3. Norm Diffusion: How Privacy Became an International Norm in:

Jan-Hendrik Kuntze

The Abolishment of the Right to Privacy?, page 13 - 38

The USA, Mass Surveillance and the Spiral Model

1. Edition 2018, ISBN print: 978-3-8288-4034-8, ISBN online: 978-3-8288-6750-5, https://doi.org/10.5771/9783828867505-13

Series: Tectum - Masterarbeiten

Tectum, Baden-Baden
Bibliographic information
Norm Diffusion: How Privacy Became an International Norm A vast number of attempts have been made to define privacy4. A mul‐ titude of approaches show that it is impossible to define privacy straight to the point. Although privacy is often seen as a vague con‐ cept, it has become important all over the world (Solove 2008: 1 f.). Helen Nissenbaum (2010: 129ff.) tried to overcome the overtheoriza‐ tion of privacy, using an approach of contextual integrity. She holds that privacy is a right to live in a world in which our expectations about the flow of per‐ sonal information are, for the most part, met; expectations that are shaped not only by force of habit and connection but a general confidence in the mutual support these flows accord to key principles of social life, including moral and political ones. […] [This approach to privacy] builds on the substantive thesis that more-or-less coherent, distinctive systems of norms, which shape the contours of our expectations, evolve within the distinctive contexts that make up the social. (Nissenbaum 2010: 231 f.) This concept overcomes the traditional static frameworks of privacy, which consist mainly of four popular concepts: the definition of priva‐ cy in terms of non-interference, limited accessibility, informational control and of intimate or sensitive aspects of persons’ life (Bygrave 2010: 170). One definition that considers all of these spheres has been established by Beate Rössler (2001). She classifies privacy into three different spheres: decisional privacy (defense of room to maneuver and decision against unwanted influence of others; similar to the non-in‐ terference approach), informational privacy (to control the knowledge 3. 4 It goes beyond the scope of this paper to illustrate every possible theoretical defini‐ tion of privacy, and it is also not the target of this chapter to provide it. Good start‐ ing points to get an overview of the theoretical approaches to privacy are provided by Solove (2002 & 2008), Solove and Schwartz (2009: 39ff.) and Nissenbaum (2010: 67ff., 89ff.). 13 of others about personal information of oneself; similar to the infor‐ mational control approach), and local privacy (a physical place of re‐ treat, e.g., the home; similar to the limited accessibility and sensitive aspects approach) (Rössler 2001: 144ff.). As a matter of course, in view of today’s technical development, the second sphere is the most impor‐ tant dimension of privacy (Schiedermair 2012: 12) – especially in re‐ gard to the Snowden revelations. To view privacy as the control of personal information is an ap‐ proach that has its roots in the era of upcoming data protection. The founding father of this concept, Alan Westin (1970), frames privacy as “the claim of individuals, groups, or institutions to determine for themselves when, how and to what extent information about them is communicated to others” (7). In a broader sense, the reference of ac‐ cessibility is something very important to the definition of privacy, which Altmann (1977) highlights, as he describes privacy as “the selec‐ tive control of access to the self, […] whereby people can make them‐ selves accessible or inaccessible to others” (67ff.). As a result, in this paper privacy is defined as the control of access to the self and the flow of personal information with regard to the contextual expectation of privacy. This is only a broad philosophical definition. However, this vague‐ ness is necessary to cover the social change of what types of things are expected to be private. Depending on the changing relationship be‐ tween the individual and the state, the term privacy is fashioned by so‐ cial transformation (Schiedermair 2012: 8). On the following pages, it is important to take a closer look at the development of privacy as a social norm, a juridical norm and an international norm. Privacy as Social Norm The roots of privacy as a norm of social life date back to antiquity and can be found for the first time in history in old Jewish laws dating back more than 2000 years5 (Diffie & Landau 2012: 142). Early on, they em‐ 3.1. 5 The etymological roots of the word privacy date back to antiquity as well. Already the Latin term privatus means apart from the state (Ennöckl 2014: 15). At the same 3. Norm Diffusion: How Privacy Became an International Norm 14 phasized that the individual’s freedom to speak and act was already li‐ mited if someone assumed, but did not know, that she was monitored (Schmale & Tinnefeld 2014: 83). Within the musings of the first philosophers of the Western world, the idea of privacy was present. Aristotle drew a separating line between the public sphere, polis, and the household, oikos. This distinction was adopted by the Romans, who were among the first who differentiated between a ius publicum and a ius privatum (which are the origins of contemporary public and private law) (Schiedermair 2012: 24ff.). But unlike contemporary views on privacy, the ancient concept of privacy held that the place of freedom and self-fulfillment was the pub‐ lic sphere and not the private one. The polis is the area where all citi‐ zens manage the political matters of the society free and equal. It was the place where citizens could develop their virtues and gain social reputation. The assumption of a public office was considered as the “perfection of human being” (Ennöckl 2014: 16). On the contrary, the household was the sphere of necessity, and people could only develop to the full in the public sphere. This point of view – the private sphere as burdensome, the public as something positive – has influenced Western philosophy until today (Ennöckl 2014: 16; Schiedermair 2012: 25). The abstract concepts of privacy and publicity that had been held in ancient times also influenced life in medieval times, although the governmental system changed dramatically. The hierarchical structure of the oikos was transferred to the political order. Hence, Schiedermair rightly speaks of the “privatization of power” (2012: 29).6 Nevertheless, the public sphere was diminished but not dead. At that time, the word publicus described everything that was related to power, and it has sur‐ vived in many forms, e.g., as persona publica (person who represents the interests of society) (Schiedermair 2012: 28ff.). However, the an‐ cient meaning of private as something that is not related to public is‐ sues blurred, because public matters were handled in a private way time, the Romans created the word publicus, which later on became the basis for the term publicity, the counterpart of privacy (Schiedermair 2012: 27). 6 How important private relationships became, particularly with regard to the family, can be seen in the formation of family arms at that time (Schiedermair 2012: 30). 