When justice commissioner Viviane Reding introduced the European Commission’s proposed reforms to the Data Protection Directive in January, she made much of the potential benefits to businesses.
“European citizens are concerned that their personal data may be misused,” she said in a speech in Brussels. “This discourages them very often from buying goods and services online.”
Meanwhile, the complexity of data protection regulations across the many jurisdictions in the EU was an unnecessary burden on business, she argued. Creating a single data protection regime for the whole of the EU, Reding said, would “save businesses around €2.3 billion a year”.
But these remarks were met with considerable scepticism. There is little direct evidence that privacy concerns are holding back ecommerce, and the reduced administrational burden that would result from the reforms will only apply to multinational corporations. The costs will apply to all businesses.
James Mullock, head of data privacy at law firm Osborne Clarke, described the claim that the new rules would save businesses money as “fatuous”.
It seemed as though Reding was trying to sell the reforms to the business community. In truth, and in keeping with the European Commission’s traditional position on data protection, the proposed reforms are balanced in favour of individuals and their ability to control the data that organisations hold about them.
The Silicon Valley view might be that the EC is sailing against the wind of history – that it is trying to impose 20th century values on the digital economy of the 21st. But in fact, this is one area where Brussels may have the sweep of history behind it.
As information technology becomes embedded in more products and services, consumers are becoming data-savvy. They are increasingly aware of their right to access information that businesses hold about them, and that managing that data can help them get better deals.
A number of start-up services have emerged recently that seek to put consumers in the data driving seat, while certain forward-thinking organisations are taking the initiative and granting customers greater control over their own records.
This could be highly disruptive to the data management process that businesses currently employ. But it may also help to resolve systemic shortcomings in data quality and customer engagement.
European thought on data protection is heavily influenced by post-war history, and the use of information and surveillance as tools of oppression in the Soviet era. This is why, compared with US regulation, for example, the rights of the individual are given particular priority.
This can be seen throughout the new reform proposals. “Data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected,” they assert, a proposal known as the ‘right to be forgotten’.
“To further strengthen the control over their own data and their right of access, data subjects should have the right…to obtain a copy of the data concerning them also in commonly used electronic format,” the document says. Currently, subjects are only entitled to paper versions of the data that organisations hold.
For consumer advocacy groups such as Consumer Focus, these proposals represent a welcome boost to individual rights.
“It is only right that if firms want to benefit from using the data they collect they must also be willing to take the responsibility that comes with this,” Adam Scorer, director of policy and external affairs at the pressure group told Information Age. “[These reforms are] a big step forwards in putting control of personal information back into consumers’ hands.”
But not everyone is convinced that putting more power in the hands of the data subject is necessarily beneficial. Jane Yakowitz is visiting assistant professor at New York’s Brooklyn Law School. She argues that there are many examples where the right of businesses to process customer data provides a societal benefit that could be jeopardised by, for example, the right to be forgotten.
“For example, an individual might know that there’s some piece of information about them that would affect their credit-worthiness,” she explains. “Under these proposals, they might be able to have that data erased. This might lead to them being offered a better line of credit than they are entitled to, which may affect the credit pool. This is an example of where the self-interest of the data subject is pitted against the public interest.”
Nevertheless, Yakowitz says, the European conception of data protection is increasingly influential in certain quarters of US government, including the Federal Trade Commission.
The EU’s bid to enhance the rights of data subjects was also evident in last year’s update to its e-Privacy Directive, which governs how businesses can track behaviour online. The revised directive introduced a requirement that website operators acquired an individual’s consent before they could collect cookies – small text files that allow website operators to record users’ click paths and preferences.
Certainly, current online marketing practices will have to change in light of this and other regulation. “The days of covertly listening to customers’ web activity and advertising to them without their consent are coming to a close,” wrote Anthony Mullen, a Forrester Research analyst specialising in digital marketing, in a recent report.
Instead, Mullen argues, businesses must give customers greater control of and insight into the data that their websites collect. He recommends that they build simple, accessible interfaces that not only explain how collecting data leads to better products and services, but also allow them to dictate how their data is used.
“Let users choose the type of things they are happy for you to use in their profiling (race, age, search history, nothing, everything),” Mullen wrote.
Significantly, Monster.com not only allows its customers to remove cookies that they do not want to be used in recommendations, but it also permits them to add new cookies that the site may not have collected. In other words, the cookie management portal offers Monster.com users an opportunity to give the company useful information that it may not have been able to access without consent.
Mullen describes this as a “win-win for better targeting and privacy”, and it offers a glimpse of how putting customers in control of the data may in fact improve the amount of relevant information that businesses can access.
Alan Mitchell is strategy director at Ctrl-Shift, a research and consulting company focused on the growing empowerment of consumers to control marketing data. For Mitchell, that shift is less a matter of ideology as it as about the changing economics of information technology.
“Over the past 50 years, information processing costs have decreased several millionfold,” he explains. “That means information is becoming a tool within the hands of the individual. It’s now affordable and practical for individuals to manage their own data. It’s also inevitable that services and software will emerge to help people do it.”
Mitchell is involved in one such service himself. Mydex is a personal data store that seeks to reverse the traditional equation of customer data.
“Mydex is the opposite of the traditional, centralised customer database,” he says. “Every individual’s data is in a separate store, individually encrypted and hosted in the cloud or locally.
“If organisations want to access that data, they have to enter into an agreement with the individual,” Mitchell explains. “The individual might allow them to use that data forever for free, or they might say, ‘You can use this once but then you must destroy it.’”
One service that Mydex will offer when it goes live later this year is called ‘Subscribe To Me’. This puts the customer in charge of maintaining their personal records, and allows business to access the most up-to-date data.
“If a utility provider subscribes to my personal data store, then when I move home they will not only know my new address straight away, I can even tell them in advance,” he says. “For UK businesses, that data alone is worth billions of pounds every year.”
Mydex is just one of a crop of new services that are putting control over data into the hands of customers, he says. Two other notable examples are US start-up Personal.com and Dutch provider Qiy.com. “We are expecting at least ten more to start up this year.”
Even the UK government itself is getting in on the act. In November last year, the Department for Business, Innovation & Skills unveiled midata, a voluntary scheme under which businesses will offer customers access to their data in electronic form.
“midata empowers the individual to say to their energy supplier, ‘Tell me what tariff I’m on and how many credits I’ve used,’ for example, rather than just getting a big, paper document of all the data they hold,” explains Mitchell, who sat on the project’s advisory board.
Big businesses including British Gas, Lloyds Banking Group and Google have all signed up to the project. It was originally conceived as a voluntary scheme but if the EC’s proposed data protection reforms are ratified, it may offer an easy way for businesses to meet their regulatory obligations, says Mitchell.
Mitchell acknowledges that there are obstacles to the empowerment of consumers to manage their own data. “One of the challenges is that most consumers find thinking about personal data both boring and scary,” he explains. “Another is that some businesses wrongly see this is as a threat, because they have a mindset of controlling data. And there are technological challenges – we’re only beginning to put the mechanisms for secure data sharing in place.”
But all these will fall by the wayside in the face of what Mitchell believes is the inevitable evolution of the customer data ecosystem.
“Fifty years ago, the customer database started a revolution in business,” he says. “This is the second phase.”