The data protection of EU citizens has been in focus ever since the surge in espionage scandals that began with the leaks from Edward Snowden. But while the matter has had plenty of coverage from the political and legal standpoints, not much attention has been given to the economic perspective surrounding it. The issue comprises three main aspects:

The discussion of a revision of the US-EU Safe Harbour Arrangement, whereby US firms can operate in Europe under US privacy rules as long as they comply with the seven principles of the EU Data Protection Directive, thus allowing US intelligence (NSA) to survey EU citizens, as is very well explained in this FT article.

The revision of the current EU Data Protection Directive (95/46/EC DPD), which has been in force for almost two decades now and is scheduled to be updated in spring 2014, so as to reflect the changes in technology, markets and preferences/attitudes of consumers.

And last but not least, the EU also needs to work towards a single digital market that provides the right conditions for global IT companies to do business in Europe while carrying an adequate tax burden, and at the same time creating conditions for European IT companies to develop and be competitive in the global digital market.

Protecting heterogeneous consumers without decreasing the social welfare

We believe that the discussion about data protection in the EU has been almost exclusively focused on a single model of ensuring a high level of data protection for all EU citizens, advocating that privacy is not a question of consumer right to be adjudicated as in the US, but a fundamental human right. Besides the fact that the right to privacy is indeed in the Universal Declaration of Human Rights (Article 12) and in the European Convention of Human Rights (Article 8), we believe that this sole view is too narrow as it disregards the welfare effects that new legislation could bring about.

Beyond privacy, consumers also care about the quality and the price of digital services and products, so any regulation on privacy should also assess the impact on quality and price. For example, if certain services ceased to be offered to European consumers, or were offered at much higher prices as a consequence of new strict privacy rules, would (all) consumers be willing to pay that “price for privacy”?

Consumer heterogeneity needs to be acknowledged, and it is likely to cut horizontally across European society (i.e. consumers who are more/less willing to pay for privacy can be found in all countries). Consumers differ with regard to the “privacy” rights they want and how much they are “willing to pay” for them. There is no one size fits all.

It is not only about consumers, producers matter too

With every regulatory change there will be winners and losers, thus producer interest in Europe (whether they are European or foreign owned) should be considered as well (which takes us back to the need for a single digital market).

An important business segment that is decisively dependent on the future of data privacy regulation in the EU is the one that supplies Privacy Enhancing Technologies (PETs). This is an industry where Europe could potentially become a strong player, providing PET services to the global markets if the right regulations were to be set. Data protection regulation should not impede the development of this European industry. This potential for European based global PET can be a source of important EU added value, jobs, growth and external competitiveness.

This requires a regulatory approach that:

Recognizes consumer heterogeneity on privacy preferences

Is as technology neutral as possible, not preventing the development of new future technologies

Is globally coordinated and accepted. Ideally European regulation should be designed in a way that allows the upsurge of new privacy services and digital business models that are also attractive for consumers in other markets, thus the need for regulators in these markets to recognize European regulation.[1]

European regulation should not be about protectionism, i.e. protecting European firms, but about creating a fair, level competitive playing field in the data/digital eco-system, i.e. it should apply to all firms supplying European consumers (European as well as foreign).

With the proper regulation in place (one that unleashes market and technology dynamics), there will be no trade-off between consumer privacy and business interests. On the contrary, new technologies/business models will offer a menu of privacy services to consumers wherever they are located.

[1] The Committee on Industry, Research and Energy (ITRE) published last year a study, “Data Protection Review: Impact on EU Innovation and Competitiveness”. The study found that the Regulation offers many potential advantages, but tends to be overly prescriptive in areas where European firms have already demonstrated their ability to reconcile privacy rights with economic development.