private actors create new substantive data privacy rules while looking at industry-wide codes of conduct and certification schemes. At the same time, it is important to note that individual companies could still experiment with new substantive data privacy rules, a point I come back to in conclusion.
In the United States, the dataset includes privacy guidelines and certification programs developed by organizations like TrustArc (previously TRUSTe), the Better Business Bureau, and the Entertainment Software Rating Board. For organizations maintaining multiple programs, I only kept those applicable to all companies and types of data practices. In Europe, the dataset includes those of organizations operating at the European level, like the Federation of European Data and Marketing, EuroCommerce, and the European Society for Opinion and Market Research, as well as those operating in multiple European member states, such as TrustedShops. Private regulations operating in only one European member state are excluded. While they may include different rules, most are affiliated with European associations and thereby follow them. As discussed in the empirical section, the early adoption of the European DPD in effect set the baseline for data protection in Europe and pushed national industry associations to work through their umbrella organizations at the European level.Footnote 60
Public regulations covered in the dataset include “hard” or “soft” laws adopted by the US federal government, the European Union, and international institutions in force after 1994 to identify the extent to which private regulations moved beyond their legal obligations and experimented with new rules. These notably include US laws adopted to govern the use of personal data by private companies in limited sectors (e.g., children's data or health data), European directives and regulations, and the Organisation for Economic Co-operation and Development's privacy guidelines. State laws in the United States and national laws in the European Union are excluded.
Although excluding state laws is a limitation of this study, the first state privacy law in the United States was adopted in California in 2018, the last year of the period covered by this research. The adoption of the first data breach notification law in 2002 in California is an important exception, and necessary caveats will be made when needed. Meanwhile, national governments in Europe were required to implement the DPD. If they could technically go further and experiment with new rules, the European Commission in the years following the adoption of the DPD was mainly concerned with a lack of transposition of European standards, especially in the first few years of its entry into force, when most private regulations included novelties, as will be shown in the next section.Footnote 61
Figure 1 depicts the growth in the cumulative number (i.e., the stacked distribution) of private regulations in force in the United States and the European Union from 1994 to 2018. Private regulations are considered to be in force until the industry group adopting them stops maintaining them or ceases its activities altogether. Each shaded area reflects a region's total number of regulations. Private regulations that are transnational are presented separately.
The data presented in Figure 1 reveals a significant increase in the total number of private regulations in force since 1994. Moreover, it shows that private regulations initially grew more quickly in the United States than in the European Union. The number in the latter quickly caught up, however, indicating a similar interest in using private regulations to govern the use of personal data by private companies following the entry into force of the DPD in 1998. While the total number of private regulations has remained relatively stable since then, partly because some industry groups closed down their self-regulatory programs as new ones emerged, Figure 1 does not fully encapsulate the continued dynamism of private regulators in this space. Many of them regularly revised and adopted new versions of their regulations, including additional requirements. Considering these revisions separately, four new private regulations were created on average each year, for a total of 105 from 1994 through 2018.
The recursive process of adopting and revising private regulations broadly aligns with the argument that they can facilitate a more experimental form of governance. Some might indeed assume that it reflects these associations’ tendencies to adjust their regulations as they learn from their implementation. Such an assumption, however, fails to consider the extent to which revised regulations create new requirements rather than simply transposing more of their existing obligations, including legal ones, into business practices.
