It’s a cliché that Internet technology (IT) is the future, but it’s a cliché that is most likely true. Unfortunately for Europe, IT is a future that may pass it by. There is no European IT giant to compete with Apple, Twitter, Facebook or even China’s Alibaba; there is no European equivalent of the start-up culture of California or even Israel; the USA pours billions into information technology research through its defence budget, money the EU doesn’t spend.
Europe has not always lagged so far behind. Extraordinary as it may seem now, there was a time when Europeans took the lead in IT innovation. Tim Berners-Lee, a scientist at CERN in Switzerland, first proposed the system that would become the World Wide Web in 1989. But the initiative in this technology slipped across the Atlantic long ago.
The EU has consoled itself that at least it retains regulatory power even as it has watched the technological initiative slip away from it. Europe may not have anything to compete with Uber or Google, but German courts can injunct the former and a member of the outgoing EU Commission has suggested that the latter may spend a decade mired in the EU’s competition law process. But even this consolation may be fleeting.
For the EU’s most distinctive regulatory initiative, the right to data protection, is in trouble.
The cause of this trouble is, on the face of it, quite straightforward. Europe’s existing Data Protection Directive is obsolete, a reality that the EU legislature has been avoiding since the Lindqvist decision of the Court of Justice of the EU in 2003. That court found that the EU had not anticipated the Internet when determining the directive’s jurisdiction—not an inconsiderable omission. The previous year saw the EU’s legislature make its last substantive effort at privacy regulation: the ePrivacy Directive of 2002. It’s true that the EU formally recognised data protection as a fundamental right in 2009, a right that the EU is now obligated to legislate for. And the EU has been debating its proposed General Data Protection Regulation since 2012, but it is impossible to say when that debate will end.
Of course the EU is entitled to take its time when legislating for a right as important as data protection, but the IT industry innovates at a pace far quicker than the EU can regulate. Moore’s law, that the capacity of a computer chip doubles every couple of years, may be meeting its limits, but that law may still approximate to the IT industry’s innovation cycle.
We have therefore seen one cycle of innovation since the debate about the proposed regulation commenced. The EU may hope to enact that proposal by the summer of 2015, but it won’t come into force for a further two years. By then the cycle of innovation will have turned again, and the regulation will face obsolescence once more. The rapid pace of IT innovation makes legislating for data protection a Sisyphean task; once one law is enacted, it must be replaced by another. But this is a task the EU must undertake.
For if the EU does not, it faces something worse than obsolescence: irrelevance.
Today, personal data flows across social media platforms in a manner unimagined when Europe’s Data Protection Directive was first conceived a quarter century or more ago. Public awareness of the need for effective data protection is growing, driven by events such as the Snowden revelations, a host of data breaches and the growth of big data.
The EU’s failure to legislate for this right has created a vacuum in which American companies are beginning to demonstrate the same leadership that they have demonstrated when innovating new technologies and services. Brad Smith, general counsel of Microsoft, has warned that “some in our industry have underestimated the degree to which people care about privacy.”
The IT industry is built around identifying and then meeting people’s needs. And Tim Cook, CEO of Apple, has written to customers with the promise that “a great customer experience shouldn’t come at the expense of your privacy” - a promise that demonstrates how the IT industry is developing its own solutions for its customers’ privacy and data protection needs. Such solutions may preempt those that the EU proposes to apply in two or three years’ time. By then, “first-mover” advantage may lie with industry.
Instead of imposing its regulations, the EU may find itself adapting its regulatory requirements to whatever standards the industry deems appropriate. That outcome would once have seemed unlikely, but European privacy may pay the price for Europe allowing the lead in technological innovation to slip away. Innovation is increasingly happening elsewhere, in the U.S. and Asia. The EU expects that U.S. and Asian suppliers will adapt their products to its data protection rules to get access to its markets, but an alternative future is possible, one where U.S. and Asian suppliers expect the EU to adapt its data protection rules to get access to their products.
The above represents the views of the author alone and not the views of any other person.