Not that long ago, reading this article (let along writing it) would have been regarded as nerdy. Data protection used to be seen as arcane and irrelevant to businesses and ordinary people. Introducing yourself as a data protection lawyer or a privacy professional was a recipe for embarrassment and a sure way of getting some funny looks. However, at some point, something suddenly changed. What was wacky is now cool, and what seemed like an obscure legal discipline with funny jargon and odd rules has become a critical consideration for business and government. What happened? What was the event that radically altered our perception of the importance of personal information for the world’s prosperity? The crucial catalyst was in fact a combination of three factors that will also shape the future of privacy and data protection going forward.
The first one is the most obvious of all because it has impregnated our lives to such degree that we can no longer live without it. Remember life before e-mail, mobile phones, the Internet, search engines, CCTV cameras, biometric passports, chip & pin, apps and cookies? The evolution of technology has been the primary contributor to the growing importance of data protection as digitalisation has led to a never ending, yet not always visible, churn of personal data. The second one has been the realisation that personal data is a very valuable asset. Some examples: last year, Google’s turnover was nearly $38bn, LinkedIn doubled the value of its shares on the day it floated on the stock exchange, and Facebook’s IPO reportedly created 1,000 millionaires overnight. What these businesses have in common in addition to being amazing success stories of the post-dotcom boom is that their success is based on the power and value of personal information. The third critical factor is no other than the reality of data globalisation: the fact that geographical distance and cultural barriers have become almost negligible for the exploitation of data.
These three factors have thrown into the air many existing preconceptions and turned legal conundrums into business critical issues. Getting the right answer to which law applies or who is in control of the information generated by our daily use of global interconnecting technologies has massive practical implications. Some will be purely financial and others political, but their significance has not gone unnoticed. Even the very thing at the centre of the legal debate – ascertaining what is and what isn’t personal data – has become an issue of great economic impact for businesses across all industry sectors, from technology to financial services and from retail to life sciences. As an overarching theme, the question of how to ensure global compliance with maximum effectiveness and minimum cost has suddenly focused the minds of business leaders and politicians.
But having got to this place, the question that we now need to address is this: what happens next? Or in other words: what is the future of privacy and data protection? For policy makers and data reliant businesses alike the answer to that question lies in addressing the three issues that have so radically changed things. Regulating and managing the evolution of technology necessarily involves understanding technology. That means that a likely component of tomorrow’s privacy regulation will be about explaining technology in a way that their users can understand what is likely to happen to their personal information generated by the use of that technology. This is transparency 2.0 and from a compliance perspective, collecting and using data will entail making the impenetrable world of new technologies understandable to everyone. But beyond pure transparency, something that no legal regime has addressed to date but that will form part of the legal obligations of the future is the provision of value. When a government or a business asks a citizen or customer for their personal information, it will only be fair to give that person something back or to share with individuals part of the value extracted from their data. That would certainly be a much better way of getting the control balance right than seeking an empty and meaningless consent.
One remaining challenge is the international nature of data flows and information exploitation. Data protection will never be a local issue again. Data is no longer transferred from A to B. Geographically speaking, where data actually is in an interconnected world is completely irrelevant, because data is ever accessible from everywhere. Law and practice will have to come to terms with that. Overcoming the legal limitations affecting international data transfers has always been a difficult challenge because, even in the old days, data was pretty fluid. Today’s and tomorrow’s data globalisation needs a completely different approach which focuses on mutual recognition of rules, regulatory collaboration and incentives to do the right thing.
This article was first published in issue number 100 of Data Protection Law & Policy in May 2012.