Reviewing the new European proposal for a General Data Protection Regulation is a task to be handled with care, because the proposal is a complex and multifaceted body of rules, grounded on an ambitious goal. It shouldn't be judged with a simplistic ‘thumbs up’ or ‘thumbs down’, nor should it be dismissed as ineffectual if one disagrees on a specific prescription.
There is something inherently positive in the spirit and goals of the proposal that should be openly recognized: the harmonization of data protection regulation among EU states is needed to put an end to the mess created by national laws. Further, empowering citizens with stronger and better defined means to handle their personal data could eliminate ambiguities about the rights that citizens hold.
Several criticisms have been raised by the press and online. Most of them focus on some of the ‘flagship’ novelties, but, in my opinion, they largely miss the point. For example, it has been argued that the 24-hour breach notification requirement is impossible to meet and would lead to legal disputes. Of course, 24 hours is a strict deadline, and a wider timeframe could be reasonable, but how wide? Forty-eight hours? Seventy-two hours? More? The best you can do? It depends mostly on the degree of inefficiency in handling a security incident. Today, on average, this inefficiency is high, but it is hardly an excuse for setting a loose requirement.
Much worse is the fact that, on average, the discovery of a breach takes weeks, often months. The sad reality is that many corporate networks are stealthily compromised – from SMEs to large corporations – even those specializing in IT security. Changing this is not just a matter of decreasing inefficiency – the problem goes far deeper.
Another criticism concerns ‘the right to be forgotten’, which has been judged anachronistic on today’s internet. Probably, as a definition, it is too emphatic and evocative of people running away from modernity, but within the scope and according to the rationale of the proposal it makes perfect sense. The proposal gives citizens full control of their personal data and requires handlers to keep full control of it.
Personally, I can’t see criticisms like these as relevant; rather, they are symptoms of a broader problem that lies beneath this proposal and that could be summarized in one question: What is this proposal actually aimed at? Clearly, the most obvious answer is protecting the personal data of EU citizens. But is that really the case?
Let’s go back to the roots, which are represented by the ‘Opt-In/Opt-Out’ dichotomy. The US has always explicitly favored Opt-Out, while the EU has had a mixed attitude more inclined toward Opt-In that, in this proposal, becomes strongly Opt-In-oriented.
Opt-Out gives controllers the right to manipulate data at will, hence favoring firms doing business with personal data and (practically) giving no privacy to data subjects; Opt-In gives that right to data subjects, hence impairing business (and improving privacy as a side-effect). Key to this choice is that the outcome is well-known in advance and surprises are very unlikely; so it’s not a choice between different approaches, it’s a choice between two different outcomes having very clear implications for business, politics and society.
So what is a foreseeable scenario with the new EU regulation in place? With regard to EU citizens, controllers will need to engage in serious efforts to convince people to opt-in, perhaps by bundling the option with personalized features. Citizens will have the exercisable right to monitor their privacy, control their data, and ask organizations what they are using their personal data for. Therefore, it’s likely that actual citizens’ privacy will improve, but the extent of such improvement is uncertain and will depend on too many variables to predict.
And what about the market for personal data, the business side of the coin? It certainly worsens and becomes more difficult for current top players, mostly US-based, because there will be a specific European market, with strict rules. This has direct and clear implications on key segments such as cloud computing, search engines, e-commerce, and data analysis, as well as IT security. It will be more difficult, if not impossible, to have a global service that includes Europe, without a strong presence in Europe.
In a sense, the most evident effect of the proposal is to explicitly recognize that data has become a key asset for the EU economy and politics that can no longer be given away for free. To do business with European personal data will require investing in Europe. This proposal has more to do with business and building a fence around the European market than with citizens’ protection. And it’s worth never forgetting how easy it is to be lulled into a false sense of security – in this case about privacy and data protection – simply because people are empowered with new tools and rights.
Marco Cremonini is an assistant professor in the Department of Information Technology at the University of Milan. Previously he served as a research assistant with the Institute for Security Technology Studies (ISTS) at Dartmouth College. He is also a member of the editorial advisory board of Infosecurity magazine.
For a different perspective on this topic, read our accompanying editorial by Sarb Sembhi.