3.1. Privacy as Social Norm 15 whereas public was still something related to the power of the monarch. The next big change in the denotation of the private and public spheres came with the Renaissance. People changed their worldview from a theocentric to an anthropocentric one; the individual was dis‐ covered and became increasingly important. This development paved the way for the contemporary understanding of privacy because it gave rise to an appreciation of the private sphere that had never existed be‐ fore. The emergence of ways to express individuality increased in many ways. Portraits and biographies became popular while chronicles were being written for the first time. This was a trend that was not only ob‐ served in Europe but also in China, Japan and in the Islamic world (Schiedermair 2012: 31 f.). On the spatial level, individualism was ex‐ pressed through the establishment of rooms in houses. Lockable bed‐ rooms and bathrooms were created, and individuals got their own rooms. Whereas in the Middle Ages loneliness was only common dur‐ ing prayers and was otherwise considered as detrimental, this point of view changed in the late 17th century. In times of Enlightenment, this new worldview continued to influence the everyday life of people. Rooms were decorated with personal belongings and were seen as an expression of the person who lived in that room. Self-reflection be‐ came common and was practiced by keeping a journal, interpreting dreams and confessing. In the 18th and 19th centuries, the blooming of individuality was expressed by the use of prenames (Schiedermair 2012: 30ff.). The significant historical events at that time were the French Revo‐ lution and the Declaration of the Rights of Man and of the Citizen in 1789, which marked the birth of the idea of universal rights. The decla‐ ration included, among others, the right to freedom (freedom of action) and the freedom of religion. These rights, therefore, opposed the abso‐ lutistic state, which wielded influence to every sphere of human life. Although it would take another 100 years until the first approach to the right to privacy was launched, the claims of the declaration’s rights are not imaginable without a conceptual prerequisite of a private sphere. To claim these rights implies a differentiation between a public sphere, which is also the sphere of the state, and a private sphere, 3. Norm Diffusion: How Privacy Became an International Norm 16 which belongs to the individual alone and precedes the state (Ennöckl 2014: 18 f.; Schiedermair 2012: 34). This differentiation led to a new development: The private sphere is now considered to be an individual sphere. In medieval times, privacy could be pretty much associated with family life, with its organizational structure transferred to the po‐ litical order. After 1789, fundamental rights claimed to acknowledge a sphere that belonged only to the individual. This idea was reflected in many constitutions in the 19th century. Although not one guaranteed a right to privacy, they contained rights that we consider today as some‐ thing included to the right to privacy. This applies to the householder´s right and to the privacy of correspondence (letters)7 (Ennöckl 2014: 18). Important for the further development of the term privacy is the inversion of Aristotle’s paradigm. No longer was the public sphere the place where the individual develops. The place for self-development shifted to the private sphere. In England, privacy became a synonym for a happy, middle-class way of life that is best, expressed by the phrase my home is my castle. Furthermore, in Germany people also turned towards privacy: Disappointed by the political developments (Restauration), the Biedermeier age set in, and people experienced happiness in their private spheres (Schiedermair 2012: 35 f.). While the origins of privacy are rooted in occidental philosophy and European developments led to the individualization of privacy and to the creation of privacy as the social norm we know today, the actual right to privacy was invented in the USA, as the following section ex‐ hibits. 7 The USA was not excluded from this development, either. In 1710, the British gov‐ ernment established the first postal delivery system in the USA and, at the same time, created the first privacy protection for letters: they were just allowed to be opened with a permission of the secretary of state (at least in theory). After the in‐ dependence of the USA, Congress adopted the first Postal Act that prohibited postal officials to open mails. In 1825, Congress adopted the second Postal Act that gener‐ ally prohibited prying into another person’s mail. Unfortunately, people did not fol‐ low the law and in times of Civil War even government officials tried to open private mail. In 1878, the Supreme Court ruled that a search warrant is necessary for the government to open mail (Diffie & Landau 2007: 144ff.). 3.1. Privacy as Social Norm 17 Privacy as Juridical Norm It took until the end of the 19th century for privacy to become a legal norm. This was only possible through the previous developments, which lead to the emergence of individuality leading the way. In December 1890, Boston lawyers Samuel D. Warren and Louis D. Brandeis published an article named The Right to Privacy. This mo‐ ment is generally seen as the birth of a modern understanding of pri‐ vacy and it is still considered to be “the most important article ever written about privacy” (Solove & Schwartz 2009: 10). The changes of social life in the USA paved the way for the development of the right to privacy: an stupendously growing population including a fundamental change of living conditions due to urbanization that resulted in a less segregated life; technological developments including the invention of photography and snap cameras, making it possible for any individual to take pictures everywhere and at any time; and the proliferation of newspapers, which became affordable for everyone and which led to the evolution of the so-called yellow press that reported about famous and rich people’s lives (Glancy 1979: 7ff.; Solove & Schwartz 2009: 10ff.). Both Warren and Brandeis wanted to adapt the law to the modern challenges. From their point of view, it was an old principle of com‐ mon law “that the individual shall have full protection in person and in property […], but it has been found necessary from time to time to define anew the exact nature and extent of such protection” (Warren & Brandeis 1890: 1939). At that time, society was discussing the problem of pictures being taken without the consent of the photographed peo‐ ple and also the reporting of gossip and rumors in the newspapers without the consent of the injured. The problem was that the law did not provide any protection against this. In the 19th century, one very common way of protecting ones pri‐ vacy in the USA was to sue people for criminal libel.8 But unfortunate‐ ly for the claimant the courts accepted the truth as a defense against 3.2. 8 At that time, libel was defined in the USA as “malicious defamations of any person […] made public by either printing, writing, signs, or pictures, in order to provoke him to wrath, or expose him to public hatred, contempt, and ridicule” (Glancy 1979: 12). 3. Norm Diffusion: How Privacy Became an International Norm 18 criminal libel. If the truth of the libel could be proven, then malicious intent was disproven, which was necessary for the finding of criminal libel. The opinion that everything that is true is also allowed to be said and printed was also an argument made by many in the public debate to defend the activity of the yellow press (Glancy 1979: 10ff.). Therefore they invented the right to privacy that was based on the right to be let alone, a phrase invented by the judge Thomas Cooley (Glancy 1979: 3 f.). According to Warren and Brandeis, there had been several problems with the state of the law. First, the law of libel would deal only with damage to reputation regarding the external relations of an individual, but it did not protect the injury of the individual’s own feelings. There would be no remedy for mental suffering. Second, they felt that the right to property should extend to happenings in the do‐ mestic circle. Their argument is based on the – already present at that time – existing protection of thoughts. No one could be forced to ex‐ press his thoughts or sentiments. Also poems, letters and diary entries would be protected, wholly independent of possessing the material (e.g. paper) on which it is written (Warren & Brandeis 1890: 197ff.). This right would only be lost if the author decided to publish his thoughts. Hence, they concluded that […] the protection afforded to thoughts, sentiments, and emotions, ex‐ pressed through the medium of writing or of the arts, so far as it consists in preventing publication, is merely