Privacy stifles innovation and competitiveness? Not so!
June 13, 2019
How far should we go to protect society from the erosion of privacy, without compromising innovation and competitiveness in business and public services? Can regulations like the GDPR play a positive role in achieving a right balance between these aims?
These were the questions posed to me by The Assembly, part of The Next Web’s cutting-edge technology and data conference, held in Amsterdam in May.
Privacy, innovation and competitiveness are not strange bedfellows. There isn’t an inherent incompatibility here. Yet the charge that ‘privacy is a threat to innovation and competitiveness’ is often made by including business and the technology sector itself, particularly when new regulations are proposed.
But it’s a lazy plea. Where are the examples of innovation and competitiveness being impacted or otherwise harmed by privacy?
Think about the big privacy new stories of recent years – the Phone Hacking Scandal, Edward Snowden’s disclosures - you know the list. Do they reveal any evidence that innovation and competitiveness were put under threat by concerns for privacy? Not at all. Instead, they reveal how grubby, or abusive or questionable business practices can be revealed by the cleansing spotlight of privacy.
Perhaps we can be more specific. Can we point to any police databases being wrongly decommissioned because of privacy concerns? What about health databases? Is AI being stopped? Is the web losing its vitality? Is the pace of tech development slowing down or increasing?
Exactly where is the problem?
As far as I can tell, the current priorities of the privacy regulatory scheme seems to be about tackling non-transparent personal data use, particularly in marketing-related activities (as our latest Privacy and Security Enforcement Tracker shows); profiling in the political and policing domains; the operation of IoT devices and sensors; and security breaches. And, of course, the affairs of big US tech companies.
With all due respect to AdTech and related areas, this area doesn’t deserve special pleadings around innovation and competitiveness worries. Nor do any of the other priorities: preventing abuses of democracy and civil liberties is in all our interests; IoT needs to be understood; and security breaches speak for themselves.
As for the role that the GDPR can play in finding the correct balance between privacy, innovation and competitiveness, my view is that the law contains enough space and potential for any competing interests to be fairly and intelligently addressed and resolved. If you want to find this out for yourself, read the rules about legitimate interests. Trace back further into the legislative foundations of the GDPR’s predecessor, Directive 95/46, and you’ll find that the promotion of the economy was one of its two goals, with the other being protection of Human Rights.
The compliance mechanisms of the GDPR, such as Privacy by Design, risk assessments and legitimate interest assessments, expand the space and potential for fair and intelligent resolution of challenges, as does the supervisory scheme. An example of this in action is the UK Information Commissioner’s ‘regulatory sandbox’ initiative, which provides a forum for tech innovators to have a safe conversation with the regulator, to shape better, more balanced outcomes.
No, the GDPR isn’t a challenge to innovation and competitiveness. The law hasn’t been designed from an anti-business stance. Its ignorance of its provisions, meaning and intent; false expertise; partisanship; and unfair practices that are the problems. Sadly, untruths can build on untruths, so that false pleas of ‘bad law’ can entrench as anti-fact. We all know about fake news, so let’s be sceptical when people say that the law is stifling innovation and competition.
We can do much more than the law
Law can only achieve so much, however. As a lawyer, I see the limitations of law, just as much as I see it’s functions. Law can be politicised. It’s often nationalistic. It’s a top down approach to problem solving, with a paternal or maternalistic flavour. All of these things acts as natural brakes on law’s utility and effectiveness, as do resource problems, such as under-strength regulators. I do not believe that we should invest all our hopes in the GDPR if we want to ensure that privacy, innovation and competitiveness remain happy bedfellows, not sad or warring divorcees.
So if the GDPR has limitations in what it can do, how is the gap filled?
I’d like to focus on the first few words of the précis to my keynote – how far should we go? The ‘we’ in that sentence doesn’t have to be ‘them’, or ‘it’. It can be ‘us’.
I have always believed that it is the people who are closest to data and technology who have the greatest capacity to deliver change. The collective power of the users of data, the builders of data architecture and the designers of technology systems dwarves anything that the GDPR or the legal system has to offer. If we understand the objectives of privacy and the principles and rights within data protection law; if we define our business purpose and understand how appropriate personal data use can maintain value and add to societal well-being; if we think properly about the intelligence that we are seeking to derive from data; and if we understand the point that a data-centric approach is not the same as a technology-first solution, then our capacity to deliver the right privacy outcomes while keeping the flames of innovation and competitiveness alive is unlimited.
Let’s invest in our personal understanding of privacy and turn our backs on lazy pleas. Privacy stifles innovation and competitiveness. It’s simply not true.