By Cam Kerry
The reverberations throughout global markets of China’s economic slowdown and stock market fall remind us once again how much the world’s major economies depend on each other.
Nowhere is this more true than between the European Union and the United States, the world’s two largest economic entities. Together, they account for one-half of the world’s GDP and about one-third of its trade flows. So the United States has a significant stake in the success of the European Commission’s Digital Single Market Strategy. Its promise of economic growth for Europe will help to lift the American economy as well, and Americans share the Commission’s vision of information and communications technology as “the foundation of all modern innovative economic systems.”
The use and flow of data is a vital component of the US-EU economic partnership. My Brookings Institution colleague Joshua Meltzer found that “cross-border data flows between the U.S. and Europe are the highest in the world” and include an increasing business transactions, supply chains, and trade in services and open new markets and opportunities for research and collaboration.
A more vibrant and more digital economy in Europe will depend on even greater flows of digital information across the Atlantic and around the globe. Digital information – data – is a key element of the Commission’s focus on investment in cloud computing and Big Data. It identifies Big Data as “central to the EU’s competitiveness” and “a catalyst for economic growth, innovation and digitization across all economic sectors […] and for society as a whole.” Its research estimates that the use of Big Data by the top 100 EU manufacturers could lead to savings worth €425 billion and that, by 2020, data analytics can increase EU economic growth by 1.9%, equivalent to a GDP increase of €206 billion. The Commission believes Big Data not only will boost growth and jobs, “but also improve the quality of life [for] Europeans.”
The European Union has an opportunity to advance the building a data-driven economy as it conducts the Trilogue on the proposed EU General Data Protection Regulation (the “Regulation”). The Commission’s Digital Single Market communication identifies the Regulation as a “key enabler of the Digital Single Market.” American companies no less than European ones welcome the prospect of dealing with one set of consistent rules across the EU and a single lead data protection authority rather than 28 so long as the rules are workable and the consistency mechanism streamlined.
The Digital Single Market Strategy recognizes that the digital economy must be built on networks and services “that safeguard consumers’ fundamental rights to privacy and personal data protection while also encouraging innovation.” The Regulation contains a number of provisions that will have a significant impact on development of a European data-driven economy and ‒ depending on the outcome of the Trilogue ‒ can encourage innovation or discourage it.
In particular, Article 20 and its parallel Recital 58 on “profiling’ directly affect the ability to analyze and extract meaningful and actionable insights from Big Data. Efforts in some quarters to restrict any use of automated processing ‒ any algorithmic inference from data about an individual ‒ reflect a deep-seated distrust of data that is at odds with the Commission’s vision for a data-driven economy.
The aggregation and correlation of increasing volumes of data across transactions, devices, and now a multiplying sensors in the Internet of Things present important challenges for data security and privacy. Eric Brynolfsson and Andrew McAfee, leading scholars of the digital economy, have likened the transformation in the power and granularity of computational science from Big Data to the revolution in natural science that occurred when Anton Van Leuwenhook first trained his newly-invented microscope on samples. Whether this new microscope of data analysis produces a virus or a wonder drug depends on how the data is used.
There are numerous forms of profiling used in both the private ands public sectors that are legitimate and beneficial to society:
· In healthcare, for clinical decision support and surveillance and management of diseases such as malaria and Ebola.
· In banking, to prevent and detect credit card fraud.
· In insurance, to improve risk analysis and pricing accuracy.
· In retailing, for demand-driven forecasting, merchandising, pricing strategy, overall operations improvement and customer relationship management.
· In government, for tax and revenue as well as benefits programs fraud detection and prevention, smart cities, and citizen engagement.
To realize the aspirations expressed in the Commission’s digital agenda, therefore, the Regulation should differentiate between profiling that is beneficial to individuals or society, and that which can cause harm. Both the Commission and the European Parliament in their proposals for Article 20 focus on the “measures” used for profiling (i.e. the technology and techniques used in profiling). The Council places greater focus on the ‘decision’ (i.e. the outcome of the profiling), as opposed to profiling as such. Focusing instead on negative effects of algorithms ‒ inferences that are unfair and discriminatory as used ‒ would avoid sweeping in analytics that the Digital Single Market strategy seeks to foster.
Another provision that could have a significant impact on the success of the digital agenda is the scope of “legitimate interest” as a basis for profiling or other further processing. Consent is a vital element of individual control over data. A rule that requires explicit consent to all conceivable uses in a world of constantly multiplying interactions with digital systems and rapidly evolving data uses devalues privacy because it ignores the universal recognition that click-through consents too often are reflexive and meaningless. As the President’s Council of Advisers on Science & Technology found in conducting President Obama’s review of Big Data, over-reliance on notice and consent “fundamentally places the burden of privacy protection on the individual” when more responsibility should fall on providers with greater knowledge.
The Regulation contains the means of shifting responsibility and enabling more dynamic uses of data. That is in the concept of compatible and incompatible uses of data. Article 22 as proposed by the Parliament and Council makes the obligations of a data controller subject to the nature, scope, and context of the processing and the risks to the rights and freedoms of the individual. These factors recur throughout numerous provisions of the Regulation, and can shape the responsibility of data controllers (and potentially processors) in using personal information.
The European Parliament introduced the concept of pseudonymous data into the proposed Regulation, i.e. personal data that does not identify a specific individual without the use of identifiers that are held separately. The Parliament provided that where profiling is based solely on the processing of such pseudonymous data this profiling will not be subject to the restrictions in Article 20. Use of pseudonymous data needs to be administered and controlled carefully to ensure against re-identification but, if so, can enable beneficial uses of data without associating that data with an individual.
The Trilogue should ensure that the Regulation strikes the right balance between effective data protection and the social and economic goals of the Digital Single Market Strategy and will not generate unintended consequences for the digital economy and society nor discourage the growth of a data-driven economy in Europe.