an instance of the enforcement of the more general right of the individual to be let alone. […] The principle which protects personal writings and all other personal productions, not against theft and physical appropriation, but against publication in any form, is in reality not the principle of private property, but that of an invi‐ olate personality. (Warren & Brandeis 1890: 205) So they argued that this right of personality needed to be extended to things happening in the domestic circle to adjust this right to contem‐ porary times and claims of society. With it they hold that the individu‐ al determines what is considered private, and hence they do not follow previous approaches of determining privacy as something bound to the local sphere (e.g., the home). By conceptualizing privacy as some‐ thing that guarantees the inviolate personality, it calls for the individu‐ al to define his own private sphere (Ennöckl 2014: 20). Hence, what Warren and Brandeis did was nothing more than defining the common basis of present rights. This common principle is 3.2. Privacy as Juridical Norm 19 the right to privacy. They hold that the right to privacy is nothing more than the foundation of all existing laws to prevent an intrusion into the personality, which is part of the right to life. Now it had to be adjusted to modern times: The principle which protects personal writings and any other productions of the intellect or of the emotions, is the right to privacy, and the law has no new principle to formulate when it extends this protection to the per‐ sonal appearance, sayings, acts, and to personal relation, domestic or oth‐ erwise. (Warren &Brandeis 1890: 213) With this invention of a legal theory for the right to privacy, they pro‐ tected the social norm of privacy9 from disappearing in a technological world. For a very long time, privacy was a fact of life. Through techni‐ cal developments, it was something that could hardly have been achieved by individuals on their own from the 19th century on. In‐ stead, privacy is now something controlled by societies (or govern‐ ments, respectively) that can guarantee or deny this norm. Conse‐ quently, we can observe the opposite trend during medieval times: While the public sphere became privatized in the Middle Ages, the public sphere was now trying to extend to private issues. Many people perceived this as wrong, but there was no clear juridical concept that could be employed in this situation. The existing concepts and causes of action hit the wall and did not offer adequate protection of the pri‐ vate sphere. With the approach that considers the right to privacy as a part of the inviolate personality, Warren and Brandeis offered a way out and both rescued the norm of privacy in a technological age and transferred the social norm into a legal concept. With this article, Warren and Brandeis activated a juridical debate about the right to privacy, which was essential for the creation of a fun‐ damental right to privacy in the UDHR more than half a century later (Ennöckl 2014: 20 f.). However, the article did not have an immediate influence on the actual jurisdiction (Prosser 1960: 384 f.). It took more than a decade until the first court decisions, which acknowledged a 9 As a matter of course, Warren and Brandeis also provided limitations to the right to privacy. According to them, this right could not be used to prohibit publications of public interest; nor should it be used to prevent publications in public bodies (like courts, municipal assemblies) (Warren & Brandeis 1890: 214ff.). 3. Norm Diffusion: How Privacy Became an International Norm 20 right to privacy, could be found in the states of New York and Georgia (Solove & Schwartz 2009: 26; Prosser 1960: 385).10 As a matter of course, technological progress continued to chal‐ lenge the right to privacy. In 1928, the first case was brought to the US Supreme Court where the judges had to decide about the legality of wiretapping. Ironically, Brandeis was one of the judges in this case in‐ volving businessmen Roy Olmstead. To convict him of illegal liquor distribution, federal agents wiretapped the phone line of his headquar‐ ters. Later, those wiretap tapes played a crucial role in court. The mat‐ ter of particular interest was whether those tapes could be valid in court. They were obtained without a warrant, but a warrant was actual‐ ly only necessary for entering into private homes or offices (as the Fourth Amendment dictated). The Supreme Court ruled that the wire‐ taps were legal without a warrant, but the judge Brandeis published a dissent:11 The protection guaranteed by the Amendments is much broader in scope. […] They recognized the significance of man’s spiritual nature, of his feel‐ ings and his intellect. […] They sought to protect Americans in their be‐ liefs, their thoughts, their emotions and their sensations. […] To protect that right, every unjustifiable intrusion by the Government upon privacy of the individual, whatever the means employed, must be deemed a viola‐ tion of the Fourth Amendment. (Cited in Diffie & Landau 2007: 149 f.) It took one more decade until the Supreme Court followed the argu‐ mentation of Brandeis and ruled, in 1937, that wiretapping was illegal. Further judgments confirmed this point of view (Diffie & Landau 2007: 150)12. 10 An overview of the first privacy tort cases by Prosser (1960) epitomized the spread of the judicial norm of privacy in the USA in a very good way. 11 With this decision the Supreme Court judged against the public opinion. Eaves‐ dropping – although conducted for a law enforcement purpose – was not accepted by most Americans. Even Republicans were concerned about this judgment. When the philosopher Nicolas Murray Butler defended the Supreme Court’s decision at the congress of the Republican Party, he was catcalled (Kammerer 2015: 30). 12 One of these judgements was Katz vs. United States in 1967, when the Supreme Court ruled: “[A]n enclosed telephone booth is an area where, like a home, […] a person has a constitutionally protected reasonable expectation of privacy” (cited in Mills 2015: 198 f.). Even though the influence of the Warren and Brandeis article on the jurisdiction in the USA is well examined in the research literature, this is, in the cold light of the 3.2. Privacy as Juridical Norm 21 Through the upcoming abilities to interfere with one’s privacy by use of wiretapping, technical inventions also tried to secure man’s pri‐ vacy among the juridical possibilities of resistance. At the beginning of the 20th century, voice scramblers were introduced. Furthermore, the upcoming World War II accelerated the development of the first bug proof telephone, Sigsaly, by the US military in the 1940 s. Unfortunate‐ ly, it did not go a long way towards bettering the protection of ordinary people’s privacy. It was so expensive that only two people in the world could afford such devices: Roosevelt and Churchill (Diffie & Landau 2007: 61 f.; Weadon 2009). All in all, one can observe that the 19th and the first half of the 20th century were crucial to establishing a right to privacy. Thus, the social norm of privacy was cast in the legislative mold. The next step of priva‐ cy becoming an international norm including a human rights regime that aims to protect this norm began after World War II. Privacy as International Norm Whereas the invention of the right to privacy occurred in the USA, European countries mainly initiated the development of privacy as an international norm, especially with regard to data protection. At the very beginning, the cruel wrongdoings of Nazi Germany and Stalinism brought to mind that in functioning democratic soci‐ eties the citizens need a certain degree of freedom from the state (Ennöckl 2014: 20). That is why one of the very first targets of the United Nations (UN) was the protection of human rights (Schieder‐ mair 2012: 60). In 1946, a human rights commission was appointed, headed by Eleanor Roosevelt, to develop an International Bill of Rights composed of a legally unbinding UDHR and the two legally binding covenants, the International Covenant on Economic, Social and Cultural Rights (ICESCR) and the International Covenant on Civil and Political 3.3. day, not the case in Europe. How exactly the right to privacy made his way to Euro‐ pe, is not explained in detail by contemporary research literature and remains an academic void. The same applies to the question how, when and why the norm of privacy was added to the claims made by human rights advocates. This has to be the subject of further research. 