A Critical Investigation into the Market Structure of the Security Field

This chapter aims to provide a critical contribution to the ongoing discourse on selfregulation with regard to privacy and data protection (cf. e.g. European Commission 2010). This discourse encompasses the amendment of the EU Data Protection Directive and the related discussion about a principle of accountability (cf. Article 29 Working Party 2010). Underlying these conceptualisations is the assumption that data protection law is generally observed, but could be simplified and even reduced in favour of more self-regulatory approaches which are deemed more efficient. We would like to raise critical questions about the institutional conditions and frameworks that greatly influence data controllers’ potential and motivation for enacting privacy awareness and self-regulation; in other words, the market structures that these organisations operate within. An investigation into organisations’practices is indispensable in order to evaluate these current claims for self-regulation and to lay out the conditions that need to be met if market forces are to be harnessed for privacy and data protection. The results and conclusions presented were gained in the course of the EU FP7 project “Privacy Awareness through Security Organisation Branding” (PATS). The project inquires into the possibilities of organisational self-regulation in the field of security technology and services by means of branding—understood as a complex, two-sided communication process between companies and stakeholders.1 Specifically, research from the first three work packages is used. We started out with an analysis of current security regimes and actors, then interviewed representatives of