EU data protection laws will stifle big data and the internet economy, warns Acxiom European privacy officer

Plethora of EU data protection and online privacy laws threaten to stifle innovation, says Dr Sachiko Scheuing

The European Union risks undermining its own internet industries and discouraging inward investment with aggressive data protection and other digital laws.

That is the warning of Dr Sachiko Scheuing, European privacy officer at marketing company Acxiom, and also the chairwoman of FEDMA, the Federation of European Direct and Interactive Marketing, of which Britain's Direct Marketing Association (DMA) is a member.

"When companies around the world consider setting up a new unit in digital or mobile, I don't think Europe is the preferred place to invest in," she says. "The signals I'm getting from colleagues outside of Europe is that many companies are following the General Data Protection Regulation (GDPR) and Digital Single Market debates very closely to see whether they would like to invest in the Europe Union."

Indeed, it is the sheer weight and volume of regulation that is coming out of Brussels that is putting off inward investment, she believes: not just the GDPR, but the so-called cookie law, which was introduced as a result of the E-Privacy Directive, and the "right to be forgotten", which has tied high-profile internet companies such as Google up in bureaucratic and potentially expensive regulatory knots.

Are you allowed to do that?

In contrast to the principles-based approach of the Data Protection Directive of 1995, the forthcoming Regulation, which will be directly applicable in law across the EU in contrast to a Directive, is based on a more continental prohibition-based legal approach, warns Scheuing.

That may mean that it goes quickly out-of-date and inhibits innovation, especially in the burgeoning area of big data. "The current data protection laws are principles-based. There are a number of principles, reflected in the Data Protection Directive, and as long as you are following those principles, you'll be fine," says Scheuing.

"Prohibition-based laws are the opposite: everything is illegal and only the things that are written into the law - what you are allowed to do - are legal... That means that unless you know all of the possible outcomes of future usage you are not going to have a future-proofed, all-encompassing, effective legislation," she says.

"Fundamentally," she continues, "under prohibition-based law, you need to know all the possible things that might happen."

For example, when work started on the GDPR in 2012, the concept of big data was little known outside of IT departments (and, perhaps, major vendors' marketing departments).

The GDPR's prohibition-based approach, she argues, could therefore stifle big data innovation in Europe, or drive companies overseas to more liberal jurisdictions. "I'm not really sure if we will ever be in a position to know all of the different potential applications of big data. It would be a phenomenal task, which I don't think is realistic."

Transfer fees

International data transfer rules are also problematic, suggests Scheuing, because it assumes that personal data will be more secure if the server on which it is located is in the European Union. "What's safer? A server in someone's basement in Europe of a state-of-the-art server farm overseas, with 24-hour surveillance and dedicated security staff," she asks.

She continues: "I don't think the mechanism that governs international data transfer is up-to-date enough because the fundamental understanding of the people who drafted the Regulation is that there are national borders to be found on the worldwide web. We need to accept that international data transfer is taking place all the time, so we need to have a better way to govern such transfers."

Instead, she says, the EU ought to work with the marketing industry to develop codes of conduct that can be globally applicable so that, regardless of where personal data is held, the same standards will apply. FEDMA, to which the UK's DMA is affiliated, already does this across Europe, while in Sweden the Swedish DMA (SweDMA), has its code of conduct effectively enshrined in Swedish law.

It is, she adds, standardisation rather than legislation that has enabled industries such as the steel industry to globalise so that, for example, steel products can be made to standardised shapes, sizes and grades, and traded globally. The same should apply to data and data processing, she argues.

However, with various countries still in disagreement over the GDPR, which one of three texts will be adopted as law is unlikely to happen by the end of this year, as originally planned, and it may take until the middle of 2016 until agreement is reached, warns Scheuing. In that case, it will not be until 2018 at the earliest that the Regulation will come into force.