3. Norm Diffusion: How Privacy Became an International Norm 22 Rights (ICCPR) (Schiedermair 2012: 62). The right to privacy is also covered by these international agreements and was established as a fundamental right. In the first draft of the UDHR, the right to privacy was already mentioned. The June 1947 Human Rights Commission Draft states: “The privacy of the home and of correspondence and respect for repu‐ tation shall be protected by law” (cited in Glendon 2002: 283). While the course of discussion first led to a close connection of the right to privacy to the right to property and seizures, this connection became loosened over time. That features the personal dimension of privacy to a larger extent and detaches it from a material meaning (like a house). Hence, Article 12 of the UDHR states: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspon‐ dence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or at‐ tacks” (United Nations n.d.). As a matter of course, informational pri‐ vacy is not mentioned by the UDHR. But the fact that the personal di‐ mension of privacy was strengthened by this formulation makes to‐ day’s privacy activists claim that the private sphere also covers the in‐ formational dimension (Schiedermair 2012: 65). In any case, with that development privacy became a fundamental human right (Solove 2008: 3 f.). With the UDHR, the human rights were for the first time recog‐ nized at the international level (Abu-Laban 2014: 422). The acknowl‐ edgment specifically applies to the right to privacy. When the UN General Assembly had a vote on the UDHR in 1948, it was proposed to ballot for every article separately. The vote for Article 12 was unani‐ mous (Schiedermair 2012: 66). In 1966, the ICCPR was adopted. The right to privacy continued to play a major role and was perpetuated in Article 17. During the dis‐ cussion by the members of the human rights commission about the protection of privacy, all agreed to the necessity of the enshrinement of the right to privacy. This shows that all states generally agreed to the protection of everyone’s privacy as a universal human right (Schieder‐ mair 2012: 72 f.). Nevertheless, certain human rights can be derogated in case of public emergency. This is in fact allowed by the ICCPR. Only 3.3. Privacy as International Norm 23 the right to life and the right not be subjected to torture are indispens‐ able (Chesterman 2011: 44 f.). With the enshrining of privacy as a human right, this norm was finally an international norm. From then on, IOs played a major role in the conservation and the advancement of the norm of privacy. Most notably, the UN, the Organization for Economic Co-Operation and Development (OECD), the Council of Europe (CoE) and the EU achieved the most to adopt the norm of privacy to further technologi‐ cal developments – which challenged privacy enormously with the in‐ vention of computers and the Internet. In 1968, the participants of the International UN Conference on Human Rights in Teheran already noticed that technological develop‐ ment could have more than positive outcomes for human rights. Espe‐ cially with regard to the respect for privacy and the protection of hu‐ man personality, they recommended research on the implications of technical developments on human rights. The UN General Assembly reacted immediately and in the same year adopted resolution 2450, which opines that the General Assembly, […] sharing the concern of the Conference that recent scientific discoveries and technological advances […] may […] endanger the rights and freedoms of individuals […], invites the Secretary-General to undertake […] a study of the problems […], in particular [regarding the] respect for privacy of individuals […]. (United Nations General As‐ sembly 1968) This was the first time that the UN General Assembly concerned itself with the protection of privacy in the upcoming digital age13 (Schieder‐ mair 2012: 120). Thereby, they followed the zeitgeist. Mainly, techno‐ logical development at that time was characterized by three trends. First, information was starting to be digitalized. Hence, more personal 13 In the sequel, the UN published many reports regarding this topic. One of the most influential was the Study of the Relevant Guidelines in the Field of Computerized Personal Files by Special Rapporteur Louis Joinet, which paved the way for the Guidelines for the Regulation of Computerized Personal Data Files, adopted by the UN in 1990. Those non-binding guidelines are one of the most important docu‐ ments by the UN regarding privacy in the digital age. Albeit the intention was to encourage member states lacking data protection laws to enact such laws, the influ‐ ence of this guideline was limited compared to similar activities by other IOs (By‐ grave 2010: 184 f.; Schiedermair 2012: 120ff.). 3. Norm Diffusion: How Privacy Became an International Norm 24 information could be collected more easily. Second, the technical de‐ vices got smaller (miniaturization), a process accompanied by decen‐ tralization. Thus, the use of digitalized personal information was in‐ creasing enormously, and it was also easier to obtain such information. Third, networking made personal information accessible all over the globe. Some of these characteristics had been inherent in the technical development over time, but now these processes accelerated (Ennöckl 2014: 7ff.). Finally, it was the invention of computers that brought privacy to mind, starting with public discussions in the USA in the 1960 s about how personal information should be processed and how privacy could be obtained under these new circumstances (Bygrave 2010: 167). The offending object was the proposal for a centralized databank contain‐ ing census data in the USA in 1966 (Bennett 1992: 46). Later, the cen‐ ter of the question was the allocation of consumer credit and, subse‐ quently, record keeping by government authorities, which was brought up by the Watergate scandal (Rule 2014: 66). In the USA and in the UK as well, study commissions were constituted to investigate what outcomes those new developments would have and how the countries should react to it (Regan 2014: 401). Thus, the same discussion that hit the USA was also present in Europe (Bygrave 2010: 167), and an an‐ swer was demanded, leading to the creation of data protection14 in the 1970 s. Thus, the principles of privacy were transferred to the digital sphere.15 14 Data protection is a term whose origins go back to the German word Datenschutz. It is mostly used in European countries whereas outside Europe scholars refer to terms like protection of privacy, data privacy, or information privacy. In this paper, I will employ the term data protection, unless I acknowledge that it has weaknesses as well. On the one hand, data protection hides the actual interest at stake (which is privacy), but, on the other hand, it allows a much better differentiation between the informational and, e.g., the physical dimension of the term privacy. Moreover, data protection cannot only be related to privacy. Most notably in the Scandinavian discussion about privacy the insight arose that the demand for data protection is not only determined by the interest in privacy. Also values, like a citi‐ zen friendly administration, the proportionality of control and the rule of law can call for data protection laws (Bygrave 2010: 166, 168 f., 172 f.). 