Drawing meaningful inferences about the degree to which private regulations experiment with new rules requires going one level deeper and looking at how their content changes over time. For that purpose, I manually coded the text of all these different regulations using Nvivo.Footnote 62 Among all 127 identified public and private regulations, I identified 14 principles and 73 rules. Principles are “open-ended as to the range of actions they prescribe, while rules prescribe specific actions.”Footnote 63 As opposed to technical standards defining, for example, detailed production techniques, many rules are general in their prescriptions. Yet they always prescribe a relatively clear action rather than a broad objective. For example, the first principle identified in the dataset is transparency, which is divided into eleven more specific rules. The latter notably include the obligation for companies to have a privacy policy informing individuals of how their data is being used, to provide information about the type of data that they use, and to communicate how they might disclose this data. Clear inclusion and exclusion coding rules for each principle and rule are available in a codebook.Footnote 64
I created the codebook following a two-step process.Footnote 65 In the first step, I deductively identified a set of principles and rules based on legal resources put out by law firms and data protection authorities to help businesses implement the GDPR. In the second step, I used this first set of principles and rules to code a randomly selected pool of twenty regulations while respecting a balance between regulations adopted over time in the United States and the European Union. Based on this first coding, I revised the original codebook to include principles and rules that did not fit any deductively identified codes. This combination of deductive and inductive work proved essential, given the absence of previous studies looking comprehensively at the content of data privacy regulations and given this research's interest in identifying novelty.
Using the final codebook, I coded the entire dataset of public and private regulations. I then identified when and where regulatory novelties emerged. For this article, the latter are understood as the first instance that a specific data privacy rule is enunciated. In the rare cases where two regulations adopted the same rule for the first time in the same year, both were considered to include a regulatory novelty. This is not the only form regulatory novelty can take. The application of an existing rule in a new context could be considered novel but is not investigated here. With that caveat in mind, I consider the enunciation of new rules to be a crucial way to observe whether and when private regulations act as “incubators” or “laboratories” for new regulatory ideas.
I supplement this content analysis with data from interviews with thirty-five representatives from public and private organizations in the United States and Europe, conducted between November 2018 and June 2019. I selected interviewees based on their current or past employment with public and private organizations that adopted privacy regulations between 1994 and 2018. They include directors, heads of units, public affairs officials, and legal advisers. As a whole, they represent almost all public and private organizations involved in regulating privacy in the United States and the European Union. It was impossible to identify interviewees for only a few defunct private organizations.Footnote 66 I collected each interviewee's name and contact information from publicly available resources or from other interviewees. In terms of geographical diversity, 40 percent of interviewees worked for organizations in the United States and 60 percent in Europe.
All interviews lasted about an hour. I conducted a third of them in person during a research stay in Brussels and the other two-thirds over the phone. I asked every interviewee to comment on the process of developing privacy regulations and how they interacted with other public and private regulators in their work. I transcribed and coded interview notes using Nvivo according to inductively identified concepts (e.g., fragmentation, implementation, transaction costs, reputation gains). To ensure confidentiality and to promote transparent discussions, interviews were not recorded. Interview quotes are used to support and help explain the results from the content analysis in the last section.Footnote 67 The next section first presents the extent to which private regulations included regulatory novelty and how their content evolved more broadly.
Private regulations: Experimentation or implementation?
The regulation of data privacy in the transatlantic area substantively changed following the adoption of the European DPD in 1995. New rules transformed the way that private companies can collect and use personal information, such as the so-called right to be forgotten. Until the inclusion of this right in the GDPR, companies had to erase personal information if found to be erroneous or if it could lead to wrongful decisions. Someone could, for example, challenge inaccurate information used to calculate their credit score. The right to be forgotten allows individuals to request the erasure of information if they believe it to be “no longer necessary in relation to the purposes for which they were collected or otherwise processed.”Footnote 68
The right to be forgotten is one prominent example of a new rule, but it is not the only one. According to my content analysis, 59 rules were created between 1994 and 2018. They include new transparency rules requiring businesses to specify how long they can keep personal information and to whom they can transfer it. There are also new rules dealing with how companies can collect consent and how they should act in the event of a security breach or data leak. Figure 2 depicts the total number of regulatory novelties in public and private regulations from 1994 to 2018. Each type of regulation is represented in a different color. No bar in a year means an absence of regulatory novelties.
The first black bar in Figure 2 reflects the DPD, which is the regulation with the most novel rules in my dataset (16). Meanwhile, the last represents the GDPR, with five novel rules. These are the right to be forgotten, the right to data portability, the right to restrict the use of personal information, the right to representation, and the obligation for private companies to inform individuals of the safeguards abided by third parties to which they transfer their information. Between the adoption of the DPD and the GDPR, two-thirds (66 percent) of all novel rules came from private regulations.
