EU data law’s big strategic questions

Posted on: Thursday 2nd of February 2012

I have to say, I’m puzzled by the reaction so far to the EU’s proposed new regulations for data protection.

There’s been a lot of debate about a proposed new ‘right to be forgotten’. However, from what I read of the actual draft legislation, the ifs and buts of this new right mean its real impact could be pretty limited. There’s considerable corporate hand-wringing about the penalties for breaking the new law, but the proposed maximum fines would only apply to the most flagrant violations and be tested in the courts.

Hand-wringing about the cost of implementation is more interesting: I’ll return to that below. What’s not being talked about is more interesting. Take the changed definition of consent.

What does ‘consent’ look like?

Under current legislation, consumers are supposed to give consent to their data being shared with other organisations for the purposes of marketing, or for receiving electronic marketing communications. But the way ‘consent’ has been interpreted, it’s OK for a company to create a pre-ticked box in a ream of small print, provide some explanation somewhere that it’s possible to untick, and ‘consent’ is deemed to have been given. Result: many consumers are ‘consenting’ to things they don’t even know about (and there’s a big trade in the sale of the resulting ‘permissioned’ databases).

The new rules require a “freely given specific, informed and explicit indication” of the customer’s wishes via either “a statement” or a “clear affirmative action”. This is clearly designed to end today’s farce of implied or assumed consent. If implemented, it would not only make some current practices illegal, it would also put the data management/sharing process onto a new footing, making ‘what we want to do with your data’ part of the value proposition for the company: something that needs to be talked about because the company wants/needs something from the customer.

Long term, I suspect, the educative effects of this – the way it propels data use onto the communication agenda and into the public consciousness – could play an important role in the evolution of the personal data ecosystem.

What is personal data?

To my astonishment, I’ve not seen any discussion of the EU’s proposals here, even though their effects could be profound. The draft regulations expand the definition of personal data to include anything that “directly or indirectly” is “reasonably likely to be used” to identify a person including an “identification number, location data, online identifier”. These changes significantly shift the boundaries between ‘personal’ and ‘pseudonymous’ data. When combined with the introduction of affirmative consent these changes threaten the future viability of many mobile phone and internet monetisation strategies, including behavioural targeting.

For this reason we can expect intense lobbying and campaigning, including dire warnings about the end of free Internet services and the suffocation of growth and innovation. (I return to this below – but just to emphasise the point, take a look at the extract from Facebook’s launch prospectus at the end of this blog).

Data portability

So far, most commentary on Article 18 has interpreted the EU’s proposed new right to data portability as ‘your right to take your data out of Facebook’. That’s part of it. But it’s actually much more far reaching. For example, it also enshrines the principles of midata into European law: the right “to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject”.

That’s got huge implications in its own right. Long term, the crucial point here is “for further use by the data subject”. That points to the new market for Personal Information Management Services that we’ve been researching, a market poised for rapid growth and innovation.

In fact, this whole notion of data portability points to a future where the sharing of electronic data between individuals and organisations becomes the norm: part of the way business is done and value added.

For many companies this is a horrifying thought, not because they disagree with the principle, but because of the cost and complexity of making it happen. There are two questions here.

  • First, given technology and economic trends, will there be more or less digital data sharing in five years’ time?
  • Second, if the answer is ‘more’, do we want to benefit from data sharing or stand on the sidelines? If the answer is ‘benefit’, then it’s a good idea to start preparing now.

The costs of compliance

Some lobbyists are already complaining that, if implemented, the new regulations would impose unnecessary cost burdens on business, stifling growth and driving innovators and entrepreneurs away from Europe.

This is an interesting argument. It begs the question “what are the costs of not enforcing regulations such as these?”. The EU’s argument is that playing fast and loose with existing rules (over ‘consent’ for example) and the rise of new privacy-invading practices like behavioural targeting undermine trust, which in turn constrains economic growth. But this is hard to prove because it involves measuring a dog that didn’t bark – growth that never happened. It’s hard to gather evidence about something that didn’t happen.

In contrast, the ‘Wild West’ approach to Internet and data monetisation can point to growth that is happening now. The problem is that the approach currently promoted by many large American companies requires a particular relationship with customers: basically, “keep ’em ignorant and don’t give them a choice!”. It assumes one particular line of evolution: the ever more intensive (and secretive) harvesting of individuals’ data by big corporations.

The EU approach takes a different tack, based on informing and educating individuals and empowering them with choice. Our research into Volunteered Personal Information (VPI) suggests that the cost-saving and wealth-creating opportunities of VPI, where individuals actively take part in the processes of managing personal data, are much greater, even though they are less immediate. Ironically, even though the EU philosophy uses legislation, it’s actually closer to how truly free markets really work.

This, then, is the sub-text of the forthcoming debate about EU data protection regulation. It’s about a vision of the future:

  • are individuals to be active, empowered participants in the evolving data-driven economy, or is their data merely the raw material which it feeds upon?
  • does empowering individuals with knowledge and control over their information unleash or constrain innovation and growth?

These are big and crucial questions. I know where I stand, but what matters is the answers companies come up with. A lot rests on these answers. They really are worth thinking carefully about.

Addendum: How does this affect Facebook?

It’s not clear exactly how Facebook will be affected by these developments, but Facebook knows they could be significant. This is how Facebook refers to them in its launch prospectus:

Our business is subject to complex and evolving U.S. and foreign laws and regulations regarding privacy, data protection, and other matters. Many of these laws and regulations are subject to change and uncertain interpretation, and could result in claims, changes to our business practices, increased cost of operations, or declines in user growth or engagement, or otherwise harm our business.

We are subject to a variety of laws and regulations in the United States and abroad that involve matters central to our business, including user privacy, rights of publicity, data protection, content, intellectual property, distribution, electronic contracts and other communications, competition, protection of minors, consumer protection, taxation, and online payment services. Foreign data protection, privacy, and other laws and regulations are often more restrictive than those in the United States. These U.S. federal and state and foreign laws and regulations are constantly evolving and can be subject to significant change. In addition, the application and interpretation of these laws and regulations are often uncertain, particularly in the new and rapidly evolving industry in which we operate. For example, the interpretation of some laws and regulations that govern the use of names and likenesses in connection with advertising and marketing activities is unsettled and developments in this area could affect the manner in which we design our products, as well as our terms of use. A number of proposals are pending before federal, state, and foreign legislative and regulatory bodies that could significantly affect our business. For example, a revision to the 1995 European Union Data Protection Directive is currently being considered by European legislative bodies that may include more stringent operational requirements for data processors and significant penalties for non-compliance. Similarly, there have been a number of recent legislative proposals in the United States, at both the federal and state level, that would impose new obligations in areas such as privacy and liability for copyright infringement by third parties. 
These existing and proposed laws and regulations can be costly to comply with and can delay or impede the development of new products, result in negative publicity, increase our operating costs, require significant management time and attention, and subject us to claims or other remedies, including fines or demands that we modify or cease existing business practices.