15 In the academic discussion, data protection is viewed as the continuance of the so‐ cial norm of privacy (Schmale 2014: 79 f.). Nevertheless, contrary opinions still find their way into newspapers, arguing that privacy was a very new phenomenon 3.3. Privacy as International Norm 25 All states faced the occurrence of digital data procession, making the responses converge to a certain degree, although national forces contributed to local variations (Bennett 1992: 221ff.). This develop‐ ment “made privacy erupt into a frontline issue around the world” (Solove 2008: 4). The history of data protection began in 1970, when the first data protection law in the world was adopted in Wiesbaden, the capital of the German federal state of Hesse16. Many countries17 and German states followed this approach and adopted similar laws and regulations (Schwartz 2013: 1966). A few years later, in 1983, data protection was granted the stance of a fundamental right by the German Federal Con‐ stitutional Court. The court created the principle of informational selfdetermination. According to the Constitutional Court, everyone has the right to be in charge of the disclosure of personal information and how one’s personal data is used in cases of disclosure (Garstka 2003: 48). With this principle, the right to privacy, the right to decide about the access to the self, was carried forward to the digital sphere. Later, the right to informational self-determination became a key principle in the data protection approach of the EU and many European countries. Because the emerging flow of data was not bound to borders, in‐ ternational agreements were inevitable. Already in the late 1960 s, the OECD held meetings and international conferences to tackle the prob‐ lems the new international data flow implicated (Schiedermair 2012: 172 f.). The OECD first broke the ground in 1980 with her Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, “the first international statement of essential information privacy whose complete disappearance in a digital world would not really matter (Schariat‐ madari 2015). As this chapter shows, this point of view is more than dubious. 16 At that time the initiation of a data protection law was seen as a step to protect personal freedom. The then minister-president of Hessen, Albert Osswald, viewed that law as a step to the next decade and as a necessity to defend the country against developments imagined by the novelist George Orwell: “Die Orwellsche Vi‐ sion des allwissenden Staates, der die intimsten Winkel menschlicher Lebenssphäre ausforscht, wird in unserem Land nicht Wirklichkeit werden” (Der Spiegel 1971: 88). 17 Sweden (1973), Austria, Denmark, France and Norway (all 1978) adopted data protection laws as well. The first federal German law regarding data protection was adopted in 1977 (Schwartz 2013: 1969). 3. Norm Diffusion: How Privacy Became an International Norm 26 principles” (Schwartz 2013: 1966). The guideline contains in their pref‐ ace a statement concerning the human right to privacy minded to pre‐ vent “violations of fundamental human rights, such as the unlawful storage of personal data, the storage of inaccurate personal data, or the abuse or unauthorized disclosure of such data” (Organization for Eco‐ nomic Co-Operation and Development 1980), although one main fac‐ tor for adopting the guidelines was the economic necessity of the free flow of data (Schwartz 2013: 1971). To obtain this target, the individu‐ al, according to the guideline, should have the right to obtain the infor‐ mation from a data controller if information about this person has been saved and what kind of information is saved. Furthermore, ev‐ eryone should have the right to challenge this information and, if suc‐ cessful, can be adamant that the data are deleted or modified. In addi‐ tion to that, the data collection should have legal limits; also an ear‐ marking should be established (Organization for Economic Co-Opera‐ tion and Development 1980). Albeit these guidelines were non-bind‐ ing, they influenced national legislation of OECD member states and non-member states (Schwartz 2013: 1970; Schiedermair 2012: 151). Just one year later, in 1981, the CoE launched the world’s first legally binding guidelines on data protection. Contrary to the OECD, whose approach is also based on an economic approach, the CoE guidelines focus on human rights. This is due to the fact that the CoE convention on data protection drew inspiration directly from the Euro‐ pean Convention of Human Rights, which was adopted in 1950 by the CoE shortly after its establishment. In Article 12, it entails a right to privacy: “Everyone has the right to respect for his private and family life, his home and his correspondence” (Council of Europe n.d.: 10). Already in the late 1960 s the CoE recognized a potential threat to human rights by automatic data processing. The CoE members initiat‐ ed a study on adequate privacy protection in times of technological de‐ velopment, which concluded that most of the national laws at that time did not provide sufficient protection. Albeit the result of this were two non-binding resolutions on data protection adopted by the CoE in the 1970 s, it was clear to many CoE experts that a binding interna‐ tional agreement would be inevitable to achieve a satisfactory protec‐ tion. A committee of experts on data processing was constituted that would, in close cooperation with the OECD, work out a draft for a 3.3. Privacy as International Norm 27 convention. After a revision of this draft, the council of ministers adopted the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data in January 1981 (Schiedermair 2012: 316ff.; Ennöckl 2014: 313ff.). It contains a clear acknowledge‐ ment to “everyone’s rights and fundamental freedoms, and in particu‐ lar the right to the respect for privacy […] recognising that it is neces‐ sary to reconcile the fundamental values of the respect for privacy and the free flow of information between peoples” (Council of Europe 1981). The convention influenced the further developments of data pro‐ tection considerably. On the one hand, it affected many countries around the world (Schwartz 2013: 1967). This is not too surprising considering the fact that experts from many countries – including the USA, Canada, Japan and Australia – contributed to the expert com‐ mittee, which finalized the draft of the convention (Schiedermair 2012: 318). On the other hand, this international agreement set five basic principles that have shaped the European data protection until today. First, personal data have to be obtained and processed in a lawful way. Second, personal data should just be stored and used for the specific purposes they were collected for. Third, they have to meet this pur‐ pose. Fourth, the personal information has to be correct and up to date. Furthermore, it should not be possible to identify the individual (data owner) by this data longer than necessary (Ennöckl 2014: 315). In the 1990 s, a new major player entered the stage of data protec‐ tion: the EU. This was a time of increasing economic activity between EU member states accompanied by high demands for personal infor‐ mation. To avoid damaging the economic prosperity with national reg‐ ulations on data protection, the EU adopted a data protection directive in 1995. The directive aimed to both ensure a high and equal level of protection of “fundamental rights and freedoms of natural persons, and in particular their right to privacy” (European Union 1995) in the EU and to facilitate and enhance the flow of personal information be‐ tween states. But this directive was not only groundbreaking for EU members; its influence was considerable on the whole world because of its extraterritorial approach: The directive prohibits data transfers to states outside of the EU that have no adequate level of data protection. “This restriction […] reflects an underlying belief that personal infor‐ 3. Norm Diffusion: How Privacy Became an International Norm 28 mation of EU citizens merits