Privacy law is at a crossroads. In light of the digital explosion, policymakers in Europe and North America are engaged in a wholesale process of revisiting the rules governing the treatment by the private sector of personal information.

For too long, such efforts have lacked critical information necessary for reform. Scholarship and advocacy around privacy regulation has focused almost entirely on law ‘on the books’—legal texts enacted by legislatures or promulgated by agencies. By contrast, the debate has surprisingly ignored privacy ‘on the ground’—the ways in which those who collect and control data in different countries have (or have not) operationalized privacy protection in the light of divergent formal laws, decisions made by local administrative agencies, and other jurisdiction-specific social, cultural, and legal forces.

For the two decades following a 1994 study that examined the practices of seven US companies, no sustained inquiry was conducted into how corporations actually manage privacy in the shadow of formal legal mandates. No such work was ever done in Europe. And no one has ever engaged in a comparative inquiry of privacy practices across jurisdictions. Indeed, despite wide international variation in approach, even the last detailed comparative account of different countries’ enforcement practices occurred over two decades ago. Thus, policy reform efforts have often progressed largely without a real understanding of the ways in which previous regulatory attempts have actually promoted, or thwarted, privacy's protection.

A purely ‘on the books’ approach fails to recognize important attributes of the privacy landscape.

In the United States, despite a static statutory landscape characterized by a patchwork of privacy statutes, the absence of a dedicated data protection agency and a failure to provide across-the-board procedures empowering individuals to control the use and dissemination of their personal information, corporate privacy management has undergone a profound transformation. Thousands of companies have created Chief Privacy Officer positions, a development often accompanied by prominent publicity campaigns. A professional association of privacy professionals boasts over 38,000 members and offers information-privacy training and certification. A robust privacy law practice has arisen to service the growing group of professionals and assist them in assessing and managing privacy. Leading firms conduct privacy audits across multiple sectors. And privacy seal and certification programs have developed.