For example, a private regulation was the first to require private companies to inform their consumers when they collect their personal data passively. Many companies now collect their consumers’ data without having them fill out forms and instead rely on all sorts of information stored by digital devices when offering online services to their customers. This can range from a list of visited websites to geolocation data. These data collection methods are, by nature, difficult to observe. Early on, private associations set out a requirement that their member companies should minimally inform people if they used such passive forms of data collection. It often took the form of what we now know as “cookie banners.” Other regulatory novelties found in private regulations include a requirement for companies to evaluate the data practices of third parties on which they rely to collect personal information and an obligation to provide training on good data practices to their employees. Despite excluding the California data breach notification law from the dataset, the first time a requirement to inform individuals whose personal data has been affected by a data breach appears in my dataset is in a public regulation.Footnote 69 Interestingly, however, my dataset indicates that after the adoption of the California law, some private regulations went further and required companies to maintain a data breach management policy and notify public authorities as soon as possible.
The dataset shows that private regulations can experiment with new regulatory ideas and, to some extent, provide greater flexibility to the regulation of an issue area, such as data privacy. At the same time, the almost entire absence of regulatory novelties in private regulations created since 2000 casts doubt on the idea that they are in a continuous experimentation process. The representation of yearly aggregates also hides the unequal distribution of these regulatory novelties across time and space. Figure 3 presents how each private regulation, including each revision separately, scored on a novelty ratio over time and by the region where it was adopted. The ratio represents the total number of times a regulation included the first-ever enunciation of a rule divided by the total number of rules created over that period (59).Footnote 70 Black squares and gray crosses represent private regulations adopted in the European Union and the United States.
What stands out is that most private regulations do not include novel rules. Apart from a handful created between 1994 and 2000, most of the squares and crosses closely follow the x-axis.Footnote 71 Strikingly, Figure 3 also shows that almost all private regulations that included new rules during that period were adopted in the United States. Only one regulation in Europe, created in 1994, before the adoption of the European DPD, experimented with more than one new rule. Since then, only two private regulations adopted in the European Union in 2001 included the same new rule requiring companies to anonymize or pseudonymize personal data before using them.Footnote 72 They concomitantly have a relatively low novelty ratio (0.02) and remain close to the x-axis.
This does not mean that all private regulations created since then were alike. As Figure 4 highlights, the average number of rules found in private regulations adopted every year between 1994 and 2018 more than doubled and now averages close to 24. It is still much less than the GDPR, which has 50 substantive rules, but it is a significant change. Many private regulations became more comprehensive over time. For example, the 2018 version of the privacy program of TrustArc, one of the most well-known private regulations dealing with data privacy in the United States, had 48 rules. Other private regulations recently adopted in the United States and the European Union had a similar number.
Rather than creating ever-more novel data privacy rules, what stands out is that private regulations increasingly repeated those from previous regulations and, chiefly, those first put forward by public authorities. According to my calculations, on average, only 38 percent of the rules included in private regulations adopted before 1999 repeated requirements found in a law or another type of public regulation. The share of public rules included in private regulations quickly rose above 50 percent in the following years and is now often above 60 percent. In the case of the 2018 version of TrustArc's privacy certification, as much as 69 percent of its content repeated public rules. This indicates that as private regulations evolved and grew in length, they came to include more rules originally enunciated by public actors than private ones. It is also worth emphasizing that some early novel rules in private regulations were incorporated into laws before other private regulations adopted them. This is notably the case for rules developed to govern the use of children's data, which are now found in laws in the United States and Europe.Footnote 73
In the absence of a comprehensive federal privacy law in the United States, the growing inclusion of public rules in US private regulations significantly reflects the inclusion of rules from the DPD and the GDPR. Figure 5 shows the evolution in the ratio of European legal requirements included in US private regulations. The ratio represents the number of rules originally found in a European directive or regulation divided by the total number of rules present in each US private regulation. Each box then displays the spread in the ratios of all US private regulations adopted every five years. The vertical lines above or below the boxes indicate the minimum and maximum of the distribution, the bottom and top of the boxes indicate the first and third quartiles, and the horizontal line indicates the median.
