Balancing innovation with data protection

There are no easy answers in balancing innovation with the data protection, but as the discussion of the data protection directive begins, it will be important that Britons and Europeans consider risk

William Rinehart
On 7 May 2013 10:44

A new exhibit recently opened in Dublin is immersing visitors in the murky world of statistics and probability. The Science Gallery has converted its space into a casino of modern risk with slot machines and games of Texas Hold ‘Em, explaining that the purpose is to be introspective:

"From bad driving to the lotto, from real estate to smoking, humans find it tricky to evaluate risk. How do emotions, scenarios, or media skew our assessment of the odds. Is it possible to recalibrate our perceptions of risk?"

The exhibit is one for our times. We are living in a world of risk and probability. But, understanding risk is fast becoming a necessary skill for our modern lifestyle, especially when it comes to privacy.  

At the end of April, top officials in Brussels met with Julie Brill of the US Federal Trade Commission (FTC), the chief regulator of privacy in the US, to discuss the future of privacy on both sides of the pond. What is abundantly clear is the distinctive methods that each governance regime is pursuing.

The EU is just in the beginning stages of a single data protection law that will eventually be interpreted by member states, and to that end has been coordinating with a number of different groups, including the US government, to ensure compliance. The US privacy regime is being shaped by a mix of laws governing specific sectors of the economy, pressure via markets and a robust community of corporate privacy managers.

Even though the EU has been pushing for American policymakers to pass a companion data protection law, the US will continue be better served by a predictable common law approach, which is more messy, but gives more flexibility as norms online change.

Negotiating the future of these two approaches will be imperative for every user of innovative Internet-based products. As Brill noted of the current talks, “I wanted to make sure that the language will allow us to continue to co-operate robustly through the ‘safe harbour’, we want to make sure that we have the means to co-operate on international privacy enforcement, and to do it robustly.”

Currently European firms are limited in transferring personal data to overseas jurisdictions, but are allowed to do so with the US if the companies abide by so-called 'safe harbour' principles. When the new data protection directive comes down, there has been worry that the safe harbor will no longer apply, an outcome that Brill wanted to avoid.  

Regardless, it isn’t going to be the law itself, but the country-level transpositions that will actually direct privacy law in Europe. The play between the actual laws and the directive rightly worries some of the players in the Internet ecosystem.

A little over year ago we saw exactly the interpretive power of countries when one potential Dutch transposition of the E-Privacy Directive was drafted. This is the exactly the law that forces web sites to serve you the cookie settings notice. But, under that interpretation, each cookie would have required explicit consent.

This may sound fairly innocuous given the experience now, but news sites, like most sites on the Internet, have dozens of integrated third-party services. A web site created by a coalition of industry groups showed exactly what the result would have been. Internet use would have become extremely tedious, as the the single most important benefit of these sites, usability, was thrown out. In its place would be substituted a slurry of opt-in popups, as each element on the page asked for permission before they were able to load.

Even though this particular Dutch interpretation never came to be, the opt-in system of cookies we have all come to learn about still presents a cost to the user that should not be overlooked.

As Nicklas Lundblad and Betsy Masiello point out in a paper appropriately titled “Opt-In Dystopias,”

Unlike opt-out, an opt-in policy requires that a user make two decisions: first, a user must decide if it is worth the time to evaluate the decision to opt-in; and, second, a user must then make the actual evaluation of whether the service is valuable enough to justify the opt-in. This dual cost structure is absent from the opt-out model, and has the effect of imposing a cost on the initial recognition of a great opportunity or service...

This means that many users who would otherwise have benefited from using services that collect information may be deterred simply by a subjective feeling or inability to evaluate the initial costs of the offer as it stands.  

The cookie law has caused confusion, and it is not clear exactly the positive effect it is having on privacy. Compliance is becoming more widespread, but the cost it is having on commerce is still an open question. Though comprehensive studies have yet to be conducted, early estimates of the cost of the rule change placed it in the range of £10 billion.

As for enforcement, the Information Commissioner’s Office is rightly holding back on fines. As Oliver Emberton, the Managing Director of Silktide, said, “I think it's clear at this point they've no appetite for the law they've been asked to enforce.” One wonders if this is an implicit admission that the law is a bit burdensome.

And as my colleague Berin Szoka commented, we cannot dismiss the tradeoffs taken when we enact legislation:

Attempting to control one of the primary variables of price, quantity, or quality inevitably results in non-optimal adjustments in the other two variables. The absence of price as a variable in the context of “free” (i.e., ad supported) content and services means there is one less variable for the government to control in the first place. Simply stated, stifling the evolution of the online advertising marketplace will likely result in fewer free online services and less content, less high-quality online services and content, or some combination of both.

There are no easy answers here in balancing innovation with the data protection, but as the discussion of the data protection directive begins in earnest later this year, it will be important that Britons and Europeans keep a watchful eye on developments and carefully consider what is risky and what is mere speculation. As the exhibit in Dublin articulated, it is imperative that we understand our own world by asking those tough questions: “How do emotions, scenarios, or media skew our assessment of the odds?”  

Ensuring that the most egregious laws don’t hamstring innovation on the net is important to the medium’s progress. Readers of this site, who understand the importance of varied viewpoints, should especially appreciate that.

blog comments powered by Disqus