In one of the most significant steps on data privacy in recent years, the European Commission is set tomorrow to put forward a comprehensive plan to reform the EU’s data protection rules. As a starting point in this long process, the Commission should be lauded for tackling one of the most critical issues of the digital age. At the same time, we urge the Commission to refrain from adopting the overly prescriptive approach embodied in this draft, which we feel would thwart access by citizens of EU member states to the full array of the most exciting products and services the digital economy has to offer.
The Commission’s effort accomplishes many long-overdue improvements to the EU’s current data privacy regime. It will replace the current overlapping – and often contradictory – system with a single set of rules that applies in all EU member states and covers all types of businesses. These changes will enable a more unified Single Market within the EU and reduce confusion for both enterprises and consumers.
But other elements of the EU proposal threaten to undermine those very constructive goals. Certain elements of the data protection framework, including the “right to be forgotten,” are troubling because implementation will be complex both as a matter of how the technology works and also in terms of aligning with existing laws. Still others – including the draft regulation’s provisions on breach notification, administrative sanctions, and even the definition of personal data – will require significant clarification in order to understand their potential implications. Many of these problems stem from the underlying premise that addressing privacy concerns requires sharp prescriptive rules. In dynamic digital environments, such snapshot-in-time prescriptive rules could chill innovation and digital progress.
We believe in addressing privacy with a flexibility that is commensurate with the rapidly changing digital environment. By focusing too sharply on the narrow issues of today, the EU runs the very real danger of adopting a privacy regime that will be outdated tomorrow and forsaking the “future-proof” framework that the European Commission intends to create. That approach is good for no one: neither for the businesses that will be constrained in their ability to grow and benefit the economy, nor for EU consumers who will be deprived of the full range of products and services that would otherwise be available.
Privacy is a vital component of the technologies that have become so integral to our daily lives, and the European Union is right to stress companies’ responsibility to clearly describe and take responsibility for how users’ data is being collected and used. BSA member companies each already fully embrace the duties that emanate from data stewardship. They have each implemented comprehensive privacy policies, which they update regularly to reflect users’ and customers’ needs and the companies’ ever-evolving software, computer and cloud services. BSA members believe this approach is essential to ensure that individuals can make informed decisions about the firms with which they share their most intimate information. This mutual trust between companies and their customers is one of the most relevant and crucial aspects of the Digital Age.
But our privacy expectations and the ways in which companies will use data to improve our lives are not static. Consider, for example, the growth in social media in the past few years. A method of communicating that was – when the EU last considered its privacy rules – largely limited to conversations over coffee has exploded into an internet-enabled phenomenon that allows users to communicate with people around the world in a matter of a few simple keystrokes.
Good privacy law will allow that growth to continue, and it will be built around a reasonable standard of privacy that focuses on the context in which information is shared. To do otherwise would threaten to lock us into the static world of today – and to bar the progress of tomorrow.
The world is at a critical turning point in the continued evolution of technology, and the European Union has the opportunity to capitalize on this new era. It should do so by embracing privacy considerations that are dynamic and flexible and will ensure users have access to the full range of new and exciting digital technologies.