The privacy cliff and how not to fall off it

by Siobhan MacDermott - Chief Policy Officer, AVG Techologies

We are all hearing the phrase “fiscal cliff” considerably more times than is useful. So far, however, nobody’s mentioned a “privacy cliff.”

They should: it’s a very big deal.

Moving in opposite directions on protecting the future of consumer privacy online, the U.S. and Europe nevertheless are both heading toward the same cliff—and dragging with them billions of dollars and Euros in e-commerce along with the confidence of consumers.

“Never has privacy been more important than today, in the age of the Internet, the World Wide Web and smart phones,” President Obama wrote in February 2012, urging “Americans … to . . . apply our timeless privacy values to the new technologies and circumstances of our times.”

On January 25, 2012, the European Commission (EC) issued a privacy proposal to require “data controllers” (online merchants, advertisers, etc.) to provide more transparent and accessible information to data subjects (individual Internet users). The proposal asserts a right of EU citizens “to be forgotten,” thereby obliging data controllers to delete personal data on request. Data controllers would be prohibited from collecting data unless the subject gives express consent. In the meantime, the United States has proposed precisely what the EU has already vehemently rejected: voluntary industry self-regulation, subject to limited federal enforcement.


The differences between the EU and the U.S. threaten the global interoperability of e-commerce; companies operating under U.S. law will fail to satisfy proposed EU law and may find Europe’s doors barred to them—with fines mounting, revenues dwindling, and economies eroding.

This is the privacy cliff.

Real though it is, the privacy cliff is shrouded in a fog of uncertainty. Unlike the fiscal cliff, falling off has no set deadline. The EU proposal remains a proposal, the implementation date yet to be set. The U.S.? It has yet to act. And we are left asking: What powers will governments have to enforce privacy laws? How will differences between European and U.S. laws impact trade? And will a fall over the privacy cliff entail the very consequences predicted for the fiscal cliff, precipitating the world into a new, deeper financial crisis?

Speaking on December 4, EU Justice Commissioner Viviane Reding suddenly took the focus off individual privacy rights and argued instead that government privacy regulation will promote the growth of e-commerce by creating legal certainty and consumer trust.

Legal certainty is always good for business, but the notion that the consumer trust created by law will stimulate e-commerce is a self-defeating argument. In fact, e-commerce has exploded in the absence of stringent privacy laws. So why assume, absent laws, this spectacular growth will stop? Since the Internet’s inception, successful companies have risen on the free market, not climbed up any legal framework dealing with privacy.

With the utility of privacy law in question, and the U.S. unwilling to relinquish industry self-regulation, we are left with a choice. Continue the march toward the privacy cliff or find an alternative to both the EU’s “government-centric” and the U.S.’s “industry-centric” regulatory approaches.

The most viable alternative, and the way back from the cliff, is to empower consumers to motivate corporate respect for privacy by giving them the technology to control their own data online.

For example, continue deploying do-not-track (DNT) tools that afford consumers some control over whether advertisers track their browsing. And encourage the advertising industry to more effectively publicize programs such as the Digital Advertising Alliance’s Self-Regulatory Program for Online Behavioral Advertising.

Beyond this, further empower and simplify for the consumer. Specifically, enlist e-commerce stakeholders to create a single, simple, universal digital form that consumers may complete online to express their privacy requirements. Then require businesses to access and respect these forms. The result: Users who choose not to file a form may be tracked by default, and those who choose not to be tracked will not be.


Finally, beyond even this, develop technologies enabling consumers to manage their data as they would any other asset. One emerging technology is the personal data locker (PDL). A cloud service for storing anything one creates or does online, a PDL functions like a personal bank account. The individual controls it, and no third party can access it without the consumer’s permission. PDLs can put consumers and businesses on an equal privacy footing.

Empowering consumers acknowledges the transnational reality of Internet commerce. The day after Commissioner Reding’s address, U.S. Ambassador to the EU William E. Kennard spoke to the same Conference. He discussed, among other issues, “International Interoperability” and “Regulatory Cooperation,” the areas in which the U.S., EU, and all national sovereignties clash loudest.

The only means for achieving permanent interoperability and cooperation is to create, by international treaty, a transnational cyber zone for digital commerce. Modern ideas of national sovereignty date to the origin, some 500 years ago, of the nation-state. Alas, the utility of this durable invention does not extend into cyberspace. As no nation claims to control an entire ocean just because its waters touch its coast, no nation can claim sovereignty over cyber space just because it is a node on the network.

Going forward, a combination of consumer empowerment and legal recognition of what the Internet already is—transnational—provides a simple, uncompromising alternative to suffering the collective fate of digital lemmings. Consumer empowerment and transnational recognition is the only way back from the privacy cliff.

http://www.net-security.org/article.php?id=1806