The EU’s Giant Leap for (Digital) Mankind

Digital rights are only as good as the systems that enforce them. It’s better to build parity between companies and individuals than to intermediate over-burdened legal systems.

For those of us watching the world of data and Internet law, 2015 marked a big shift in thinking. In 2014, Brazil passed the Marco Civil Da Internet — a lauded Internet governance bill that takes a human rights approach to digital privacy, security, and neutrality. Just 18 months later, the European Commission agreed to reform its Data Protection Framework, putting individual rights, regional legal harmonization, and private sector data protection on the agenda for 2016. The move from nationally interpreted principles to individually expressed choice in the way we design and deliver digital systems is seismic.

Both bills represent progress, but there is a big difference between governments defining user rights and governments enforcing a user’s rights to make their own decisions. Brazil’s Marco Civil, though advancing important principles, still channels disputes between digital service providers and users through government regulatory bodies and court systems for resolution. The European Commission’s approach compels companies to create structures that give users more influence in the way their data is used. Under the Marco Civil, the Brazilian Government is involved in nearly every aspect of mediating the relationship between companies and users. The European Commission’s reforms move toward a system where citizens and technology companies manage their own disputes, mediated by the enforcement capacity of the institution as necessary. The difference is that the European Commission is moving toward devolving power for data protection, while giving users the ability to advocate and enforce their own rights. The European Commission’s approach forces private sector recognition of users’ rights to make their own choices, which is important for a number of reasons.

First and foremost, it moves away from false binaries — too often conversations about privacy and security suggest they are absolutes, whereas they are more commonly points on a spectrum. Decisions about whether data is private or secure are far more contextual than binary. The question isn’t whether a piece of data is private — the question is who the data is private from. For example, you very likely want your doctor to know whether you’re trying to have a child, but you may not want your parents or your employer to know. Similarly, we often speak about technological security as an absolute, but many vulnerabilities come down to non-technological factors like legal subpoenas, commercial pressure, or violence (as comically illustrated by an XKCD cartoon). The EU’s reforms, rather than dictating a standard for privacy or security, give users the ability to access, move, and delete data from private systems — enabling individuals to manage their own exposure.

Second, the reform is regional, harmonizing a disparate set of regulations and making it substantially more practical to do business on the continent. That’s good for business, but it’s also an important recognition of the size of institution it takes to counterbalance Internet companies’ global footprint. Regionalization, while still very local for the global nature of the Internet, is progress over nationalized data regulation. The European Commission’s reform builds on pre-existing regional institutions, consolidating the practical challenges, risks, and regulatory capacity of a number of large, disparate markets. It also starts to outline the governance role of the private sector in digital ecosystems, equally restraining national governments from over-reaching. Like many forms of professional regulation, the Commission’s reform starts by building standards into commercial certification — but it will quickly need to evolve to include dispute resolution and enforcement mechanisms.

Lastly, the move toward self-determination signals a new set of norms for the structure of the digital private sector. The requirement of data protection officers and impact risk assessments compels companies to build internal structures that evaluate the proportionality of data collection to functionality, increasing accountability for data breaches and attenuating data treatment based on risk. In essence, it pushes companies to be more thoughtful about the impact of their data collection and consumption. This is a large departure from the “gold rush” mindset fueled by advertising revenue, clearing space to have more articulate dialogues about private and public responsibilities; individual and collective interests; and the social impact of digital systems.

That’s not to suggest that the European Commission’s reform effort is perfect or that there aren’t enormous challenges ahead. Fundamentally, governmental institutions — even regional governments’ certification — don’t have the jurisdiction to regulate global enterprises or clear ways to regionalize norms in global digital systems. They are important and influential, but not determinative. Instead, as Lucy Bernholz suggests, it may be more effective to embed user rights and governance frameworks into globally recognized asset regulation frameworks, like intellectual property or labor and contributor rights.

Further, self-regulation in any industry is (if history is any judge) a flawed half-measure, especially when there aren’t the basic norms, foundations of accountability, or institutions capable of enforcing them. As the New York Times points out, the reform framework creates a patchwork approach of rights, giving strong protection to complex ideas like the right to be forgotten, while ignoring mechanisms for dispute resolution, intermediary liability, and key technical issues (like encryption and anonymization). Although both processes involved public input and consultation, one process is a long way from building adaptive regulatory institutions. Despite all of these flaws, the Marco Civil and the European Commission’s reform are positive evolutions toward a better digital world.

Though the move to instill user rights frameworks into the private companies and organizations building digital systems may seem like a small step, it is in fact a giant leap for digital mankind.*

*By mankind, I mean all people — the use of a gendered word comes from the reference to Neil Armstrong’s famous quote, not an intention to exclude.