We know that all our online transactions involve the disclosure of personal information, but 70 per cent of us fear that our personal data is being held by companies for uses other than the ones advertised. The recent Snowden revelations published in newspapers around the world have only served to exacerbate an already tense situation.
When in January 2012 the European Commission launched the discussion on reforming data protection laws, it initiated a long overdue debate. The conclusion of this debate will not only have significant repercussions for Europe but will also affect the development of the information and communications technology (ICT) industry globally. In choosing to be proactive, Europe finds itself on the right side of history. After all, data protection is a fundamental right and citizens must have control over the ways in which their personal data is used.
Since 1995, when the last data protection package was adopted, the world has experienced a 'technological revolution'. As new technologies have the potential to play an important role in kick-starting growth in Europe, it is of paramount importance to unleash the Single Digital Market's potential. Today, in spite of a certain level of harmonization, companies still have to comply with 28 different legal frameworks. They also have 28 interlocutors, since they must deal with every country's data protection authority. Fragmentation is hurting both the companies' competitiveness and Europe's investment climate. Savings from the implementation of a consistency mechanism are estimated at 2.3 billion euros per annum. These savings could very well be re-invested in research and development to boost technological innovation.
The proposed package is currently a work in progress. The European Parliament backed the Commission's proposals on October 21, 2013, so it now remains for the European Council to negotiate the final agreement, which the Commission hopes to conclude by Spring 2014. Under the new proposals, a single set of rules will be implemented and entrepreneurs will answer to a single data protection agency. The proposals are designed to ensure flexibility. The obligations of data controllers and processors are adjusted to both the size of their companies and the nature of the data they are processing. For example, Small and Medium Enterprises (SMEs) will be exempt from a number of requirements. However, though the Commission remains positive, the failure of EU ministers last week to agree on this concept of a 'one-stop-shop' appears to put the Commission's deadline under threat. During the Justice and Home Affairs Council (5-6 December), Member States considered revising the provision after the Head of the European Council's legal services alleged that it undermined human rights.
Overall, the European Commission has aimed for simplicity over complexity. Yet, it also acknowledges that a one-size-fits-all set of rules would be counter-productive in generating new ideas.
For example, the development of cloud computing or big data implies that the volume of stored data is going to increase significantly. More available information will enable those marketing a product to recognize customer heterogeneity and adjust their products to different preferences. Looking to the regulatory framework and how the big players (namely the US and the EU) design regulation, and in particular how they promote data privacy, will have a major impact on how the industries develop. Currently, the US approach is generally more liberal and gives companies a wide degree of freedom to try out data analytics. Having an overly lax regime can be detrimental to the development of new technologies as consumers grow fearful that their details are being used in a way that will ultimately prove harmful to them.
In contrast to the US, the EU proposes a technologically neutral and forward looking set of rules that will regulate what companies can do with data. This, in turn, will help to re-build the consumers' trust. Through including provisions on the 'right to be forgotten' and 'data portability', the agreement would allow citizens to better manage their online information, reinforcing the concept of 'privacy by default', whereby companies provide de facto safeguards to the consumer. Furthermore, to ensure that businesses and national administrations do not collect and use more personal data than is necessary for their operations, the proposed Data Protection Regulation has introduced new concepts such as 'data protection by design' and 'data protection impact assessments'.
Moreover, to tackle both companies' and citizens' insecurities, especially after the Snowden affair, the proposed agreement broadens the territorial scope of rules from collection to the deletion of the data, and establishes the conditions under which data can be transferred from a server in the EU to a server in the US. To guarantee compliance, it advocates for sanctions of up to 2 per cent of a company's annual global turnover. Impunity will no longer be an option.
Globally the ground is shifting. Rapid technological changes have transformed the way personal data is collected, accessed, used, and transferred. On November 27 the Commission issued a Communication on EU-US data flows and outlined recommendations for tightening up and improving the functioning of the 'Safe Harbour' agreement on transatlantic commercial data transfers. At the same time, in Washington DC, discussion on reforming US data protection regulation has been initiated.
At a conference on big data held in Lithuania, Liam Benham, IBM's vice-president of government programmes for Europe, echoed Commissioner Neelie Kroes' words that "big data can be more than a fashionable slogan. It can become a recipe for a competitive Europe." With its reform, Europe is taking account of new realities in an effort to make its companies globally competitive. The exact costs companies will initially bear in adjusting their systems to the revised standards have not yet been analysed in detail, however, the long term benefits are visible. During times of economic hardship, the precondition for growth is that both citizens and companies feel safe to invest in new products and consume. Europe has the potential; the time has come to utilize it.
Ilektra is a trainee at the European Commission's Directorate for Justice where she works for the Communications team.