The Data Protection Regulation as proposed by the European Commission in Brussels is likely to be a barrier to the EU’s competitiveness in the digital world. Other than the tax payer-funded BBC, all digital media in the UK is funded out of advertising revenue - or at least those who venture their capital to develop the astounding variety of digital inventory. Setting out to make advertising less attractive to consumers and less effective for business feels like an own goal for Europe.
Advertisers see the need to bring the law up to date. Digital media was only recently thought of as “new media” - now it is rapidly becoming the usual media. Public, business and regulators alike will expect a maturity of regulation giving consumers protection from the misuse of their data.
If the proposal for a regulation, with common effect in all member states, survives the years of to-and-fro in Brussels and Strasbourg, it will have some advantages. Not least will be a common set of laws in Europe, rather than the patchwork we have now where the common purpose of an EU Directive is re-interpreted by 27 governments and parliaments. But my guess is it will end up as a Directive again.
The proposal to put the Article 29 Group of national enforcers on an official footing, rather than an advisory, one may work to bring them in line with broader social and economic objects. Equally, it may entrench their highly-restrictive world view.
The proposal to fine data users up to 2 per cent of their annual worldwide turnover will be oppressive, expensive for EU companies, and possibly discriminatory in that non-EU companies may be harder to target by a regulator.
The EU has picked up on the “right to be forgotten”, just as the Obama administration has. From a consumer and citizen point of view, we could hardly argue with our right to veto the use and misuse of our personal data. Governments may, of course, have a different point of view about their right to their citizens’ personal data. But from the business of advertising point of view we have no difficulty in respecting this.
The key question in all of this debate is going to be, exactly what is “personal data”? The campaigners are arguing that personal data is all data, regardless of whether or not an individual can be identified from that data. But can this be right? “Any information relating to a data subject” is going to catch all information, even anonymous identifiers like cookies and IP addresses.
My full name, personal address, financial data, religious affiliations, political views or health details would rightly be under my control - they are, after all, mine and they define me in or out of the digital world. But the anonymous or encrypted data that makes the digital world work is not the same. Insisting that digital data deserves the same level of protection may have the opposite effect. If in order to make the digital world work for us as consumers we have to give explicit consent to highly personal data and anonymous data alike, we may just give that permission without thought. So the new law would undermine privacy, not boost it.
If the broad definition of personal data holds, then the requirement for explicit consent for each and every piece of data covered by the definition will be intrusive. There will, of course, be lots of arguments about this. If it really does mean silence or doing nothing - like not opting to click the opt-out box each time - then roll on the revival of the hated pop-ups or the inability to proceed without agreeing. It is not going to be a good user experience.