October 2, 2015
In this post we argue that the debate on the EU’s proposed General Data Protection Regulation is unhealthy: that ‘fundamental rights’ are used as a shield to avoid real discussions on practical implementation, that wild assertions are made about the economic effects of privacy rules, and that European industry’s views, when not dismissed as those of ‘American’ interests, are simply denied.
Much has been written and said about the European Union’s proposed Data Protection Regulation. The Barroso Commission published the proposals in early 2012, and as 2015 draws to a close, the conclusion of the legislators’ First Reading is thought to be imminent. In the three years that have passed, European industry has given a remarkably consistent message: Yes to a Data Protection Regulation, but not without significant improvements. This message has been angrily attacked by defenders of the proposals as ‘unprecedented lobbying’, ‘scaremongering’, and dismissed as the message of ‘big American tech firms’ or the point of view of faceless ‘lobbyists’.
As a policy professional who has worked in this field for 15 years, I expect a certain amount of opposition propaganda; that’s fair and part of the way things work. I can assure readers that there is nothing ‘unprecedented’ about industry’s efforts on this piece of legislation (I often think back to REACH or the Services Directive or the Software Patents Directive). However, I have been surprised, and frankly disappointed, by some of the tactics that have been used in the debate on this critically important piece of legislation.
The first example is the use of the fact that data protection is a fundamental right to kill all discussions about protecting that right in a proportionate and effective manner. Time after time, we have heard MEPs, Commission officials, and others object to industry suggestions aimed at improving the practicality and effectiveness of the rules without actually addressing the substance of our arguments. Instead, we are (sometimes literally) shouted down with cries of, “But this is a fundamental right, and business interests come second!” It’s as if those who say this believed that what is worse for business must be better for civil liberties. This is obviously a facile and simplistic way of looking at things – not least because data protection is not an absolute right and needs to be balanced against other fundamental rights like freedom of speech, the right to work, or others. Such a debate is likely to lead to sub-optimal outcomes.
The second example is the way wild claims are made about the supposed benefits of the new rules for the European economy. The widely derided impact assessment that was published with the proposals made the claim that the new rules would save business 2.3 billion euros. If this were credible, it would have been warmly welcomed by industry. It obviously wasn’t credible. But at least a minimum effort was made to predict the impact, even if it is commonly known to have been engineered to fit a political objective. More worrying is the kind of claim about economic impact that is made without any evidence at all. The biggest such claim is that consumers from all over the world will flock to European service providers because they provide more privacy protections than those elsewhere. Prima facie, this would appear to be a strange argument to make, because Europeans have enjoyed the highest standards of data protection in the world for 20 years, without any clear indication that these have constituted a competitive advantage for European companies. But for the sake of argument, let’s assume the existing standards are too low to deliver this benefit, and that the new, higher standard set by the GDPR could be capable of doing it. Where’s the evidence for the claim? How do we know that consumers in Europe and beyond would actually flock to more privacy protective communications, retail, accountancy, medical, automotive, construction, or any of dozens of other offerings of goods or services? Do EU legislators have data on how much consumers value privacy protection as compared to convenience, speed, quality, price, or any other parameters of their consumption experience? This is an awfully big bet to be making without such information.
The third example is the denial of reality about the strength of industry’s concerns. Just a few days ago, a senior official from DG JUST spoke at the European Parliament and declaimed “Most of the industry, I’d say in terms of GDP, 95% are very happy with the law. You don’t hear anything from them.” This is an astonishing claim, made by someone who must be living in a parallel universe. In the real world, the same department of the European Commission has received hundreds upon hundreds of position papers from concerned companies, trade associations, charities, public service providers, governments, and NGOs, each with a set of concerns about the proposals or the amendments put on the table by the Council and/or the European Parliament. A small proportion of these positions are listed at the end of this blog post to give an idea of the breadth of concerns. They include the positions of large umbrella groups like Business Europe (the European employers’ federation) and UEAPME (representing European SMEs), but also sectoral interests like the healthcare, machinery, or publishing industries. Together, they easily account for 95% of GDP – the real 95% that is not very happy with the proposals, not the imaginary 95% that exists in DG JUST’s parallel universe.
Industry’s very real concerns must not be blithely and irresponsibly waved away or denied.
On a weekly basis, the message we are getting from some legislators is, “We don’t believe you”. Instead, many politicians confidently assert that we have deliberately miscalculated the costs of compliance of the proposed rules or willfully misunderstood our own customers. None of them has offered an explanation for why industry would choose to shoot itself in the foot in this way.
This piece of legislation is really important. It will define the rules of engagement for every single customer-facing business in Europe directly. Its effects will also cascade into the B2B space, because ultimately every aspect of the economy serves some kind of end customer. Just as the 1995 Directive has lasted a generation, hopefully this Regulation will also last a generation. Europe should ensure that it fits with the aspirations and world view of the younger generation – not the generation of the legislators. This younger generation – ‘Generation D’ – wants and expects modern digital, data-enabled services, and thinks about data protection very differently from us oldies. There is enough good text on the table to get it right and provide Europe with rules that help it move confidently forward into the 21st century, with strong, principles-based and practical privacy protections. But there is also enough bad text, and it seems, enough ideological thinking and fantasizing about untested effects, to put us all – consumers, citizens, and industry – in a very dangerous place.
Advertising & Marketing