Can you have your cookie and eat it too? – Why EU’s data policy has reached a crossroads

Under Juncker’s Commission, light-touch regulation seems to apply to all fields except digital. Following the action plan that underpins its Digital Single Market strategy, the European Commission is churning out new pieces of legislation almost every month, akin only to the “regulatory Kalashnikov” that was emptied round after round to get the financial crisis under control. In the digital sphere, the EU first tackled legislative initiatives on access to digital content (copyright, geo-blocking, portability). In a second step, it is currently zooming in on the use of data (e-privacy, digital contracts, free flow of data).

What boundaries for privacy in an interconnected world?

The General Data Protection Regulation that was adopted last year created a harmonised European framework for personal data. Now regulators broaden their views beyond personal data and strive to clarify users’ rights over any other type of data that is to be monitored, collected, processed or commercialised. One particular question is to define in which instances prior consent or clear information of the user is required.

In this regard, the Commission’s e-privacy proposal is hotly debated in the European Parliament and Council. The draft regulation aims to strengthen privacy across a broad range of activities summarised as online communications, including both content data and metadata. This is largely uncontroversial for OTT services like WhatsApp, Skype or Viber, where many stakeholders would subscribe to the notion that a private conversation through these services should enjoy the same privacy standards as it would with traditional telco operators.

It becomes highly controversial, however, where the draft regulation cracks down on the use of “cookies” by websites, or enables users to gain control over any individual information they are generating when chatting in an online forum, visiting a website or downloading a mobile application. Critics say this approach goes way beyond reinforcing privacy in electronic communications; it fundamentally overhauls the relationship between the user involved in generating data and the counterpart that processes it.

The draft regulation generally considers any storage of user-generated data on devices as an invasion of privacy and suggests imposing privacy-by-default settings on hardware or operating software. This move would rein in service providers and provide blanket protection against any kind of cookie or tracker. But it remains questionable whether any storage of information on an end device is necessarily intrusive. For example, what about the information stored on a connected car to make localisation functions more accurate? This is not about recording movement patterns, but quality of service. Do consumers need to be “protected” from this?

A myriad of innovative services and digital content are being developed and improved upon by the analysis of consumer data. Data analytics have vastly improved users’ online experience: algorithms can now provide more relevant information tailored to the consumers’ interests, improve customer service interactions, and help identify and resolve issues in a timely manner – all with the aim of giving the best experience to users and generating economic benefit.

Downside risks of the draft rules become palpable, especially since the Rapporteur in the European Parliament further strengthened the wording of provisions. Media companies, for example, are up in arms, as they fear yet another blow to their revenue streams. News websites rely heavily on targeted advertising for income, which in turn is impossible without the use of cookies (barring other methods that are arguably more intrusive). Adding to the commercial struggle of quality media in times of fake news is obviously an outcome to be avoided. But some observers point to much broader, structural consequences that this drastic extension of privacy rules could potentially have.

An overreaching e-privacy regulation might deplete the user data flow – in other words: choke the “oil supply” of the internet economy. Here the problem is no longer a lack of revenues for news sites because badly targeted advertisements do not generate enough clicks, or a degradation in quality of some non-essential connected service. The overall availability and diversity of online content may suffer, and with it the preconditions for online innovation, especially in the context of the rising Internet of Things revolution. This would be bad news for Europe’s economic prospects.

From privacy to data ownership

The protectionist turn in EU digital policy does follow a political logic. Many European citizens are hesitant and unsettled as they recognise that every digital step they take generates more and more online traces that are visible to players they cannot see. They ask themselves how they want “their” data to be used and how much control they can actually exert in this area. This is where the debate about the scope of e-privacy inexorably leads to the question of data ownership. Who should own user-generated data and on what grounds?

In its current form, the draft Digital Contract Directive (DCD) takes an unequivocal stance on this question and declares any user-generated data to be the exclusive property of the user. The new data property is conceived of as a tradeable good which could potentially be retrieved or exchanged for other services or, why not, money. This would not only unhinge the business model of many a data-driven service provider. As forceful and consistent as the approach might appear, it raises just as many questions.

First and foremost, why should data belong to the user if this data would never have existed without the existence of, and interaction with, a specific service? To look back at the example of the connected car, why should the technical data of the vehicle belong to the driver more than to the manufacturer? If the Commission sees users engage in business activities with their data, how will this market be regulated to protect the average citizen who is not a data scientist? Which obligations are tied to the newly bestowed property that users will enjoy? Will benefits from user-generated data be taxed?

Can’t see the data for the bytes?

Member States and political groups in the European Parliament appear rather undecided on those issues. Tech-savvy MEPs will surely cross swords again with the defenders of privacy, but so long as the fundamentals are not addressed, any resulting compromise will be unsatisfactory to everyone.

The data-driven economy works because it combines high accuracy with large scale. This allows an ever more tailored delivery of a service to an ever better defined segment of customers. But segmentation is exactly the opposite of what the Commission has done on the new data rules. Rather than trying to analyse and categorise data types, their functions, risks and regulatory needs, the EU is embarking on an effort to cut the Gordian knot with a few heavy strikes.

Rules for online data should be clear and robust, but they must also be reasonable and avoid disruptions with unforeseeable consequences. A solution would make sure that users can make informed decisions, but avoid imposing rigid answers that could end up stifling digital innovation in Europe altogether. This would stand the EU in good stead, if it still wants to hold on to plans of building a data-based economy.