BRUSSELS—What’s a data subject? Not what the average person likely thinks.
In fact, the average person is a data subject in the parlance of imminent new European privacy requirements that, if enacted, will create the world’s toughest regulations governing data collection, use and protection in the world’s largest economy. With hundreds of millions of consumers in play—and likely tens of billions of dollars for U.S. companies—the new laws are almost certain to slow the current headlong rush toward massive data collection, analysis, use and sale.
“The key objective of this legislation is to create trust,” Paul Nemitz, European Commission director of fundamental rights and citizenship, told a packed theater in Brussels December 12 at an International Association of Privacy Professionals conference devoted to understanding the impending European Union legislation.
Most of the speakers at the conference said they were confident the EU would pass the new privacy directive, which 28 member states would then codify into their domestic laws as early as 2015.
For his part, Nemitz dismissed worries about potential regulatory costs to business—citing one estimate that U.S. cloud companies such as Amazon and Google have already lost up to $30 billion in business from European firms which fear their data may be exposed to U.S. government scrutiny. This year’s revelations about the National Security Agency’s collection of personal data on billions of people have aroused fierce consumer resentment in Europe, and Nemitz predicted that EU privacy protection will work in favor of EU enterprises.
“I believe privacy will become a competitive advantage for European companies,” Nemitz continued. “There are millions of U.S. and Chinese middle-class consumers who do not want to be constantly tracked and analyzed without knowing what happens to their data and their money.”
The impending EU law contains 90 articles regulating data privacy and protection, based on the proposition that control of individual, personal data is a fundamental human right, and includes the right to consent, the right to access, and the “right to be forgotten,” within limits.
Key provisions will likely mandate informed, explicit consent from consumers for companies to collect any personally sensitive data, such as geo-location, health matters and shopping behavior—opt-out will not suffice. Businesses above a certain size will be required to employ data privacy officers whose job includes oversight of data privacy and protection. Techniques such as data anonymization will be encouraged, and data collectors will bear strict responsibilities for protecting the security of their data. Substantial fines will accrue to violators, and any company that has information on EU citizens on its servers—Amazon, Microsoft and Yahoo, for example—will have to comply. Another notable provision would require organizations that collect or store citizens’ data to report a serious breach “within 24 hours if at all feasible.”
Nemitz and other speakers assured the audience that the intent is not to suffocate innovation or business growth. Richard Watson, a journalist and privacy advocate, cited a famous Google project in which analysis of keyword searches was able to identify flu outbreaks. But, Watson added, there is a steep trade-off for such a public-interest use of big data.
“This data has enormous value, but obviously it consists of information that used to be private to ourselves—what we searched for,” Watson observed. With 12 billion devices connected to the internet in the world today—and 7 trillion by 2045, according to a British government estimate—Watson envisioned data collection schemes that may seem like science fiction now: a toothbrush that reports your child’s brushing compliance to your dentist. It’s not hard to imagine a different use of a keyword search algorithm that might be used to identify AIDS patients, for instance.
“Privacy is fundamental, and will grow more so. But so far everyone seems to think it’s someone else’s responsibility.”
U.S. Federal Trade Commissioner Julie Brill, who has been involved in intense negotiations between American and European officials about the impending regulations, cautioned the 700 Brussels attendees not to confuse consumer privacy with citizen privacy, and to recognize that different techniques to protect privacy may be equally effective on the two continents.
“We don’t have any blanket data privacy laws in the US, and are unlikely to do so in the near future,” Brill acknowledged. “But I have very broad enforcement powers regarding specific sector practices, and I use them. Can the U.S. and EU collaborate in this arena? I’d like to think so.”
Brill pointed out that the Safe Harbor pact provides EU agencies the right to file data protection complaints with her office—but only a dozen or so such actions have been received.
Oxford University Professor Viktor Mayer-Schönberger called the EU focus on point-of-collection safeguards irrelevant and ineffective. He called for the EU to create an entirely different framework for data privacy and protection–strict oversight of the end use made of data, rather than the current focus on the initial moment of acquisition for each data item.
“Data reuse is artificially constrained by the need to specify reuses at the time of collection – when these reuses might not yet have been apparent,” Mayer-Schönberger argued. “Strict purpose limitation would have prevented us from reusing Internet search requests to identify likely adverse drug reactions, or predict the spread of the flu. It hugely limits our ability to employ big data to improve learning and education, as well as health care – two sectors that are particularly ripe for benefiting from insights gleaned from big data analysis.
“While the American government seems wedded to the ideas of Orwell’s 1984, Europe could innovate by giving birth to an effective data protection framework for the big data age,” Mayer-Schönberger said.
Despite his plea, most speakers sounded certain the new regulations will become law in the next year or two.
“User consent is the cornerstone of data privacy, and it should stay that way,” said a statement issued for the conference by Neelie Kroes, the outspoken vice-president of the European Commission.
“Data is a whole new asset class, but companies in big data must think of privacy at every stage,” Kroes said. “How? Not by stopping data use. Mastering big data means mastering privacy. It should be clear to everyone that, in this discussion, you can be at the table—or on the menu.”
Interest in data privacy is growing, judging by the conference organizer’s roster. The International Association of Privacy Professionals was founded in 2000 and now claims 14,000 members in 78 countries—with 4,000 new members in just the past year.
Eric Lucas is a Seattle-based business and travel journalist.
Editor’s note, December 18, 2013: This article has been updated from the original version. The original version incorrectly attributed comments comparing the American government policies to Orwell’s “1984” to Richard Watson. Viktor Mayer-Schönberger made that comparison. The article is also updated to include additional comments that Mayer-Schönberger delivered at the event to clarify the context of his remarks.