Rightsizing data privacy in the digital world

Data privacy is rightly a key topic of discussion for individuals, business and policy-makers around the globe today, and will only be more so as the digital world slowly infiltrates every area of our lives. In Europe, with the ePrivacy Directive currently under review, the question of how to balance the rights of the individual against the corporations’s need to compete and innovate is a delicate one, and one that has been much debated in the press over recent months. Tom Dailey, VP and international general counsel for Verizon, outlined his views on the way forward for privacy regulation at a recent IIC event in Brussels.

He started by explaining that Verizon has long been a huge proponent of privacy and the protection of customer data. Verizon fought the recording industry a decade ago over its ability to access customer address and account information without a subpoena; it established a privacy-by-design approach to product development many years ago; and privacy and security are right at the heart of Verizon’s compliance model and culture.

In the complex and fast-moving digital world, data has shifted into new locations, and its value has transformed. Let’s look at Verizon itself. The ‘phone’ company has been completely transformed by the Internet. In the converged digital economy we may still be a communications company, but we are also a multi-media services company; a content delivery company; a telematics and IoT innovator; a mobile and online advertising engine; and a data analytics company. Where once, Verizon and other telecoms companies were the holders of CPNI and similarly “valuable” customer information, today voice services account for just a fraction of telecom revenues, and value resides in major respect in how individuals use apps and consume content. Regulation and compliance, put in place to protect voice calling data, has yet to adapt to these new norms.

Of course, competition and technology disruption are the inevitable results of healthy markets. But regulation is not inevitable, and indeed often happens where competitive markets have failed, mainly in order to protect consumers and competitors. What is of most concern in the digital world today, is regulatory uncertainty. When 97-98% of all new investment in the EU is expected to come from the private sector, the economy of Europe is indelibly tied to the success of private sector economy. And that economy is fueled by investment, which drives innovation, which thrives on predictability of regulation.  Uncertainty makes investment return less predictable, so investors will inevitably seek out a more predictable regulatory environment.

When we look at Europe today, there are two major privacy regimes: the current ePrivacy Directive under review and the recently adopted General Data Protection Regulation (GDPR). The GDPR, while not perfect, represents a largely harmonized approach to the protection of privacy at all levels of the economy. It applies to all technologies and sectors and therefore does not burden one sector over others. The ePrivacy Directive targets mainly telecommunications providers. Major sectors of the digital economy – social media companies, cloud service providers, entertainment services etc – are so far exempt from its reach.  Yet each of these sectors deals extensively in data, some of it personal.

In essence, companies today are regulated based on industry profiles that existed 20 years ago. This leads to a complex dual regime that artificially segments the digital sector based on historic criteria, instead of focusing only on a horizontal approach under the GDPR that is designed to stimulate investment and innovation. It also leaves companies like Verizon – and undoubtedly carriers in Europe, struggling with the unequal burden of multifaceted, and inconsistent compliance.

Of course, not all regulation is bad. Properly constructed, consumer protection regulation is appropriate and necessary.  Competition or antitrust regulation keeps markets properly disciplined.  But problems can arise when regulation is inserted into developing markets where there has been no market failure, or where governments attempt to pick technology winners and losers by incenting certain behaviors or dis-incenting others.

So what do we suggest? The key question should be to consider the economic value and pertinence of data today, rather than regulating for historical reasons. Pulling the rest of the tech sector under the ePrivacy Directive as suggested in the ongoing review is decidedly not the correct answer.  Rather, we should take the opportunity during the upcoming ePrivacy Directive Review to simplify and harmonize the ePrivacy Directive by evaluating its necessity, identifying redundancies with terms of the GDPR and then eliminating those elements of the ePrivacy Directive that conflict or are redundant. The same should happen in other areas where regulation of the same or similar industry players is duplicative and inconsistent – like using the Telecoms Package review to rationalize network and information security obligations with the NIS Directive.

Strong privacy protection today has to be built around regulatory simplicity, predictability and harmonization. A focused effort to harmonize laws –through horizontal regulation that doesn’t single out particular parts of the increasingly interconnected, converged digital economy – and to simplify rules and obligations, will go a long way to creating a regulatory environment fit for the digital age. And this is exactly what Europe needs to continue to attract investment into the private sector, stimulate innovation, and ultimately stake its claim on a share of the global digital economy.

You can read more about Verizon’s views on policy issues here.