Europe stirs the crucible of data privacy

Long before the Snowden revelations made privacy laws a battlefield of international diplomacy, the EU's plans to harmonize data protection were already stirring a crucible of strong emotions.

Many Europeans see data privacy as a fundamental human right. For some on the left, it's also a convenient stick with which to strike back against the forces of global capitalism.

Add to this volatile cocktail a strong dose of euro-jingoism and you have all the ingredients for a powerful explosion.

Earlier today, the LIBE committee of the European Parliament backed a tough package of amendments to a new set of data privacy laws. The amendments propose to give individuals more control over their data held by third parties and allow punitive fines on companies that break the new rules.

But don't panic yet; whether these amendments will ever be enacted is another matter — the Parliament is not the sovereign body of Europe. Policy makers will now enter a process that insiders dub a 'trialog'.

This three-cornered negotiation takes place between representatives of the European Parliament, officials at the European Commission and the true holders of power in Europe, the Council of Ministers representing the 28 member states. All of this has to be ratified before the Parliament dissolves for elections that take place next June.

It's all in the balance therefore — and it will probably all go horribly wrong. But there's still a whiff of a chance that common sense will prevail and something good will come out of this. It all depends on getting the balance right across three very different dimensions.

Individual vs the corporation

Europeans feel really strongly about this dimension. Perhaps it's because the history of repression and police states is still so much more recent for Europeans that they worry about what others do with their personal data. Or perhaps it's just distrust of the unfettered power of large corporations. Whatever the reason, many Europeans want to have control over data they give to corporations.

This is a point of view many Americans simply can't relate to. They see it as inevitable that their private information will end up online (although there are limits: understandably they balk at the notion of credit reference agencies selling it to ID theft criminals for profit).

Infor's CEO Charles Phillips gave a typical response when I raised the data privacy question with him in conversation on Friday:

"US people just put their data out there, especially younger people. The rest of the world isn't there yet. If you were concerned about that, you would've gotten worn down long ago in the US."

But for certain sections of the population, privacy can make the difference between safety and peril. While some people may argue that if you have nothing to hide you have nothing to worry about, others take a different perspective. Fugitives from domestic violence, those on witness protection schemes and people who have been through a gender transition all have life-changing reasons for wanting to control what data about them is out there.

That's why many in Europe elevate data privacy to the status of a human right. This allows them to feel scandalized that the US, while respecting minimal protection for the data privacy rights of its own citizens, allows its security agencies free rein to abuse the privacy of citizens of every other country.  Though their own governments often play equally fast-and-loose with privacy.

Enshrining data privacy as a universal human right would provide protection that many feel could redress the balance of power between powerful corporations and individual citizens.

Innovation vs regulation

On the other hand, should the rights of a few restrict the freedoms of everyone else? The same burdens that tie the hands of global Internet giants while they profit from our data will also restrict the ability of startups and small businesses to pioneer innovative new services based on predicting our wants and needs.

The EU's proposed new regulations encourage the use of 'pseudonymized' data, recognizing the value that can be derived from analyzing aggregate data in fields such as health, accident and fraud prevention, credit rating, predictive analysis, and so on. But even here there are potentially onerous requirements to ensure that identifying data cannot be extrapolated.

Many of us may well be happy — as most Americans are — to divulge our behavior, status and preferences in order to get better targeted, more timely and accurate services from providers. But these regulations could make those services more expensive to provide and indeed less competitive from similar services delivered under more lenient data privacy regimes.

In a free market, shouldn't individuals be able to choose the degree of privacy they wish to have? The regulations should not mandate a specific, lowest-common-denominator privacy regime that everyone has to adhere to. Instead perhaps they should simply mandate a bill of rights that ensures people understand what privacy (or lack thereof) they're signing up to for a given service. Then they can make an informed, individual choice whether to participate or not.

EU vs the world

The final component in all this is the diplomatic, trade protectionism angle. Certain policy makers seem to think that if Europe has the most citizen-friendly data protection rules then it will attract more services into its ambit. I'm not so sure that data protection is top of the list of criteria that Internet users have when considering services. Feature sets and pricing count for a lot more.

And if Europe really cares about data privacy as a human right then it should not restrict its horizons to a single continent.

Call me an idealist if you like, but for me, the best outcome out of the current discussions would be a global rather than solely a European consensus on data privacy. Let's find one system that not only the 28 countries of the EU but also the US, Brazil, China, Japan, Singapore, Gulf states and everyone else can get behind.

Then we'll have a truly global playing field in which citizens will know that neither powerful corporations nor an over-zealous state will abuse or undermine their rights to data privacy.

This is not something that can be achieved as early as next June; it will take a lot longer. But it's an important aim. The network benefits of pooling all our knowledge and connections in the cloud will only be realized if the cloud is truly global. Therefore any rules need to be universal and the only rules that can command global respect have to be sufficiently light-touch to permit continued innovation.

Rather than the beginning of the end of the EU's search for data harmonization, I rather hope that this week's deliberations are merely the end of the beginning of a much larger quest for global consensus on Internet rights and freedoms. Let's hope the politicians are up to the task.

Photo credit: © Natalia Rashevskaya - Fotolia.com