Reaction to the new Data Protection Directive proposals has been understandably gloomy, with organisations that depend on customer data to drive value in their business wondering just how bad the impact will be. It is easy to see the first battle as having been decisive, given the heavy nature of the first blow that was landed.
While claiming to reduce the burden on business, not least through the exemption of SMEs from some of the requirements, Viviane Reding has likely increased the costs and resourcing necessary to be compliant. In looking to shift the balance towards the individual, she has severely infringed on the rights of business.
Companies may no longer have to notify a national regulator of their status as a data controller, but they will still have to prepare documentation on what data they hold and how they use it. Registration fees may cost a claimed €2.3 billion across the EU, but the work necessary to audit processes will still have to be done. Worse, observers believe the role of data protection officer will become all but obligatory under the proposals, while the removal of a minimum fee for handling Subject Access Requests is likely to open up the floodgates for a significant increase in SARs.
Just how much extra cost is that likely to impose on companies right across the region? Yet it is precisely this burden which is at the heart of the fightback being prepared right now. Economic impact assessments are being prepared to help demonstrate just how much of a problem the revised Directive might cause.
National and European MPs may well be persuaded that now is not the time to place substantial extra costs on businesses struggling with extreme economic conditions. Especially when it is hard to point to an overwhelming public concern about privacy. Some market research does indeed suggest that consumers worry about data security - why wouldn’t they? But, as the Americans say, data security is like motherhood and apple pie. Everybody is in favour, but that is not a basis for policy or law.
A handful of examples of bad practice, like the struggles of an Austrian student to get a Facebook account deleted, should not justify the wholesale imposition of a right to be forgotten. Social networks have erred, but mostly because of reckless youth, rather than deliberate malice. It is quite a leap from that to a new civil right which few consumers have noticed the absence of.
So the next stage of this battle will be an evidence-based fight back, making a measured case for watering down the proposals based on clear proof of the costs and problems they will cause. It will not be possible to simply oppose everything or get all of the proposals rolled back - there is a powerful lobby within Europe that itself needs to get a sizeable win.
Yet there are reasons to hope that the damage inflicted by the first battle does not mean the war is lost. The data industry can rebuild and fight back - it has to, or accept a profoundly different future.