protection throughout the world and not merely within the EU” (Schwartz 2013: 1973). It was the rise of a uni‐ form legislation in terms of data protection not only in the EU but also in the world, because other countries followed the EU approach and not the path of the US (Schwartz 2013: 1979). This development prompted Rule (2014) to speak of a “global ‘privacy club’” (67) that continues to increase membership figures: “Except in the United States, national privacy codes establish not just a body of law and poli‐ cy for institutional treatment of personal information, but also a na‐ tional privacy commissioner and a small staff to uphold the law and advocate privacy values in the public forum” (67). While the EU adopted a civil liberties approach to handle the problems of digitalization, the USA decided to choose another option based on the accountability and responsibility of the data collecting or‐ ganizations (see next part of this chapter; Regan 2014: 398). But as a matter of course, also the USA should – theoretically – match the stan‐ dards of European legislation to process personal information about European citizens. That is why the USA and the EU started to negoti‐ ate the Safe Harbor agreement in 1998. With it, not every member state of the EU has to approve of the data flow to the USA, which makes data transfer easier. Even though the EU had never officially considered the US approach as insufficient, first doubts about the suffi‐ cient data protection in the USA came up already in 1999. Although the European Parliament rejected the agreement in a non-binding de‐ cision, the European Commission adopted the arrangement (Schwartz 2013:1979ff.). It took 15 years until the European Court of Justice de‐ clared this agreement invalid in the light of the Snowden revelations (Gibbs 2015). The march of privacy through the IOs was considerably successful. It was accompanied by the development of privacy (I)NGOs, although the history of a modern approach to privacy seems to be quite elitist. From the invention of the right to privacy by a Boston upper-class lawyer to the spread of the norm of privacy in the 1960 s and 1970 s through the support of the concept of data protection by many aca‐ demics, this perspective seems to be fairly true (Rule 2014: 66). Even so, privacy has become a social movement in the last decades of the 20th century (Bennett 2011: 310 f.). The same discussion that set the 3.3. Privacy as International Norm 29 stage for IOs to enhance the norm of privacy was causal for the cre‐ ation of a non-governmental movement for privacy (mainly through NGOs)18 although their composition is far from the classical social movements (Rule 2014: 66). First of all, there are just a few advocate groups that are barely interested in privacy. Privacy International19, the Electronic Frontier Foundation (EFF)20 and the Electronic Privacy Infor‐ mation Center (EPIC)21 are a few examples. Other groups that are in‐ terested in the advocacy of privacy are civil rights and human rights groups like the American Civil Liberties Union (ACLU) or Amnesty In‐ ternational (AI). Furthermore, privacy has quite a long tradition in the business of consumer protection groups. All of these different groups have been somehow involved in Internet privacy issues.22 They are considered to be the non-governmental privacy advocacy network. In 18 In general, that was the time of the development of human rights INGOs. In the 1970 s and 1980 s, they spread enormously and diversified (Keck & Sikkink 1998: 89ff.). 19 Founded in 1990, Privacy International was the first international human rights organization dealing solely with privacy issues. In 1998, they launched the Big Brother Awards, which are annually awarded to persons, organizations or com‐ panies that invaded people’s privacy most. In February 2015, the London-based or‐ ganization triumphed in court against the British intelligence agency GCHQ. Thanks to this judgement, individuals can now learn if the GCHQ holds informa‐ tion about them (Jansen 2015). 20 EFF is – according to self-description – the leading non-profit organization de‐ fending civil liberties in the digital world. Launched in San Francisco in 1990, it supports claimants in their efforts to try AT&T (telecommunication company) for their involvement in NSA spying activities (Electronic Frontier Foundation n.d.a). 21 EPIC is a public interest research centre in Washington, D.C. Established in 1994, it focuses on “emerging privacy and civil liberties issues and to protect privacy, freedom of expression, and democratic values in the information age” (Electronic Privacy Information Center n.d.). In 2014, they launched the Champion of Free‐ dom Award, which is given to people or organizations that have safeguarded the right to privacy (Electronic Privacy Information Center n.d.). 22 It is impossible – and beyond the scope of this chapter – to provide an entire list of all privacy advocacy groups and their activities. But at least Bennett (2011) pro‐ vides a list of the main actors in privacy advocacy worldwide. Furthermore, there exist also other kinds of privacy protection that can hardly be studied scientifically. One example is the everyday resistance. This term describes individuals who try to beat or bypass surveillance systems in everyday life, which can be done for several reasons and by several approaches. But because one main characterization of this kind of movement is invisibility, it is hard to collect statistics on that. The main problem is that these people are not organized in a broader network or agree to a 3. Norm Diffusion: How Privacy Became an International Norm 30 the light of today’s surveillance activities by the USA, it seems ironical that most advocacy groups sprouted in the US; they are also the most well funded ones (Bennett 2011: 301ff.). Scientists also played a very important role with regard to this movement. Through the invention of the concept of public-key cryptography by Whitfield Diffie, Martin Hellmann and Ralph Merkle in 1974, private, non-governmental en‐ cryption was made possible (Diffie & Landau 2007: 68)23. From this point on, hackers also played a key role in the privacy movement. One example is the Chaos Computer Club (CCC), a German NGO with more than 5,000 members, mainly hackers, which was founded in 1981; and by association Europe’s largest organization of hackers (Chaos Computer Club n.d.). All in all, the non-governmental privacy advocacy network has not spread like other social movements. The main reason for this is a fram‐ ing problem. First of all, privacy is a term that is not opposed by most people. In some ways, everyone can agree with the statement that a company or the state should not receive personal information that is not of their businesses. Because the topic is less controversial than oth‐ ers, there is no anti-movement (like, e.g., an anti-abortion movement). This is why the term privacy is not able to create any sense of collective identity. Furthermore, privacy is something that is of a highly contex‐ tual nature. It is, thus, very subjective: If people want to exercise their privacy rights or not, is to a very large part a subjective decision of an individual, which is, lastly, situation-dependent. Moreover, there exists no go-big-or-go-home decision relating to privacy; it is often balanced against other interests like national security, safety or the efficient con‐ duct of marketing. One last point why privacy fails to serve as the de‐ terminant for a broad social movement is the absence of physical harm. It is very difficult to make harm – originated in a lack of privacy – visi‐ joint ideology and can therefore not be considered as belonging to a political movement. Nevertheless, their effort for privacy should not be withheld in this pa‐ per. Scholars expect anyhow that the space to carry out everyday resistance will get more restricted and regulated in the future (Gilliom & Monahan 2014: 405ff.). 