Europe is at the forefront of the global debate about data protection and privacy. Unfortunately that debate is characterised more by hyberbole and scaremongering than real discussion. Europeans deserve better—and so does the world, who rightly see Europe as a leader on this subject. The new Commission has a chance to truly lead in partnership with governments, like Brazil, that agree with us.¹

Put bluntly, governments can lock people up and throw away the key—including indefinite detention without trial. Companies cannot. Companies can monetize personal data, and in the case of consumer-facing free-to-the-user services, target advertising. Abuses can and have resulted in real harm, and these deserve real focus, but abuses should not be used to obscure the reality that there is a vast power disparity between companies and governments.

Little to no debate is taking place on the very large carve-outs in existing European data protection legislation for governments that allow them to use personal information with few, to no, safeguards. This despite spectacular abuses of personally-identifiable information (“PII”) by governments: large amounts have been made public through inadequate systemic security, plain carelessness, and even greed². As recently as February 2014, the UK’s National Health Service sold the insurance industry the records of 47 million UK citizens.³ It seems that nobody got fired, or prosecuted, nor was it prominently reported. Imagine the screaming headlines, investigations, and fines and prosecution if a company had done the same thing.

Every stakeholder that comes into contact with PII should be held accountable according to their ability to do harm. Right now, the opposite is far too often true. Europeans deserve better and the next Commission should ensure that we get it.

All economic use of PII is not Equal

There is a lot of talk about abuse by companies of PII—yet very little of the reality that one size does not fit all.

Different business models have starkly different motivations. A case in point are so-called ‘data brokers,’ companies whose business model is to aggregate as much information about each person as they can find and sell it on to third parties as many times as possible.⁴ While in Europe the ability of these (in my view very unsavoury) business models is considerably restricted over their counterparts elsewhere,⁵ they do exist. Contrast that with the other end of the scale, companies who provide services for free at the point of use and make money through advertising; their motivation is to foster consumer trust as they compete with similar services.

Europe should do a better job of fostering the latter internally but also externally. In trade policy our negotiators could seek to ensure consumer protection mechanisms online are interoperable—rather than focussing on harmonisation. If consumers could rely upon whatever consumer protections exist in Europe’s trading partners, that would be a real improvement (and something that would help justify trade agreements to increasingly sceptical Europeans). It would also motivate partners to increase, not decrease, the protections they offer in pursuit of making their economies more attractive to European consumers.

Complaints about privacy policies miss the big picture

It is popular to complain about online privacy policies—and let’s be honest, they can be hard to read. However, simply to complain isn’t helpful:

• Privacy policies exist to provide the individual with guarantees from the company they have provided their data to, and in return limit the company hosting the service from liability if they follow the rules. As a consequence, the more detailed privacy policies are, the more terms there are to enforce when companies violate them.
• While some companies may be motivated to hide abuse through obfuscation, long policies are also a consequence of the fact that services are often global and privacy laws national. Creating contracts with users that are capable of multinational application guarantees complexity.

Finally, the debate on privacy policies leaves out public institutions almost entirely. Even national security and law enforcement use of PII should be disclosed in a way that is easily understood, prominently available online and subject to periodic review through open, public processes and ensure recourse is available if a citizen believes he or she has been unfairly treated by their government.

Competition law is not a panacea

When the pace of technological change is as rapid as it is, the idea that competition law is the solution to online problems, with its traditional multi-year timelines and vast costs to all parties is hard to credit. I don’t have an answer, but I think we should start by agreeing that what we have is not really working well for anyone.

Responding to Surveillance

The current situation with respect to data gathering by governments for national security services is damaging to economic development and corrosive of the foundations of democratic values. The debate consists largely of finger-pointing with no discussion of how to create something that is sensible, effective and socially justifiable. Finally, in an area where Europe should lead by example in protecting citizens, we see some European countries treating their nationals in a way we expect more from dictatorships than democracies.

European trade negotiators should also insist that the agreements they negotiate do not have broad national security exceptions; these should be narrow, specific, and limited, in keeping with our values and human rights obligations. This is crucial given that major trading partners are proposing very broad exceptions, some specific to the Internet. Our negotiators should never agree to this.

In Conclusion

The new Commission should use its convening power to bring together companies, NGOs, and national governments to come up with rules that are socially just and effective for law enforcement and security purposes but that are truly congruent with international human rights law and create a competitive advantage for Europe in tech⁶. This would motivate other countries to emulate Europe and move away from a debate focussed on the search for the biggest sinner to one focussed on solving problems.⁷

The Commission cannot do this alone: all European stakeholders must take responsibility for helping make that happen. We can all do better. Europeans deserve nothing less.

¹ Brazil’s Marco Civil, adopted in 2014, is a landmark in the protection of people online. The US, by contrast, is going in the opposite direction in practical terms but also in values terms.

² For just a few examples, and in just one country,

this Wikipedia article is salutary. Even more egregious is the case of the UK’s National Health Service selling the data of 47 million UK citizens.

³ For mainstream reporting of this episode and its aftermath see “Patient records should not have been sold, NHS admits”.

⁴ For an overview of the practices in the USA of data brokers, a 15-minute segment on popular newsmagazine show “60 Minutes” entitled “The Data Brokers: Selling Your Personal Information” is worth watching.

⁵ The US Federal Trade Commission report on the subject is useful and available here.

⁶ I recommend the “Necessary and Proportionate Principles” as the starting-place for that discussion.

⁷ You can read one proposal of the framework of a global dialogue along these lines here.