The industrial revolution, which swept across Europe in the early 19th Century and set the global economy surging to breathtaking heights, disrupted every aspect of pre-industrial society. From urbanization and population growth, to modern agriculture and medicine, to railroads, steamboats, air traffic, child labor, women’s suffrage—you name it. We are still living on the coattails of that colossal engine for progress and growth.
It has taken modern nations more than 200 years to adjust to some of the changes, including putting in place policies, such as labor laws, antitrust and environmental protection, to temper excesses and balance benefits and costs. Indeed, the Paris climate pact, reached this past weekend, marks the culmination of a long, laborious process to contain the destructive powers unleashed by unbridled progress—global warming, rising ocean levels, famine and displacement.
Today, in Brussels, a similar process comes to a head. For years, European Member States have struggled with a regulatory system ill-equipped to handle a more recent socio-economic shakeup, the data revolution. The existing framework, put in place in 1995 and negotiated for years before then, essentially predated the dawn of the Internet, not to mention mobile, cloud, big data and the Internet of Things.
Already, the data revolution—and the digital economy it precipitated—is a force disrupting the way we communicate, transact business, consume energy, travel and treat patients. It accounts for an ever-growing proportion of the economy in Western democracies and emerging nations alike. It underlies entire ecosystems like smart cities, smart grids, e-government, fintech, ed-tech, personalized medicine and critical information infrastructure. It has upended our relationships with our friends and employers, governments and retailers—even our kids.
Europe has reacted with a detailed legislative package, including both a regulation for the private sector and a directive for law-enforcement agencies, positioned to govern the data economy for a generation to come. This, no doubt, has been a Herculean task, and the drivers of the legislative locomotive, including former EU Justice Commissioner Vivienne Reding and parliamentarian rapporteur Jan Philipp Albrecht, deserve much praise.
In today’s polarized political climate, overwhelmed by frequent exogenous shocks and constant electoral considerations, it is no mean feat to keep your eyes on the goal while drilling deep into innumerable substantive, contentious issues (the Parliament draft included more than 4,000 amendments to the original Commission text).
Many will argue that the new regulation leaves much to be desired in terms of resiliency to technological change. In fact, cynics will claim that large parts of it are already obsolete. For example, while the intentions of tightening consent requirements to enhance the voluntary, informed nature of individual choice are admirable, it is doubtful whether obligating consumers to check more boxes on lengthy legal documents they cannot bother to read is a step in the right direction. Similarly, extending the jurisdiction of privacy regulators beyond their national borders is more aspirational than operational. The difficult problems around online jurisdiction, which are inherent to a borderless cyberspace in a border-filled world, cannot be resolved unilaterally.
At the same time, the regulation marks an important path toward recognizing the significance of organizational data governance mechanisms, including appointing privacy officers, conducting data protection impact assessments, implementing privacy by design and training a data-savvy workforce to recognize privacy issues and escalate them to responsible staff. With respect to these steps, there is broad consensus across the Atlantic. Just last week, the White House announced new measures for all federal agencies, including appointing senior agency officials for privacy, ensuring they are appropriately staffed, training their workforce and more generally, recognizing, “It is time to shift from reactive programs to proactive strategies. And it is time to 'professionalize' the privacy profession.”
Much like the Paris climate accord, the new European regulation is the first step on the long journey to implement a new strategy for addressing the disruption wrought by the industrial and data revolutions. These revolutions have generated previously unimaginable benefits for mankind. The hard task—balancing those benefits against other critical interests such as privacy—remains a work in progress.
If you want to comment on this post, you need to login.