23 The OECD also acknowledged the usefulness of encryption and encouraged the member states in 1997 to promote the use of cryptography to the end that it should help to “ensure the security of data, and to protect privacy, in national and global information and communications infrastructures, networks and systems” (Organi‐ zation for Economic Co-Operation and Development 1997: 5). 3.3. Privacy as International Norm 31 ble to the public (Bennett 2011: 311 f.). Nevertheless, on another occa‐ sion, Bennett (2014: 418) holds that the privacy advocacy network will be more recognized in the future. Because of intensifying interactions in the network its visibility to the public should increase. Rules (2014), too, concludes that “the privacy protection movement has given rise to a still-unfolding global culture of concern over collection, sharing and use of personal information” (66). In recent years, the privacy advocacy network has been well aware of possible threats to the right to privacy due to the progress of digital‐ ization and potential surveillance practices. Hence, and because of the mounting proliferation of the security norm after 9/11, advocates have strengthened their effort to defend the right to privacy. First of all, NGOs have continued their work on privacy issues. One example is the Madrid Privacy Declaration, which was adopted in 2009 by a bulk of NGOs to call on governments to adjust their privacy and data pro‐ tection laws, taking into account the danger of contemporary surveil‐ lance practices and possibilities (Bygrave 2010: 182). The same is true of the IOs. The OECD revised their privacy guidelines – originally adopted in 1980 – in 2013. One of the amend‐ ments that the guideline notes is the following: “Exceptions to these Guidelines, including those relating to national sovereignty, national security and public policy (‘ordre public’), should be: a) as few as possi‐ ble, and b) made known to the public” (Organization for Economic Co- Operation and Development 2013: 14). Moreover, the OECD adopted a recommendation concerning the enforcement of privacy laws in 2007 and a report about the implementation of these laws in 2011 (Or‐ ganization for Economic Co-Operation and Development 2013: 127ff.). They also initiated the Global Privacy Enforcement Network (GPEN) in 2010, which has the function “to strengthen personal priva‐ cy protections in this global context by assisting public authorities with responsibilities for enforcing domestic privacy laws strengthen their capacities for cross-border cooperation” (Global Privacy Enforcement Network n.d.). Also the CoE revised the 1981 privacy guideline in 2001, again stating in the preamble that “with the increase in ex‐ changes of personal data across national borders, it is necessary to en‐ sure the effective protection of human rights and fundamental free‐ doms, and in particular the right to privacy” (Council of Europe 2001). 3. Norm Diffusion: How Privacy Became an International Norm 32 The EU is no exception and has also strengthened the enforcement of privacy through the Charter of Fundamental Rights of the European Union (European Union 2012). Not only the right to privacy was adopted in this Charter, but also the right of the protection of personal data was cast in a seperate article. Article 8 governs the following: Everyone has the right to the protection of personal data concerning him or her. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. (European Union 2012) As one can see, privacy became an international norm in the 20th cen‐ tury, accepted by all UN member states as a fundamental human right. Until today, norm entrepreneurs have shown a considerable effort to uphold the norm of privacy and to pressure states to comply with it. Nevertheless – although the development of data protection pushed a European approach to privacy issues around the world – there is no consistent definition of privacy. As Zurawski (2015: 18ff.) notes, data protection cannot be equated with privacy. Whereas data protection is barely an expression of the power structure in a state (how the state has to handle the data of its citizens), privacy is a normative concept that is culturally different and that should be protected by data protec‐ tion (Zurawski 2015: 18ff.). Even so, the understanding of privacy shapes the data protection approach enormously. The EU approach, for example, heavily underlies the self-determination approach that was shaped by the German Federal Constitutional Court. The same is true of the US, where a different understanding of privacy gave rise to a different data protection regime. The following part of this chapter will be devoted to these cultural nuances. Cultural Differences: the USA and the EU The right to privacy is mentioned in all regional human rights declara‐ tions in the world, albeit they differ in definition (Schiedermair 2012: 100ff.; Bygrave 2010: 190ff.). This is an expression of the diversity of 3.4. 3.4. Cultural Differences: the USA and the EU 33 this norm.24 This section will focus on the differences between the EU and US approaches to privacy and data protection. The US Constitution does not contain a right to privacy. However, it states several rights that protect the private sphere. So, the First Amendment contains the right to speak anonymously; the Third Amendment includes the protection of the home; and the Fourth Amendment protects people from warrantless and unreasonable searches and seizers of their persons, homes and letters25 (Solove & Schwartz 2009: 33 f.). The most important amendment with regard to the right to privacy in communication issues is the Fourth Amend‐ ment. The interpretation of privacy in the USA is strongly connected to the sphere of the house. Hence, for everything that is not bound to the home directly, a reasonable expectation of privacy has to exist. Ac‐ cording to the legal interpretation of this right by the Supreme Court, to determine if a government action violates the right to privacy that is established by the Fourth Amendment, it has to be considered if the individual objectively had a reasonable expectation that these things were going to stay private (Kerr 2001: 507ff.). 24 In all societies, privacy has been a necessary condition for human beings. “It seems that the ability to regulate interaction is necessary for individual and cultural sur‐ vival, and unless people have figured out ways to control interaction, their status as intact human beings can well be in jeopardy” (Altmann 1977: 82). But as a matter of course, the degree of privacy of an individual has always been connected to the culture or society he or she lives in. According to Altmann (1977: 72ff.), the scale reaches from cultures of minimal privacy (like the Mehinacu culture, the Javanese culture or the culture of the Pygmies of Zaire) to cultures of maximal privacy (like the Balinese culture or the culture of the Muslim Tuareg), but there exists no cul‐ ture in which the possibility of privacy is completely denied. Nonetheless, a few main trajectories seem to apply in general. One main trajectory seems to apply to all countries: The more complex a society is, the bigger is the concern for privacy. Moore (1984, cited in Bygrave 2010: 175) got to the heart of it: “Privacy is minimal where technology and social organization are minimal.” Fur‐ thermore, the philosophical attitude of a society plays a decisive role. “Concern for privacy tends to be high in societies espousing liberal ideals” (Bygrave 2010: 175). Moreover, more and more countries have Europeanized legislative data protection regimes, albeit their cultural concerns about privacy were actually limited (Bygrave 2010: 183). 25 In reference to the state constitutional laws, the constitutions of some states (Alas‐ ka, California, and Florida) imply an explicit right to privacy (Solove & Schwartz 2009: 34). 