Proposed EU privacy rules could limit innovation and cost businesses
In January, the European Commission proposed a comprehensive reform of the EU’s 1995 Data Protection Directive to strengthen consumer privacy laws and harmonize privacy regulations and enforcement across EU member states. While the EU proposal has many useful recommendations, it falls short in a number of areas. Specifically, it adds new regulations that will negatively impact the Internet economy, limits the potential for future innovation and imposes excessive burdens on organizations.
First, the draft regulation imposes new restrictions on online behavioral advertising, a key part of the Internet economy. Internet advertising supports the creation and maintenance of new online content, applications and services, including news, videos, music, games, social networking, reference, email and other online services. Many of the most popular Websites on the Internet would not exist today without online advertising.
Restrictive privacy regulations limit the ability of advertisers to collect and use information about consumers for targeted advertising. As a result, the effectiveness of online advertising decreases. Advertisers must then compensate by either reducing spending in proportion to the drop in effectiveness or using more intrusive advertising, such as pop-up ads. Either way, consumers are worse off and receive less access to free content and more exposure to unwanted ads. Policymakers should consider carefully any attempts to limit the use of online advertising, and its effect on the Internet at large, before tampering with the foundation of its growth.
Second, the proposed EU regulations ignore the impact of these regulations on future innovation. For example, the draft regulations outline a data minimization principle that discourages organizations from collecting data unless they have pre-defined plans for how they will use this information. This requirement restricts organizations from conducting post-hoc analysis to develop new types of products and services based on what they learn from the data, even if these organizations use this data in a way that protects individual privacy.
Or, to cite another example, the regulations limit the ability to target users based on certain protected categories of data, such as an individual’s race or ethnic origin, political opinions, religion or beliefs, trade-union membership, genetic information, health, sex life and criminal history. This might make sense until you think about the types of advertisements and services this might limit. For example, these restrictions could potentially prevent or limit marketers from effectively creating targeted ad campaigns for services, such as online Christian bookstores, Brazilian music stores or dating Websites based on a particular faith or sexual orientation.
Third, the draft regulations do not sufficiently minimize the burdens imposed on businesses and other organizations. For example, the EU proposed that individuals be able to have access to information stored about them from any organization at no cost. Underlying this mandate appears to be an assumption that providing this information to individuals is feasible, low-cost, and privacy-enhancing. While many organizations have centralized and cross-linked information systems, such as integrated customer relationship management (CRM) systems for customer data, for many organizations, especially smaller ones, this is not always the case. To put in place such systems would cost organizations considerable resources, not only to establish the initial systems but also to devote staff to managing information requests. Similarly, many organizations do not have processes or systems in place to verify the identity of individuals making this type of request. In addition, this requirement, or similar ones requiring organizations to correct or delete personal data upon request, could be used by activists to subject organizations to harassment through frivolous requests.
The approaches taken to privacy in Europe are clearly different from those in the United States. In Europe, privacy is seen as a right, and as a right, it trumps other personal and societal values. In contrast, in the United States, many people see privacy as one value among many, and as such, it must be balanced against other competing interests. While citizens and policymakers on different sides of the Atlantic may disagree on these broad frameworks for privacy, both should still agree on the goal of protecting the privacy of individuals while minimizing the burdens on businesses and other organizations. Certainly some privacy regulations are necessary, but policymakers should tread lightly, focus on protecting consumers from harm and avoid creating burdensome regulations that impose new compliance costs on businesses and limit future innovation.
Daniel Castro is a senior analyst with the Information Technology and Innovation Foundation (ITIF). He can be reached at: