Today the world operates with a certain set of understandings around data and its usage. There are long boring legal disclaimers that we are required to ‘agree’ to in order to be seduced by whatever the service or application is that we just traded for our data. From Facebook to an app, simply ‘agree and proceed’.
Very few of us consider what information we are ‘giving’ away, and even fewer of us consider ‘how’ that information will be used. Almost none of us consider ‘who’ will be able to buy or access our information down the road. New changes to laws in Europe could have huge implications for the ‘data’ business across the world. Perhaps the most immediate impact will be on how European Union (EU) data can be used in the US (as this is where much of the trade and social media data is captured).
The reality is that this is not technically true in Europe – and that applies to jurisdictions outside the EU. In Europe you cannot sign away your rights; the gap that the legal departments are ‘exploiting’ is based on weakness in defining those Personal Information (PI) data rights. These rights are being reviewed by the lawmakers of the EU, and new ‘data age’ rights are soon to be released and instituted.
In short, the current governing laws were drawn up at a time that did not foresee the ‘Big Data’ vs. ‘Span Data’ era and the proliferation of data use that followed. The new European Union legislation will have profound implications for how data is used, solicited, stored, accessed, aggregated and ‘sold on’, in particular anything that could be defined as ‘personal information’. The existing legislation may appear weak in certain use cases, and this appears to have created a ‘data is fair game’ data-rush, but the changes will require the data industry to do some serious rethinking. The new legislation will be much more robust and thorough, and it will have real teeth in terms of its ability to impose sanctions, fines and potentially criminal sentencing.
There is a fundamental difference of opinion on data ‘rights’ in the world, ranging from large sections of the world regarding any sharing of their data as ‘not possible’ for reasons of state (think China and North Korea – fading in extremity as things move westward but still a related thought process), through to the openness of the North American market.
The European perspective is different; essentially, the view of the majority of countries in the EU (and certainly the key ones in this context) is that:
It is entirely possible that once the new legislation is unveiled and publicised, some very fundamental changes will come into place to protect the data (particularly PI) of EU citizens; strict new laws will come into play and be strictly enforced. As the EU has a population of 503 million and the USA had a population of 318.9 (2014), it is clear that the data implication is huge. ‘Goodwill’ gestures of SOX and ‘Safe Harbour’ have not been successful in the eyes of many European authorities, and it is not clear if any ‘goodwill’ measure will exist in the current context (the new versions are likely to be much more stringent).
The key philosophical difference (and likely to be the legal position soon) between the US position on PI data and the European position is this: in the US the data owner is essentially seen as the ‘owner’ of the data once gathered, whereas in Europe the citizen will always ‘own’ their data. To reinforce that position, a range of institutions and laws will be put in place to ‘guarantee’ an EU citizen’s rights to data protection.
The answer to all of the above is unclear, but these are some of the questions (without the name specificity) which are under consideration and intended for resolution by the new European Data Protection standards. One thing that is clear is that there will be a new legal framework in place for anyone who touches EU PI data.
So why is Europe so focused on PI protection? The reasons for this are partly based on history and the subjugation of rights in a historical European context, resulting in personal identity and rights protection being a core concern in Europe and an emotional unification of purpose across political divides.
Europe would also consider itself a leading light in citizens’ rights, and PI protection is a part of that. This idea of European citizen ‘rights and protection’ is key to much of the mainland European attitude to PI and data activities. The move by large corporations to use the data gathered ‘quietly’ or covertly on European citizens is a political time-bomb. There is a case that perhaps the ‘horse has left the stable’, but it is entirely possible that a new horse will be put in the stable and the old horse ordered to be destroyed.
The US has a more open policy and attitude to data protection. Two key parts of the difference are trust in the authorities to ‘do the right thing’ (an attitude not shared in Europe, even with its own institutions) and a post-9/11 fear of ‘the bad guys’. This combination results in a fundamental difference in attitude that could best be summed up in the US as ‘protect us’ and in Europe as ‘protect me’.
So what might be a winning strategy in this dynamic, assuming that all of the social media corporations (and other PI data gatherers) want to continue processing EU data after the new legislation comes into force?
While the exact details of the new laws are not clear, it is however crystal clear that significant change and tightening of access to EU PI data is a few months away. It is incumbent on us to consider the impact and potential opportunities that this change may bring.