“Trust is your license to innovate.” That was the simple, striking and powerful message which Information Commissioner Elizabeth Denham gave at the launch of the DataIQ 100 last week. With good regulations, properly enforced acting as the certification of that trust, it forms a clear and sustainable base for data-driven businesses, especially in the post-GDPR era.
Except that not everybody sees it that way. US tech firms and social media platforms, in particular, have decided to restart the argument about the balance between companies and customers. You could argue it is too late - GDPR has been passed, will be enforced from 25th May 2018 and even a post-Brexit UK will follow something similar in intent.
Look around the world and you will see other countries following the framework and standards which the new Regulation sets out. Asia Pacific in particular has been busy introducing data protection laws that are at least equal to - and in some cases exceed - what the European Union has implemented.
Which leaves one major market yet to decide at a national level what it will do - the United States. With multiple federal laws having failed to be approved, the Federal Trade Commission has been acting as the quasi-regulator of data protection. So far, it has taken a tough line, no doubt with a view on those important data transfers between the US and EU. With Privacy Shield struggling to stay afloat in the face of legal challenges, achieving an adequacy ruling in the absence of federal law is difficult.
For those tech and social media firms, this is a worrying development. The innovation which they have been pursuing for the last decade has been based on a one-sided deal for customers - all-in on the terms laid out by those companies, or not in at all. GDPR is going to present big challenges, from data deletion to portability. Think about it - not only will the likes of Facebook have to allow EU citizens to extract all of their information but, by implication, the network may also have to integrate incoming data. Portability means that data has to be heading somewhere, after all.
To counteract this line of development, a new body has been set up with the involvement of ten major brands, called the Personal Data Leadership Forum (PDLF). It perceives current approaches to data protection as being based on a trade-off between innovation or privacy. In other words, it is trying to reframe the argument in terms more favourable to existing business models.
PDLF is setting out to influence legislators and the media, diluting concerns about how its members make use of personal information. That suggests strong resistance to adapting to GDPR. But this will be a powerful lobby and will find a lot of support among the pro-business and anti-regulation community in Washington.
But this could be a case of the past arguing with the future. At a speech given by the digital economy commissioner at last year’s Open Data Institute Summit, the question was addressed about where Europe would find its equivalents to Google, Amazon, Facebook or eBay. The Commissioner said this was the wrong question to ask, since those companies had their origins in the preceding decade. What was more important was to ensure innovative new tech and social firms in the decade ahead.
For Europe, that will mean innovation which builds trust, rather than demanding it de-facto. US firms could find that challenging - but they can not lobby GDPR out of existence, especially once consumers start to experience the extra control and rights it gives them.