Figure 5 shows that the median ratio of European legal requirements in US private regulations quickly increased by 10 percent after 2000. Despite going down slightly in the following years, the diminution in the spread toward a lower ratio indicates that, compared to previous periods, very few regulations do not include multiple rules originally from the DPD. After 2015, the spread goes up again, showing that some US private regulations have more than 40 percent of their content replicating European legal standards. For example, the two most recent private regulations adopted in the United States in the dataset used for this research, Verasafe and TrustArc, include the so-called right to be forgotten introduced in the GDPR. It echoes the “Brussels effect,” whereby European rules gain global influence because of the European Union's market size and regulatory capacity.Footnote 74 Private regulation can help US private companies by developing services allowing them to fulfill their legal requirements in multiple jurisdictions at once or at least minimize adaptation costs if they ever want to work with personal data from Europe. The next section details how this reflects the evolution of the demand for private regulations and how it shaped the inclusion of regulatory novelties in the European Union and the United States.
The different demands for private data privacy regulation
My content analysis shows that apart from a short period of time, and primarily in the United States, most private regulations did not experiment with new data privacy rules between 1994 and 2018. Instead, they began to increasingly approximate public requirements. In this section, I combine interviewee data with additional qualitative evidence to show how this reflects the different demands for private regulation dealing with data privacy and their evolution in the European Union and the United States.
European Union
In Europe, only one private regulation adopted in 1994 experimented with more than one new rule. As noted by an interviewee working closely with the association behind this regulation, it reflected an attempt by the industry “to preserve the public trust.”Footnote 75 The interviewee added that by acting first, they hoped to gain “a first-mover advantage” by contributing to setting the rules of the game.Footnote 76 In that respect, the adoption of the DPD in 1995 limited the possibility for other European industry actors to gain a first-mover advantage. Private regulations adopted afterward could no longer, at least in the short term, remove the threat of regulation or hope to set the rules for their industries.
The DPD effectively required all European member states to adopt a law to ensure its application in their territory by 2000. This is why most private regulations adopted in Europe came after the turn of the millennium. Before then, private regulations came mostly from the United States, as highlighted in Figure 1. As European private regulations could not impede the adoption of privacy laws, industry actors decided to wait and see what public regulations would require. A similar process took place after the adoption of the GDPR. One interviewee working for an industry association behind one of these early private regulations noted this incentive to wait: “Nobody wanted to make the jump without knowing what [public regulators] actually wanted. People feared it could quickly become useless. At the same time, they did not want to go too far if it was not needed.”Footnote 77 They added that all industry actors waited on “clarifications from the European Data Protection Board before doing anything.”Footnote 78 Another interviewee noted that their suggestion to create “a bridge between the GDPR” and their existing code was swiftly rejected by the data protection authorities with which they were in contact. Their national contact point made clear that the GDPR needed to be the starting point for future regulatory development, not previous private regulations. Without clarity on how European privacy regulators wanted industry actors to implement the GDPR, the same interviewee added that their organization consciously decided to wait before making any changes. This is reflected in the absence of new private regulations created in Europe in the two years following the adoption of the GDPR in 2016.
