Friday, April 19, 2013

Could an International Trade War on Privacy Rights for Online Businesses be Heating Up?

Privacy and data protection are synonymous with the “good life” of e-commerce, when online businesses are free to use consumer data with little restrictions.  But with technological advances and the explosive growth of e-commerce, this area invites extraterritorial regulation by foreign governments across borders.  I’m concerned that this web of web regulations will be totally inconsistent, unmanageable and lead to significant costs and lost opportunities for e-businesses.  Consumer protection should not become a mandate for imposing bureaucracy and “free” content management services.

EU Harmony.  In January 2012, the EU announced proposed reforms to its 1995 data protection rules in order to further strengthen online privacy rights and regulate the enormous growth of data collection and processing over the internet in this age of mobile and social computing, the Internet of Things, Big Data and related analytics.  In short, these reforms proposed:

  • a single set of rules to apply across the EU and its administration by a single national data authority within the home EU country with the power to impose fines for non-compliance. 
  • In addition, EU people will have greater privacy rights, including the “right to be forgotten” and the “right to port their data” across service providers. 
  • EU rules would apply in cross-border transactions for companies in non-EU countries handling services to EU citizens.  Any serious data breaches would have to be reported to authorities as soon as feasible within 24 hours.  Additional costs would be incurred by businesses.
Since then, some EU member nations, major tech companies and other countries have criticized the proposal as being too restrictive and a burdensome expense for (especially small) companies..  Nevertheless, the EU continues to move forward with an amended draft likely to happen later this year with the objective of implementing a Regulation governing its member nations in 2014.

American Federalism:  A Hodge Podge.   In contrast, American federal laws (see https://www.cdt.org/privacy/guide/protect/laws.php) are generally weaker than European and other countries’ laws in the field of consumer protection for data privacy and the “private life.”  A year after the Obama administration called for a draft of a consumer privacy bill of rights, none has been completed or made public.  There are no baseline privacy laws protecting consumers. Instead there are sector specific privacy laws and self regulated company privacy policies; consumer privacy laws vary by state (see http://www.ncsl.org/issues-research/telecom/state-laws-related-to-internet-privacy.aspx).  Those who support this hodge podge of laws insist that these methods encourage free commerce and growth of online businesses.

New Balance: International Agreement or International Chaos?   There is no free lunch.  My concern is that privacy laws will be so onerous, complex and confusing that it will balkanize the Internet, preventing cross-border transactions and increasing the hurdles for Internet entrepreneurship of small and mid-sized businesses.  Consumer protection and data privacy laws will conflict with business, adding costs that will have to be passed along to the consumer in the form of higher prices, more advertising per view, and less innovation.  Should the EU adopt its proposed reforms independently, American companies could find themselves subject to EU regulations when conducting cross-border transactions with EU citizens even if there is no conflict with American laws. 

I believe that every nation should have “baseline” privacy rules, including the US, but I wouldn’t go as far as the proposed EU reforms.   Businesses and/or consumers alike have a:

  • Right to know what data is being collected and aggregated about them
  • “right to be forgotten” but only where the user pays the cost of undoing what the user posted “for free”
  • copyright in posted content and a right to transfer one’s post to other providers, for a reasonable porting fee
  • right to know what data is known by a service provider and the right to correct it.

The US and EU are set to begin negotiations for a free trade agreement June 2013.  Hopefully common agreement on data protection and privacy rules will be a part of it.  More on this subject later.