
Privacy Perspectives | A Brief Look at Self-Regulation and European Data Protection



Last week, on Data Protection Day, I was honored to speak at the EU Parliament at an awesome event organized by the Federation of European Direct and Interactive Marketing (FEDMA), aimed at promoting self-regulation as a complement to the EU’s upcoming data protection regulation. The audience included a number of MEPs, new European Data Protection Supervisor Giovanni Buttarelli, MEP staff members, representatives from the European Commission and self-regulatory organizations.

FEDMA, an important umbrella organization for the EU Data-Driven Marketing industry, did an amazing job at organizing this event. The cast of speakers, all all-stars in their own right, including such luminaries as MEP Anna Maria Corazza Bildt, Oliver Proust of Fieldfisher, Nicolas Dubois of the European Commission, Marty Abrams of the Information Accountability Foundation, Assistant European Data Protection Supervisor Wojciech Wiewiórowski and Chris Sherwood of Allegro, all came at self-regulation from different angles and raised thought-provoking issues for the EU legislators to think about.

For my part, I spoke from the business perspective and discussed not only the limitless potential of data, from the ways big data and the Internet of Things can change society, but also some of the more mundane ways data can be used by business to drive revenue. As importantly, though, I discussed many of the inherent risks that the new uses of data carry, including the loss of transparency and control over the electronic bits that comprise our digital selves.

With disclosure that I am the chief privacy officer at Ghostery, a company that supports and thrives from the digital advertising industry’s self-regulatory programs in the U.S., EU and Canada, I riffed about life in what I call the Post-Internet Age, an age that has the Internet as its foundation but also includes the billions of connected devices talking and sharing data between them. In this Post-Internet Age, the collection and movement of data is not only accelerated, but uses of data to drive new channels of revenue are often not even conceived when the data is collected.

And there is where we, as privacy advocates, are challenged. How do we structure new data protection laws, which are by definition rigid, to allow for not-yet-conceived technologies and uses of information?

It’s a challenge, no doubt.

This challenge can be addressed, however. My message—one of optimism—was that self-regulation, when done right, can be a complement to legislation but not a substitute. When done right, self-regulation can help to establish best industry practices for companies to benchmark against, is a dynamic tool to build trust between organizations and their consumers and is flexible enough to quickly adapt to and incorporate new technologies and uses of data that couldn’t be dreamed of when the legislation was enacted.

Self-regulation is predicated, however, upon the notion that there must be industry-wide adoption, robust monitoring and enforcement by an independent accountability agent and backstopped by the data protection regulators who have meaningful enforcement authority.

In conversations with many of the MEPs, it feels like we are on the homestretch, and that one way or another, we will have a vote on the data protection regulation this year. From the level of interest I saw and from conversations I had with various MEPs, there is keen interest in structuring the data protection regulation in a way that is as close to right as possible—and I hope that this includes giving certain digital industries, such as the marketing industry, the space to grow their already-successful self-regulatory programs to complement what surely will be the global gold standard of data protection laws.

1 Comment


  • Daniel • Feb 6, 2015
    Hi Todd,
    Interesting thoughts, I agree that the proposed regulation should be complemented by additional instruments in order to address future (and some already current) practices and technologies. Among others I see two main ways to do this:
     1/ plan already some "adaptation" mechanisms within the proposed regulation framework. Delegated acts (even if highly criticized by some) could be one, another could be the possibility for bodies like the European Data Protection Board to issue binding interpretations of the Regulation for addressing new unforeseen practices and technologies. I would like to highlight here that such decisions (Delegated acts or EDPB decisions), in order to be appropriate and effective, must be done after intensive collaboration with main business organizations / associations.
    2/ Second one, related to what you mention in your article, can be "some sort of complementing regulation"... and here, to avoid confusion I suggest to avoid using the term "self regulation" which is misleading or can be misused by some bad players. "Robust monitoring and enforcement by an independent accountability agent and backstopped by the data protection regulators" should be called "CO REGULATION" (and not "self") as it includes the requirement of some "ex ante" validation and endorsement by regulators who will validate upfront that such "codes", if correctly applied, will ensure legal compliance for a specific business sector or technology / practice.
    It seems to me that the two features as described above will help (with others indeed) to ensure a space for innovation and business growth while ensuring efficient and effective Privacy / Data Protection.