Once the DPD entered into force and European member states started adopting national privacy laws, private regulations became useful tools to help companies reduce the transaction costs associated with the directive's implementation. This was especially true in the context of the still-fragmented European digital market. As one interviewee argued, the adoption of the DPD did not lead to a uniform set of rules across Europe: “All the industry was complaining that rules applicable to data protection were applied in a fragmented way.”Footnote 79 While all member states of the European Union had to implement the DPD in their national law, they diverged slightly in their level of stringency and timing of adoption.Footnote 80 Therefore, one interviewee noted that private regulations could “help harmonize and implement European regulation.”Footnote 81 This is in line with comments made by another interviewee for whom private regulations were useful when “businesses look for clarifications on how to implement the regulation.”Footnote 82 Other interviewees were also keen to point out that the objective behind the creation of their organizations’ regulations was to help small and medium-sized enterprises (SMEs). One noted that many SMEs were interested in the possibilities offered by the digital economy, “but there were a lot of question marks and interrogations regarding the legal framework.”Footnote 83 In this context, their organization looked to “build a framework which would not only be for big companies with the means to apply it.”Footnote 84 Similarly, another interviewee pointed out that the regulation put forward by their organization aimed to help “the SMEs, not the Amazon and eBay of this world.”Footnote 85
This specific demand for private regulation to reduce transaction costs created an incentive for private actors to stay as close as possible to the legal requirements. As one interviewee who worked on the development of an industry code in Europe stated, “It is just such a big job [for companies] to decide how to interpret their existing obligations and they do not want to make their jobs harder than it already is.”Footnote 86 This was reinforced by the active promotion by the European Union of the possibility to use private regulations to reduce transaction costs. The DPD specifically stated that European member states should encourage the development by private associations of codes of conduct “to contribute to the proper implementation” of its requirements (Article 27). It also indicated that data protection supervisors could review and approve codes of conduct. Going through this process fundamentally meant being assessed over how well they included the requirements of the DPD. Although only one code was ultimately approved, this illustrates the early interest that European public regulators had in influencing the content of private regulations. Throughout the years, they took a variety of other measures toward this goal, including organizing events to provide feedback on the content of regulations developed by European industry associations. As one interviewee working for the European Commission stated, “We try to drive them to include what we think should be in [a] code.”Footnote 87 In at least two cases, the European Commission even provided funding to support the development of private regulation that went to pay for an external expert and ensure they would be developed in line with the objectives of the DPD. An interviewee closely working with the development of these two codes stated that the European Commission wanted an expert “holding the pen for private actors.”Footnote 88
Most interviewees from European industry associations also mentioned that their interactions with public regulators significantly shaped what they chose to include in their regulations. One interviewee noted that the level of interaction was such that “it might be more accurate to name it co-regulation”Footnote 89 instead of self-regulation. Another interviewee indicated that employees from the European Commission would “recommend [them] to look at specific issues and tell them what key questions they would like them to answer.”Footnote 90 Yet another emphasized the deep influence of European regulators by noting the number of times they met with them:
We had roundtables organized with the European Commission, eight to be precise. [...] At one point, we were meeting every quarter. They wanted to follow very closely our progress. Up to a point, where we didn't have the time to digest what we were reading anymore.Footnote 91
Another interviewee finally maintained that these interactions with European regulators did not merely help define what to include, but also set limits on what private regulations could achieve. They specifically lamented that asking questions about what was allowed was often criticized and considered suspicious. They recalled being told in a meeting with European regulators that “if you are asking questions, it means that you are trying to go around the law and this is problematic.”Footnote 92 It reflects the belief expressed by one interviewee working for the European Commission that private regulations “are there to help compliance.”Footnote 93 They should help with the implementation of European laws and any attempts at departing from it could lead to new criticisms.
Finally, private regulations seemed to provide limited reputational gains. Although two interviewees mentioned that their regulations were aimed at “giving the industry an edge”Footnote 94 or were about providing “prestige,”Footnote 95 most did not mention this as one of its potential benefits. Some also pointed out that an early multiplication of codes and associated logos only created “confusion.”Footnote 96 Therefore, private companies did not have an interest in using them to differentiate themselves from others. What private regulations could instead do is help their adopters avoid criticisms from public regulators by focusing on approximating their requirements. One interviewee was specifically critical of what they saw as a tendency from industry associations to develop codes “not to protect citizens, but mostly with a defensive attitude towards themselves.”Footnote 97
United States
In contrast to Europe, the United States still lacks a comprehensive federal privacy law covering the private sector. US regulators argued early on that the private sector should lead the regulation of the digital economy.Footnote 98 At the same time, they made clear that they could regulate the digital economy if needed and, indeed, adopted several sectoral laws to oversee the use of personal data in specific sectors. Private actors could thereby hope to gain a first-mover advantage and avoid greater public oversight by adopting data privacy regulations and showing their goodwill.