3. Norm Diffusion: How Privacy Became an International Norm 34 This approach is also observable when looking at the US data pro‐ tection regime. Contrary to the European civil rights approach of data protection, the US strategy is market-driven. This leads to a legal ap‐ proach of data protection, which is sector-based instead of comprehen‐ sive data protection legislation.26 As far as the private sector is concerned, the US prefers a legisla‐ tion that concentrates on the data holder and the type of data. It is not unusual that the same personal information is governed by two differ‐ ent privacy regimes depending on what kind of data holder holds the information. For instance, the holding of medical information is liable to one set of rules if the holder is a covered entity under the Health In‐ formation Portability and Accountability Act, and to another set of rules if the holder is a school (which is ruled by the Family Educational Rights and Privacy Act). If individuals want to protect their personal data, they need to be careful to what kind of holder the data is present‐ ed. While in the European Union citizens and consumers have a degree of control over how data controllers manage discrete aspects of their identi‐ ties, in the […] [US] model individuals would have a (rather limited) de‐ gree of choice over which […] [identity provider] manages their informa‐ tion, but not over how such information is managed. […] [From an US point of view,] it seems that users would […] have the choice of which third-party identity contractor controls their personal data, rather than the enforceable rights granted to citizens of the European Union. (Holt & Malcic 2015: 165ff.) Other laws govern only certain types of data, e.g., the Video Privacy Protection Act, which only applies to data that are recorded on video‐ cassette tapes (Schwartz 2013: 1974 f.). Furthermore, the USA does not prohibit data processing unless it is specifically illegalized. Contrary, the EU forbids the use of data without a legal basis. This legal basis contains eight principles, which have to be satisfied by every data hold‐ er (approach of omnibus law instead of sectoral approach), no matter wether they are private or public: (1) limits on data collection, also termed data minimization; (2) the data quality principle; and (3) notice, access, and correction rights for the indi‐ 26 One of the latest discussions about the different interpretations of privacy by Americans and Germans has been conducted by Miller (2017). 3.4. Cultural Differences: the USA and the EU 35 vidual; […] (4) a processing of personal data made only pursuant to a le‐ gal basis; (5) regulatory oversight by an independent data protection au‐ thority; (6) enforcement mechanisms, including restrictions on data ex‐ ports to countries that lack sufficient privacy protection; (7) limits on au‐ tomated decisionmaking; and (8) additional protection for sensitive data. (Schwartz 2013: 1976) In the USA, data protection is subjected to just two general principles, which can be found in many legislative acts: first, the concept of notice of data processing practices and, second, the consent to this procession by the affected party. These differences exist due to the fact that data protection is – from the European point of view – part of the require‐ ments to guarantee active citizen participation in a democratic state whereas the USA does not hold this perspective. Furthermore, the USA does not forbid the export of personal information to countries without a certain degree of data protection. In addition to that, there is no federal data protection agency. Suitable to a market-driven ap‐ proach, the Federal Trade Commission (FTC) is responsible for the oversight. The main tasks of this authority are consumer protection and the establishment of fair practices in business, but the FTC is also responsible for privacy protection. However, there are considerable doubts as to whether the FTC can satisfy these requirements. One main point of criticism is that the FTC has – with regard to data pro‐ tection – no jurisdiction over all companies and that the financial means of the FTC are not sufficient to guarantee comprehensive data protection (Schwartz 2013: 1974ff.; Bygrave 2010: 172). Nevertheless, there exists one legislative act that deals with privacy issues in general: the Privacy Act. It was adopted in 1974 and prohibits the disclosure of private and medical information held by federal agen‐ cies.27 Furthermore, it gives individuals the right of access to this infor‐ mation and the possibility to challenge these records. Only federal agencies have to comply with these rules and they are not applicable to private actors. Contrary to the EU approach, in the USA there exists 27 The adoption of the Privacy Act was the result of a decade of intensive discussion. The starting point was a proposal by the Social Science Research Center to create a central government database in which all personal information about the citizens, which are held by different government authorities, could be brought together (Nissenbaum 2010: 93). 3. Norm Diffusion: How Privacy Became an International Norm 36 no omnibus legislation regarding privacy (Stratford & Stradford 1998: 17ff.). All in all, the USA prefers a model based on market conditions in‐ stead of an omnibus legislation with comprehensive data protection. However, the rest of the world follows the EU approach (Schwartz 2013: 1979). Well over 40 countries have already adopted data protec‐ tion laws matching the European standard, and this number is increas‐ ing steadily (Bygrave 2010: 188). This evolution leads to the conclusion that the norm of privacy spread through the process of digitalization because of the develop‐ ment of data protection.28 Especially because of the EU’s effort, data protection – and with it the protection of the private sphere – has be‐ come an issue in international relations. Nevertheless, cultural differ‐ ences are still in place and have to be considered when considering the violations of the norm of privacy in the following chapter. This chapter has shown that privacy can be considered as a funda‐ mental human right. A comprehensive advocacy network is in place to uphold this norm. Nevertheless, it is not a typical one. Privacy is a dy‐ namic and weak human rights norm: What is considered to be private changes over time and is dependent on the cultural as well as the situa‐ tional context. Additionally, privacy rights can be reduced in cases of emergency. Hence, the definition Nissenbaum (2010: 231 f.) men‐ tioned at the outset of this chapter is the most exact definition of priva‐ cy. This means that if we want to study how the norm of privacy is challenged by another norm and if the norm of privacy is expiring, we always have to consider what is covered by the norm of privacy in a given context. Nevertheless, there exists one core principal of all ap‐ proaches to privacy: the self-determined decision about the access to the self, particularly to the (digital and analog) flow of personal infor‐ mation. As a next step, the regress of this norm should be considered. 28 Even US intelligence services are included in this development. At least in theory, they agree to the norms of privacy and data protection, although their business often collides with these norms (Buckley 2014: 95ff., 101ff.). 3.4. Cultural Differences: the USA and the EU 37

Chapter Preview



This book aims to explain the US violation of the human right to privacy unveiled by Edward Snowden with a newly developed comprehensive spiral model. After analyzing the social and juridical roots of the norm of privacy, it portrays the countering of privacy by the security norm in the US public debate and the US policy from the 1930s to 2013. On the basis of this case study the author refines the spiral model invented by Risse et al. Finally, the book explores the reaction of several actors following the Snowden disclosures and analyzes the tools these actors have used to influence the behavior of the USA. Thereby the author examines if the US reactions to the Snowden disclosures since 2013 follow the heuristic approach of the spiral model.