Can Europe's Single Data Market Solve the US Data Privacy Challenge?
From an American perspective, the European Union can appear to be a coercive force in the technology sector, ensuring that big technology companies don’t step out of line on issues like data privacy.
But there's another perspective to consider. In the future, the EU could well help US companies access all the data that is stored in data warehouses all across Europe.
Digging Into the European Commission Strategy
In fact, the new European data governance strategy foresees a situation where the EU will become a player in the monetization of European citizens’ personal data, with the full consent of those citizens who have no objection to providing that data to organizations.
Unveiled in February of this year, the data strategy slipped under the radar of many tech companies, but it forms one of three strands of a new digital strategy that will guide the EU over the next five years. The new strategy is outlined in three different papers, which foresee the emergence of a "Digital Europe" that has undergone a digital transformation.
The papers outline a five-year policy roadmap, an AI policy that includes plans for legislation aimed at creating human-controlled AI systems and a European Data Strategy that envisages the creation of a huge single market for data.
And it is already underway. The first initiative is called the Trusts Project, which is due to be in place by 2022. This involves the creation of a European-wide pool of personal and nonpersonal data that will be accessible by businesses and technology companies through a system of trusts. While they will not be able to move that data, businesses will be able to use it, although terms of usage and what they will have to offer in exchange have not yet been decided.
That said, close to 500 million people in Europe could become a data source for governments, public bodies and private companies, effectively creating the biggest data marketplace in the world. Could this be a way out of the conundrum American companies have to navigate to use this data?
The Implications of EUSD
Kara Birch is director of policy and compliance at the Australian law firm Peripheral Blue and, as a specialist in privacy and data protection law, has been looking at the possible implications of the new strategy. The EU’s European Strategy for Data (EUSD) has been met with some robust debate in privacy and cybersecurity circles, she said.
At its core, it proposes a conceptual departure from the data protection approach currently taken in many privacy jurisdictions. In particular, the idea that trusts would control large amounts of accessible data on behalf of individuals who would enforce their own rights via those data trusts, as opposed to primarily being enforced by companies complying with obligations on the personal data they control, is a significant shift.
At a conceptual and compliance level, the EUSD seems to place a substantial burden on individuals to exercise choice and control over their own data in the context of some particularly sophisticated and complex data ecosystems. “We have already seen, through recent examples like the Cambridge Analytica scandal, that individuals may not always have a complete understanding of how a decision they make will impact on their own privacy, or on the privacy of others,” Birch said.
“It’s very ambitious to assume that the EC’s proposals around supporting improvements to individual digital literacy will be enough to address all possible restrictions on every individual’s decision-making capacity in relation to the protection of their own data.”
It is also unclear how much of the burden of improving customers’ digital literacy and understanding of complex data systems and processes would be shifted to enterprises.
From a governance and security perspective, the EUSD also raises significant issues. The creation of any centralized repository of data always rings alarm bells for privacy and cybersecurity professionals. Birch added that the security, governance, oversight and accountability of the data trusts themselves, which appear to be the data custodians under the EUSD model, would need careful consideration. For enterprises who have made substantial investments in data security and data governance, transferring this responsibility may seem counter-intuitive.
At an implementation level, it is unclear how much cost there will be to businesses to ensure that their systems, infrastructure and services provide the required security, sustainability, interoperability and scalability that will be needed to participate in the new data market the EUSD creates.
Birch also said that, given that one of the key drivers behind EUSD is to level the playing field between tech giants and small and medium-sized enterprises (SMEs) by providing them equal access to data, it would be an odd consequence if SMEs were burdened by more onerous resourcing and infrastructure requirements than they otherwise would have been.
“The EUSD appears to largely ignore the role that the current marketplace has played in incentivizing data protection,” she said.
Many marketers also make the claim that trust is a brand differentiator. In recent years, numerous enterprises have built brands on a high level of consumer trust, including in relation to their customer data handling practices.
"Poor implementation of the EUSD has the potential to undermine the value that a company’s past data protection efforts have generated in terms of data quality and brand reputation," Birch said. "For enterprises who have already heavily invested in privacy management because of the GDPR, this would be particularly frustrating."
Data Access for All
Michael Paye, CTO of Netwrix, an Irvine, California-based IT security software company, said that while there are problems with this approach, the clear advantage is that it gives smaller companies the same access as big organizations.
In creating a regulated and standardized data market, the EU will be offering the chance for far greater and deeper data analysis than is currently possible with data siloed across many organizations. This has the advantage of lowering the bar to enter the data analysis space and, in limiting what is allowed to be stored by organizations, might go some way to reduce concerns around the levels of data stored. But it is unlikely to solve the general problem of data privacy for organizations.
“Ultimately, the issues that many organizations face on a day-to-day basis in relation to identifying and controlling sensitive data will still exist and can only be addressed by robust processes and effective use of tools to control the ever-growing masses of data,” Paye said.
However, he warned that bringing in such legislation will also create additional barriers and complexity for those enterprises working across multiple regions, particularly if the new approach gives rise to other countries bringing in their own approaches.
Easing Data Access
The EU data market trust does not solve enterprises' data privacy problems. However, the EU data market does allow companies access to data sets that may have otherwise been incomplete or more difficult to obtain from individuals using consent or other legal data transfer methods, said Debbie Reynolds, a consultant to corporations on data privacy.
The EU data market trust would create both a level of anonymity for the individual and a means by which an individual would be paid for their data. This trust would hamper the capabilities of third parties to re-identify and sell data that would have otherwise been personally identifiable.
“Since privacy is a fundamental human right in the EU, many individuals will likely object to the trust and monetization of their data,” Reynolds said.