In the mid-1990s, fears that a growing industry of data brokers was notably selling sensitive information without sufficient safeguards led three senators to ask the Federal Trade Commission (FTC) to consider the potential need for regulation.Footnote 99 In reaction, a group of leading companies came together to create the Individual Reference Services Group (IRSG) principles in 1997. According to my content analysis, this private regulation includes the most regulatory novelties (8). It notably laid out a new rule requiring companies to confirm the quality of their source of information when not collecting personal information from the concerned individuals themselves. It also required private companies to indicate when they collected personal data “passively” and established a new compliance mechanism whereby private companies had to go through an annual “assurance review.” The adoption of the regulation had the expected effects, with the FTC effectively commending the industry in its final report for having built “an innovative and far-reaching self-regulatory program” and recommending that the federal government not take any other regulatory action to cover the data broker industry.Footnote 100
Around the same time, multiple industry associations adopted privacy requirements specifically tailored to children as reports emerged of private companies collecting their personal information online.Footnote 101 While industry groups did not impede the adoption of the Children's Online Privacy Protection Act (COPPA) in 1998, my content analysis indicates that they were behind six of the eight rules that now govern the collection and use of children's personal data and that have made their way into COPPA. These include requirements to provide special notification to children before collecting their data, obtain parental consent, and abstain from conditioning participation in games or offering prizes in exchange for children disclosing more personal information than legitimately needed. This finding is in line with one interviewee who used the example of COPPA to maintain that the industry could sometimes move first to set out ethical practices: “Sometimes, ethical requirements come before legal ones. We had requirements to protect children's data before COPPA.”Footnote 102 In addition to shaping the content of COPPA, it is worth noting that private regulations also successfully carved out a role for themselves in the implementation of this law, such that they can act as “safe harbor” providers. The latter means that private companies abiding by a certified private regulation are presumed to comply with COPPA and can showcase a seal demonstrating their compliance. By moving first, private companies in effect helped legitimize their involvement in the regulation of children's privacy.
After 2000, however, industry groups in the United States almost entirely ceased to include regulatory novelties. While their regulations grew in length, as illustrated in Figure 5, they did not include new rules. Instead, they increasingly approximated legal requirements, notably those coming from Europe. This chiefly reflects the tendency for most representatives from US private associations interviewed for this study to describe their role as helping companies implement their legal obligations and achieve greater accountability rather than aiming to create new data privacy rules. One interviewee, for example, stated that his role was “to implement, not create rules,”Footnote 103 and another that their work was to help their clients understand how to “respect their [legal] requirements.”Footnote 104 This tendency for private regulation to help achieve greater legal compliance rather than experiment with new rules partly reflects that the threat of public regulation has not been constant over time and notably diminished following the adoption of the first few private regulations at the end of the 1990s.Footnote 105 At the same time, there were clear periods when the prospect of public oversight grew stronger. By the mid-2000s, the FTC was notably more critical of the early industry efforts at self-regulation. Yet, despite spurring the adoption of new private regulations, this did not lead to the creation of more new rules. Instead, they increasingly approximated rules put forward by public actors from other jurisdictions, notably Europe, as highlighted in Figure 5.
This progressive change toward an implementation role coincided with the growing promotion of private regulations as certification mechanisms for international transfers after 2000. In addition to establishing a baseline protection level for data privacy, the DPD restricted the transfer of European data to countries with sufficient protections and risked disrupting transatlantic data flows.Footnote 106 Without a federal privacy law, the United States could not obtain an adequacy decision allowing data transfers to continue without restrictions with the European Union. US companies faced the possibility of having to rely on individual consent and contractual agreements to transfer personal data from one jurisdiction to the other. To avoid this potentially cumbersome and costly outcome, US and European negotiators agreed to establish an international safe harbor inspired by the mechanism commonly found in US laws, such as COPPA.Footnote 107 The latter represented a limited adequacy decision where only firms self-certifying to adhere to a set of privacy rules and an enforcement mechanism were considered adequate and allowed to transfer personal data across both jurisdictions. Following the adoption of the safe harbor agreement, multiple private regulations were developed or updated to help US companies self-certify themselves, not specifically intended for companies looking to conduct business in Europe or with European partners.
