The EU is currently seeking to replace its nearly two-decade-old policy on data protection for the Internet, social networking and smartphone age. Its proposed reforms seek to deliver better data protection, legal certainty and trust, with the aim of enhancing the EU’s competitiveness. Kristina Irion and Giacomo Luchetta discuss their new report on Online Personal Data Processing and EU Data Protection Reform, arguing that the reforms may fail due to the real risks of the politicisation of data protection, the still fragmented nature of regulations on electronic privacy, and a lack of innovative elements in the proposals.
Data protection policy has developed from being a niche regulatory subject into a mainstream concern for policymakers, individuals and businesses. The issue’s salience today can be explained by the role that is envisaged for personal data in the emerging information-rich economy. The Boston Consulting Group has estimated that the volume of global data transactions is increasing annually by 45 per cent and in the near future 8 per cent of the EU’s GDP will be directly attributable to extracting value from information. When personal data is a most valuable commercial asset on which many online businesses thrive, companies’ stakes in any regulation that would restrict their ability to use personal data as they see fit are understandably very high.
As online technologies develop, connected mobile devices proliferate and the use of social media grows exponentially, users appear to divulge information about themselves and to accept a company’s terms and conditions with a quick click of the mouse. It is not just carelessness that makes users surrender their privacy, however, but also the fact that consumers are often not empowered vis-à-vis online companies. Numerous studies have shown little consumer confidence in the way many online companies make use of personal data and resignation about users’ effective ability to control their personal data.
Since the 1990s a distinct European approach to data protection has developed which is firmly embedded in a constitutional recognition of the right to privacy. Moreover, the “right to the protection of personal data” has evolved to become a modern fundamental right in the EU. In the face of ongoing transformations that have been spurred on by Information and Communications Technology, we may not yet fully comprehend the importance of these rights for individuals and our democratic culture even in a commercial context. Certainly, data protection should be enabling for modern business models, including those that require sophisticated analytical techniques, as long as this is in the interest of consumers and their ability to influence if and how their personal data is used is respected.
The first generation of EU data protection rules were established in a 1995 directive which, from the very outset, has pursued two objectives that are seemingly at odds: to protect these fundamental rights while ensuring the free movement of personal data in the EU internal market. At present, the EU legislator (Council and Parliament of the EU) is working to modernise the general rules so that it can deliver better data protection, legal certainty and, ultimately, trust with the wider ambition to enhance the EU’s competitiveness. This reform was originally launched with the intention to retain the existing level of data protection, to overcome legal fragmentation by resorting to a single EU-wide instrument and to modernize the regulation in order to cope with today’s ubiquitous data processing. Despite important innovations in detail, our recent report suggests that there is a risk that the reform will fall behind in all three of these goals.
First, retaining current levels of data protection may be endangered because EU decision makers are not sure whether the reform will stifle or actually enrich innovation. This is not least because powerful lobbies from within the EU and overseas advocate for the interests of providers over consumers. Even today, data protection compliance is often a symbolic and passive exercise whenever individuals must give a consent bundle that authorizes the extensive use of their personal data. But in the discussion about the reform proposals some core concepts of data protection regulation, such as the definitions of personal data and individuals’ consent, have turned out to be highly politicised. This is despite the fact that they are already part of the present rules. Damage would be done if a new regulation protects less than all personal data and consent is not explicit and separated from any other transaction.
Second, while it is true that a single EU regulation would overcome the fragmented legacy of the 1995 directive, from the vantage point of processing personal data that is inherent to most online businesses today, fragmentation will persist along the lines of a specific directive on electronic privacy. This leads to conflicting outcomes where installing cookies on end-user terminals or sending email marketing – which are both fairly mainstream practices – will still be regulated separately by 27 member states. EU policymakers are well aware of the two tracks, which can be explained against the background of EU competencies and reform agendas opening different windows of opportunity to introduce new rules. However, it is an increasingly artificial distinction to treat “online” as a different sector, and this should be consolidated into general rules.
The third and final point about modernized rules that will be fit to cope with today’s ubiquitous data processing is only partially resolved. The legislative proposal carries a few innovative elements such as a provision that requires organizations to implement data protection by design and by default. But overall, the reform has been criticised for applying linear concepts to a world of ubiquitous and distributed personal data processing but not offering anything that would scale data protection adequately in the expanding information-rich future. In our report, we discuss options of how to meet the expected magnitude of online personal data processing, and, most importantly, that the role of producers and online platforms should be reconsidered because they are central in helping to ensure compliance. For example, often apps are designed specifically for certain social media sites or smartphones, but the interfaces over which personal data is exchanged do not leverage data protection compliance.
EU legislators now have the difficult task of remaining firm on the principles of data protection and issuing a new EU-wide data protection regulation which is internally consistent, comprehensible and flexible. Data protection in the information-rich economy should enable rendering personalised online services to users but also empower them to effectively control what is done with their personal data beyond the original context. The new regulation can help companies to better demonstrate the benefits of processing personal data to users and their responsible use which ultimately helps to establish trust online.
Note: This article gives the views of the author, and not the position of EUROPP – European Politics and Policy, nor of the London School of Economics.
About the authors
Kristina Irion – Central European University
Dr. Kristina Irion is Assistant Professor at the Department of Public Policy and Research Director at the Center for Media and Communications Studies (CMCS) at Central European University in Budapest, Hungary. Pertaining to the information society, her research focuses on policies and governance of communications, media and information.
Giacomo Luchetta – Centre for European Policy Studies
Giacomo Luchetta is a Researcher at the Centre for European Policy Studies in Brussels, Belgium, where he contributes to the activity of the Regulatory Policy Unit. His expertise covers better regulation issues, impact assessments, competition law and economics as well as ICT law and economics.