October 25 Tuesday

Transatlantic Perspectives of Privacy and Cybersecurity: a Proposal

  • Tuesday, October 25, 2016 at 1:00PM - 2:00PM
  • Room 128
  • Open To The Yale Community
  • Add to Calendar:


The idea that the US and EU have different perceptions about privacy values is widespread. When describing the U.S. view, much scholarship starts from Warren and Brandeis’ Article “The Right to Privacy” which presents a general and undefined "right to be let alone" connected to a principle of excluding private spheres from public view. This view is very different from common European perceptions of privacy, which are based on concepts of generally applicable fundamental rights.

This traditional view, however, is incomplete, because it overlooks a critical commonality between the two regimes – the shared fear of what bad actions the "privacy intruder" will take. Specifically, while each regime fears different actors most – both are concerned about the "chilling effects" on individual freedoms that would result from privacy invasions.

We argue that the common values inherent in both United States and European Union privacy regulation, and in their associated bureaucratic institutions, provide clues to developing a framework for coordinating these two different regulatory regimes in a way that reduces compliance transaction costs.

The resultant approach, which we describe as Supervised Market-Based Regulation (SMBR), allows for an international regulatory framework which both shows respect for national differences in privacy preferences while allowing for harmonized compliance procedures which reduce barriers to free flow of information and discourage compliance-avoidance activities.

Such coordination has many benefits for data flow between the two countries, particularly for the multinational technology companies who face a current patchwork of regulatory compliance procedures which differ from nation to nation. Furthermore, based on the success of a similar framework at regulating healthcare cybersecurity in the United States, we hypothesize that such an approach may have benefits for transnational cybersecurity regulation as well that is strictly connected with privacy.

The idea of a SMBR applied to cybersecurity already has some use both in the US and EU. The EU Directive on Security of Network and Information Systems (NIS Directive) requires that Member States maintain cybersecurity procedures and encourages cybersecurity cooperation, but delegates to the individual States details of implementation. In the US, cybersecurity regulation in the healthcare sector employs a similar approach of specifying areas of focus but delegating implementation details to industry actors under the HIPAA Security Rule.

Additionally, as part of the EU cybersecurity strategy, the European Commission and the European Cyber Security Organisation (ECSO) recently signed a contractual Public-Private Partnership (cPPP) which is expected to drive further market-oriented policy measures in the forthcoming months.


Pierluigi Perri, Ph.D., is a tenured researcher at Law School of University of Milan and Advisor on Cybercrime at the Council of Europe in Strasbourg. His academic interests are focused on Privacy, Information Security, Computer Crimes and Computer Forensics.

Since 2010, he is Associate Research Professor in Advanced Computer Law at the University of Milan, and since 2015 he is Director of the postgraduate Course in Computer forensics and Data protection. He was Visiting Postdoctoral Associate at Information Society Project of Yale Law School (CT), Non-Residential Fellow at the Center for Internet and Society of Stanford University – Faculty of Law and Visiting Researcher at the Legal & Corporate Affairs Department of Microsoft Corp. in Redmond (WA). He is author of two books and numerous scientific papers concerning computer law, privacy and information security.

Sponsoring Organization(s)