Private regulation now forms the core of the United States’ strategy for international data transfer. In addition to renegotiating the original safe harbor agreement after it was struck down (twice) by the European Court of Justice, the US government negotiated agreements with other countries to promote the role of private certifiers. In 2011, it established the cross-border privacy rules (CBPR) system with Asia Pacific Economic Cooperation (APEC), allowing companies certifying with an approved third party to transfer data across participating countries. It is now one of the valid mechanisms for international data transfers mentioned in its latest trade agreement with Canada and Mexico (USMCA, Article 19.8.6). More recently, Gina Raimondo, US secretary of commerce, announced the creation of the global CBPR forum to promote the use of this system worldwide and counteract the global influence of the European Union after the adoption of the GDPR. According to one interviewee who worked closely with the CBPR, the adoption of the GDPR in the European Union pushed the United States to promote its separate model of data transfer:
The GDPR also put pressure on countries to implement the CBPR and show that the system could work. There are now efforts in APEC to broaden the participation and making it more global. [...] In a way, the GDPR made it more urgent and important to make the system work.Footnote 108
Therefore, the demand for private regulation in the United States shifted from an interest in gaining a first-mover advantage toward reducing transaction costs in a global context. With the support of the US government, businesses in the United States look for private regulations to help them operate in a transnational and fragmented context, just like European ones looked at them after the adoption of the DPD. Multiple interviewees working in the United States noted this trend. One first held that private regulations “have changed and now want to be global privacy compliance companies. They follow more than they set the path. They don't create new guidelines as much as they certify against public regulations.”Footnote 109 Another went as far as saying that the goal of his organization was to help “establish a single standard that allows any organization to say that their data governance system respects privacy regulations like COPPA, the privacy shield, GDPR and CBPR system.”Footnote 110 Yet another mentioned the recent adoption of a privacy law in the state of California as one source of influence as well as laws from other jurisdictions: “As [our regulation] lived and [grew], it integrated various laws that were adopted in California recently and other states. We also looked at PIPEDA in Canada.”Footnote 111 One interviewee finally mentioned that despite his organization maintaining multiple privacy programs, they actively tried to make them compliant with multiple regulations at once:
We try to limit our program to a specific framework as we wouldn't want to make compliance more difficult for a company that doesn't need it. A company that only works in the US might not need to fulfill all the requirements of the APEC framework for example. However, we do try to build them so that it would be easy for a company to fulfill two or more of our programs at the same time.Footnote 112
This helps explain why European rules were increasingly included in US private regulations. At the same time, it also hints at the reason why private regulations that act as compliance tools no longer experiment with new rules. Many companies that pay for these services are not interested in doing more than what is already required from them. As one interviewee specifically held:
I think that we have developed requirements that go beyond what is required in the law, but our ability to do so is limited by the fact that at the end of the day it is a voluntary program. Not only voluntary but that companies pay to use. There is thus a limit to what we can ask. [...] It is really important to keep in mind, and it is probably true for any voluntary and paid program, the impact can only be so great and you can only impact the companies that decide to join the program. The more you add requirements that go beyond and above the law the harder you made it to join.Footnote 113
In addition, private regulations did not seem to provide meaningful reputational benefits. While no interviewees from industry associations in the United States maintained that the multiplication of private regulations created confusion as in Europe, none raised reputational gain as one of the main driving forces for their creation either. A previous study found that early private regulations dealing with data privacy provided limited signaling benefits and did not help companies differentiate themselves from their competitors.Footnote 114 In effect, the study shows that a private regulation (i.e., the Webtrust privacy program) developed by the US and Canadian associations of accountants and broadly recognized for its thoroughness ended up ceasing its activities because of a lack of companies adhering to it. My content analysis shows that this regulation included the second-highest number of rules after the IRSG. The IRSG also ceased to operate four years after it was created.Footnote 115 Meanwhile, the privacy program of TrustArc remains the most popular private regulation in this space despite seldom including new rules and facing multiple complaints of failing to implement its standard.
