September 16, 2013
Tomorrow I am fortunate enough to be speaking on a panel at the year’s most important data protection conference in Brussels. The conference theme is the draft EU data protection legislation that has been under discussion since January 2012. My panel will be focused on “the future shape of the digital landscape” in Europe. I wanted to take this opportunity to speak on behalf of a large coalition of tech sector trade associations because this law will set the fundamental rules of the game for any company that uses customer data. Actually, I can hardly think of any companies that don’t fit that description!
The stakes are very high for the European economy. And in this time of economic crisis, it is more important than ever to get the rules right. Thankfully, the draft law and the debate that surround it give me cause for a good deal of optimism.
It looks likely that a lot will be done to address the challenge of operating across borders. European Internet companies are at a natural scale disadvantage compared with our American competitors because of the fragmentation of our markets. Rules simplifying the way we interface with national data protection authorities will help. We know that there are some thorny issues of national constitutional law and judicial process to fix, but with sufficient political will, the lawyers will find a way to make it work!
We also appear to be moving towards a consensus that the law can cover a much broader range of data. The smart way of doing this will be to ensure that companies are incentivised to use forms of data that are harder to link to real-world identities by attaching a carefully reduced set of obligations to the use of such data. In this way, we can achieve a double privacy win for consumers – more of their data is protected, and companies will use more privacy-protective forms of data.
Another key area of progress is the issue of the legal basis that companies must choose for processing personal data. Although this may sound arcane, it’s actually something that has a huge impact on consumers. To simplify somewhat, there are two primary ways we can process data today – either get the permission of the consumer (via contract or “consent”), or apply a balancing test that requires us to have a “legitimate interest” in processing the data that is not outweighed by the privacy interests of the consumer. Many would like to see the rules on consent tightened so that it always has to be given explicitly. And many also want the “legitimate interests” balancing test to be strictly regulated.
While the desire to ensure that companies are actually justified in processing people’s data is understandable, there is a risk that excessive tightening of these two valves will simply stop the perfectly safe processing of vast amounts of business data. Worse, it may push companies to ask for consumer consent more and more frequently, or reduce such intrusions by getting consumers to agree to processing through contracts. On the Internet, that would probably translate into more and more services becoming subject to registration and logging in, so that companies can be sure they are dealing with someone who has given explicit consent. This wouldn’t be such a big problem for our big American competitors, who have high brand recognition and enormous registered user bases. But it would be a major barrier to entry for small, new, European players. It would lead to consumers needing to remember more and more passwords, with all the security risks this entails. And it would also mean that more and more consumer activity on the Internet would be carried out in a fully authenticated (i.e. identified) way, as opposed to anonymously.
We need to provide industry with legal bases that are practical and easy to use in the course of everyday business – legal bases that do not artificially incentivise the reduction of anonymous activity on the Web. And at the same time, we should be flagging the more sensitive processing to consumers for their decision rather than overwhelming them with banal requests for explicit consent.
Here too, progress is being made. I look forward to the debate at the conference tomorrow and in the coming months. We have to get this right.Laurens Cerulus