Few people question the E.U.’s intention to introduce a new law that regulates and standardizes the processing of personal data within the entire bloc.
Companies applaud the effort to condense the separate national data protection laws of the E.U.’s 28 members, many of them highly complex, into a single piece of legislation. In fact, the harmonization will likely save businesses that operate in more than one country time and money.
But that is where the enthusiasm for the new policy ends.
Many in the business world question the promises being made by the authors of the planned directive, who are members of the European Parliament and European Commission, the E.U.’s executive arm. They question whether the binding new rules will truly help to halt the domination of U.S. data giants such as Facebook and Google, or if they will finally provide the European digital economy with the level playing field it needs to catch up with foreign competitors.
American firms will have to play by the new rules if they are to operate in Europe, said Oliver Süme, head of the Association of the German Internet Industry. “However, U.S. providers will still be able to compete globally under significantly more flexible and innovation-friendly conditions with their digital business models,” he added.
It still isn’t clear what the new law will look like. The three E.U. institutions – the European Parliament, the European Commission and the Council of Member States, which is made up of leaders of the 28 countries – have committed their respective ideas to paper and plan to agree on common wording by the end of the year.
If they succeed, a culture war that has been raging for more than four years, between data privacy advocates and technology evangelists and between civil rights activists and industry lobbyists, will end in December. The same fronts divide both Europe and the German government.
The data privacy activists will likely win the fight. Even the most business-friendly of the three draft directives, the one being proposed by the Council, imposes strict limits on data processing by companies and expects a great deal of them – and extends well beyond the digital economy.
The German Federal Statistics Office estimates the additional bureaucratic costs to German companies alone at about €1 billion ($1.12 billion), plus another half a billion in initial investments. If the European Parliament prevails, annual costs would shoot up to €2.7 billion, say the statisticians.
This has prompted Holger Schwannecke, general secretary of the German Confederation of Skilled Crafts, to warn against “data protection that lacks a sense of proportion.”
In contrast, individuals will receive previously unimagined control over their own data. Almost every use of data will require the individual’s consent, and companies will be expected to provide detailed information on what they do with personal data, from email addresses to license plates to professional details.
Under the proposed new rules, data processors’ obligations to inform users of their intentions extend well beyond those stipulated in German law. They cover more than five pages in the Council proposal, for example. These rules are also responsible for the largest share of bureaucratic costs.
However, critics believe that most users will have little use for the expected flood of information. “This creates a substantial burden on companies and often creates little added value for consumers,” said Iris Plöger, director of the digitalization department at the Federation of German Industries.
Privacy groups, however, insist on a strict basic principle, whereby the processing of the personal information of third parties is fundamentally prohibited and only permissible with the consent of the parties in question. This, they say, is the condition of informational self-determination.
On the other hand, most businesses in the digital economy depend on being able to offer services with constantly changing links to data. Always making the processing of such data dependent on consumers’ consent will complicate many useful Big Data business models, according to Susanne Dehmel of Bitkom, an IT industry association.
“If the new rules turn out to be too strict or are interpreted too rigidly, we will have a real problem,” she said.
The E.U. has high hopes for the Internet economy as a driver of growth. This is why the German government has campaigned in Brussels for including more business-friendly data protection measures in the directive, such as the use of technical tools to conceal identities.
But its efforts were largely in vain. “Our proposals on pseudonymization were met with anything from polite incomprehension to rejection in many member states,” said government officials. France and Southern European countries, in particular, fear a softening of data protection.
The fact that Berlin has backed down for now was partly a result of sharp criticism from privacy groups. The strict drafts by the European Commission and Parliament were taken as a benchmark “to deride our proposals as a softening of data protection,” the German officials said, adding that the government had consistently used German privacy laws as its benchmark.
Till Hoppe is Handelsblatt’s foreign policy correspondent, based in Berlin.