Conclusion
Private regulations are often presented as flexible and low-cost institutions that can more easily be adapted to specific circumstances and change over time than public regulations. As such, some argue that they can help support the emergence of a more experimentalist form of governance.Footnote 116 Private regulations can more easily experiment with new regulatory ideas that public regulators can later adopt if they prove successful. In this article, I examine the conditions under which private regulations play an incubator or experimenter role. I argue that it depends on the demand driving their creation. Private regulations adopted to help companies reduce transaction costs in highly regulated environments should lead to the creation of few novel requirements and tend to approximate private companies' existing legal obligations. In this case, the goal of private regulation is to reduce the costs of doing business, and experimenting with new rules risks doing the opposite. Meanwhile, private regulations driven by a desire to obtain a first-mover advantage or make reputational gains should tend to experiment with more new rules, as in doing so, they can help their adopters keep control over the regulatory agenda or gain a competitive edge over their competitors.
Looking at the case of data privacy, I show how the different demands and their evolution over time in the United States and the European Union can help explain the inclusion of new data privacy rules in private regulation from 1994 to 2018 in both jurisdictions. Following the adoption of the DPD in Europe, private companies were mainly interested in using private regulations to help them reduce their transaction costs by providing them with ready-made solutions to fulfill their legal requirements. In effect, only two included a regulatory novelty in 2001. All others mostly approximated existing legal requirements to help businesses achieve legal compliance. Meanwhile, in the absence of a federal privacy law, private companies in the United States could hope to gain a first-mover advantage and avoid additional public oversight. In the mid-1990s and early 2000s, it effectively led them to include several new rules in their regulations to showcase their goodwill to public regulators and remove the threat of greater public oversight. Since then, the growing significance of international data flows and the existence of competing models of privacy governance, however, prompted them to increasingly approximate legal requirements from other jurisdictions, notably Europe. Private regulations adopted recently in the United States, in effect, primarily aim to help private companies operate in a transnational context. Instead of offering a first-mover advantage, they provide their adopters with an integrated solution, allowing them to reduce their transaction costs associated with implementing their legal obligations in multiple jurisdictions.
These findings offer a cautionary tale to the idea that private actors are better positioned to help define how to regulate new or quickly evolving issues. In effect, their potential contribution depends on the benefits they can hope to achieve by self-regulating. In cases where governments have yet to regulate, private actors may not be interested in experimenting with new rules if they are not likely to gain a first-mover or competitive advantage. These are notably a function of the likelihood of public regulation being enacted and the social pressure on companies to showcase their goodwill. This is especially important to keep in mind in the context of social values like privacy, for which we may not want to rely on the presence of such incentives to regulate.
Private regulations could still offer other benefits, like supporting greater legal compliance. As this article has shown, private regulations can help companies integrate their legal obligations. To what extent this translates to actual business practices, however, remains an open question. Cases like TrustArc and recent researchFootnote 117 show that it is far from a given. At the same time, Bamberger and Mulligan's work on corporate practices highlights their potential capacity to be more innovative.Footnote 118
Future work could build on the present research findings by looking at how the demands for private regulation play out at different levels of governance and sectors. One limitation of this study is its focus on private regulations applicable to multiple businesses and developed to operate throughout the United States or the European Union. Codes of conduct developed for individual US states or European countries or corporate practices developed by single companies can significantly differ in what drives their demand, affecting their tendency to be innovative. Transaction costs may, for example, not have the same influence on regulations aiming to operate locally. When developing their privacy policies or corporate practices, individual companies may also have a stronger incentive to burnish their reputation. Recent research in the organic sector finally suggests that private actors can sometimes still seek to differentiate themselves through private regulation after government interventions. Examining the variations in the underlying demand prompting the adoption of private regulations at different levels of governance and in different sectors could thus yield new insights into their possible experimentation benefits.
Supplementary material
To view supplementary material for this article, please visit https://doi.org/10.1017/bap.2023.16
Appendix I. List of interviewees’ organizations.