The New Frontier of the Data Privacy Business

Today the world operates with a certain set of understandings around data and its usage.  There are long boring legal disclaimers that we are required to ‘agree’ to in order to be seduced by whatever the service or application is that we just traded for our data.  From Facebook to an app, simply ‘agree and proceed’.

Very few of us consider what information we are ‘giving’ away and even fewer of us consider ‘how’ that information will be used. Almost none of us consider ‘who’ will be able to buy or access our information down the road. New changes to laws in Europe could have huge implications for the ‘data’ business across the world. Perhaps the most immediate impact will be in how European Union (EU) data can be used in the US (as this is where much of the trade and social media data is captured).

The first misconception that is widely accepted and operationalised is that once a user ‘agrees’ to their data being used under a ‘button click agreement’ in an app or online service, the information can be collected and used by the service/app provider in any way that they deem fit (or as defined in the legal disclaimer), including resale, profiling, commercial targeting etc.

The reality is that this is not technically true in Europe – and that applies to jurisdictions outside the EU. In Europe you cannot sign away your rights; the gap that legal departments are ‘exploiting’ is based on weaknesses in the definition of those Personal Information (PI) data rights. These rights are being reviewed by the lawmakers of the EU, and new ‘data age’ rights are soon to be released and instituted.

In short, the current governing laws were drawn up at a time that did not foresee the ‘Big Data’ vs ‘Span Data’ era and the proliferation of data use that followed. The new European Union legislation will have profound implications for how data is used, solicited, stored, accessed, aggregated and ‘sold on’, in particular anything that could be defined as ‘personal information’. The existing legislation may appear weak in certain use cases, and this appears to have created a ‘data is fair game’ data-rush, but the changes will require the data industry to do some serious rethinking. The new legislation will be much more robust and thorough, and it will have real teeth in terms of its ability to impose sanctions, fines and potentially criminal sentences.

There is a fundamental difference of opinion on data ‘rights’ in the world, with large sections of the world regarding any sharing of their data as ‘not possible’ for reasons of state (think China and North Korea, fading in extremity as things move westward but still a related thought process), through to the openness of the North American market.

The European perspective is different. Essentially, the view of the majority of countries in the EU (and certainly the key ones in this context) is that:

‘Personal information must be protected, and that people should be protected from giving their personal data away inadvertently’

It is entirely possible that once the new legislation is unveiled and publicised, some very fundamental changes will come into place to protect the data (particularly PI) of EU citizens; strict new laws will come into play and be strictly enforced. As the EU has a population of 503 million and the USA had a population of 318.9 million (2014), it is clear that the data implication is huge. ‘Goodwill’ gestures of SOX and ‘Safe Harbour’ have not been successful in the eyes of many European authorities, and it is not clear if any ‘goodwill’ measure will exist in the current context (the new versions are likely to be much more stringent).

There is a feeling in Europe that large US companies have abused the ‘data friendship’ in many ways, and that a real change is necessary.

The key philosophical difference (and likely to be the legal position soon) between the US position on PI data and the European position is this: in the US the data owner is essentially seen as the ‘owner’ of the data once gathered, whereas in Europe the citizen will always ‘own’ their data. To reinforce that position, a range of institutions and laws will be put in place to ‘guarantee’ an EU citizen’s rights to data protection.

Some questions that you might consider in this context:

  • What would happen if Google were to reveal personal information on EU citizens, without their explicit consent (even if that consent was within the remit of the citizen to give), either within or without the European Union? Could the company be heavily fined, could executives go to jail (assuming scale, severity or repetition)?
  • Could Facebook continue to target sales banner adverts to specific people (EU Citizens), based on their ‘private’ photos, comments or associations?
  • Could Google, Facebook, Twitter, LinkedIn et al, or any other data gathering company continue to ‘sell’ data to third parties? If so, what restrictions and controls would be put on that downstream use, given that the further down the chain the data goes, the weaker the control becomes?
  • What is the position where US companies allow US government agencies access to the ‘personal’ (protected) data or associations of EU citizens? What is the legal position on a US company gathering information on EU citizens, and then allowing a government agency access to that data? From a European perspective it is not acceptable; it is seen as a form of covert corporate espionage on behalf of the US intelligence community and a form of sovereignty infringement. While the motive may be valid, the action is a growing issue. The EU has a mandate to protect its citizens, and that includes their data.
  • Could a US based company have a single repository of data which includes ‘protected’ EU citizen PI data, physically in the US and in the same physical tables as non EU data sets and pooled for reporting and analysis?
  • Can any collector of social data or information (or information that is collected in any other way but is still PI) sell that data on to another party, or allow it to be used, by any other third party? (Whether they clicked an ‘agreement’ button or not).

The answer to all of the above is unclear, but these are some of the questions (without the name specificity) which are under consideration and intended for resolution by the new European Data Protection standards. One thing that is clear is that there will be a new legal framework in place for anyone who touches EU PI data.

So why is Europe so focused on PI protection?  The reasons for this are partly based on history and the subjugation of rights in a historical European context, resulting in personal identity and rights protection being a core concern in Europe and an emotional unification of purpose across political divides.

Europe would also consider itself a leading light in citizens’ rights, and PI protection is a part of that. This idea of European citizen ‘rights and protection’ is key to much of the mainland European attitude to PI and data activities. The move by large corporations to use the data gathered ‘quietly’ or covertly on European citizens is a political time-bomb. There is a case that perhaps the ‘horse has left the stable’, but it is entirely possible that a new horse will be put in the stable and the old horse ordered to be destroyed.

The US has a more open policy and attitude to data protection. Two key parts of the difference are trust in the authorities to ‘do the right thing’ (an attitude not shared in Europe even with its own institutions), and a post-9/11 fear of ‘the bad guys’. This combination results in a fundamental difference in attitude that could best be summed up in the US as ‘protect us’ and in Europe as ‘protect me’.

So what might be a winning strategy in this dynamic, assuming that all of the social media corporations (and other PI data gatherers) want to continue processing EU data after the new legislation comes into force?

Some strategies that may be useful:

  • Consider if you can process the data in the market (within the physical EU). Even cloud providers will find that there is now clearly a market for data centres that are within certain jurisdictions.
  • Consider if you need to architect an aggregation layer – it may be the simplest solution. (EU data would be stored at the detail level within safe EU data centres, with other repositories potentially outside that border if necessary.)
    • Use aggregated data for data that moves outside of the EU.
    • Don’t physically mix EU and non EU PI data outside the EU.
  • Treat EU data as a protected resource, put the correct controls in place and restrict access to ONLY appropriate people and processes as defined in the new legislation.
  • Understand that the changes will be LAW; you must comply even if not based in Europe.
  • Don’t sell the data onwards, at least not as non-aggregated or personally identifiable.
  • If you are exposing data that may be PI (e.g. Google) best ensure that it is nothing new or ‘manufactured’, but simply a search exposition. Go beyond that and impose filters and mitigation processes.
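
The aggregation-layer strategy above can be sketched as an export gate that keeps EU detail rows in an EU store and lets only aggregated counts cross the border. This is an added example, not part of the original article; the field names, the `jurisdiction` tag, the sample records and the small-group suppression threshold are all assumptions made for illustration.

```python
from collections import Counter

# Constructed sample records; field names and the "jurisdiction" tag are assumptions.
RECORDS = [
    {"user_id": "u1", "jurisdiction": "EU", "country": "DE", "age_band": "25-34"},
    {"user_id": "u2", "jurisdiction": "EU", "country": "DE", "age_band": "25-34"},
    {"user_id": "u3", "jurisdiction": "EU", "country": "DE", "age_band": "25-34"},
    {"user_id": "u4", "jurisdiction": "EU", "country": "DE", "age_band": "25-34"},
    {"user_id": "u5", "jurisdiction": "EU", "country": "FR", "age_band": "35-44"},
    {"user_id": "u6", "jurisdiction": "US", "country": "US", "age_band": "25-34"},
    {"user_id": "u7", "jurisdiction": "US", "country": "US", "age_band": "45-54"},
]

# Assumption: groups smaller than this are suppressed, because a count over
# one or two people can still single out an individual.
MIN_GROUP_SIZE = 3


def split_by_jurisdiction(records):
    """Route detail rows so EU and non-EU PI are never physically mixed."""
    eu, other = [], []
    for row in records:
        (eu if row["jurisdiction"] == "EU" else other).append(row)
    return eu, other


def aggregate_for_export(eu_records, dimensions, min_group_size=MIN_GROUP_SIZE):
    """Collapse EU detail rows into counts per dimension tuple.

    Identifiers such as user_id are dropped because only the listed
    dimensions and a count survive; small groups are suppressed.
    """
    counts = Counter(tuple(row[d] for d in dimensions) for row in eu_records)
    return [
        dict(zip(dimensions, key), count=n)
        for key, n in sorted(counts.items())
        if n >= min_group_size
    ]


def build_export(records, dimensions):
    """Return what each store receives: detail stays in-region, EU data leaves only as aggregates."""
    eu_detail, other_detail = split_by_jurisdiction(records)
    return {
        "eu_store_detail": eu_detail,              # stays inside the EU data centre
        "global_store_detail": other_detail,       # non-EU detail rows only
        "global_store_eu_aggregates": aggregate_for_export(eu_detail, dimensions),
    }
```
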

While the exact details of the new laws are not clear, it is crystal clear that significant change and tightening of access to EU PI data is a few months away. It is incumbent on us to consider the impact and potential opportunities that this change may bring.

Article written by Patrick Condren