I attended the recent Europe Data Protection Congress in Brussels hosted by the International Association of Privacy Professionals (IAPP). After three days of attending sessions, listening to some of the best-known European experts speak about data protection and privacy, and talking to dozens of other attendees, I walked away with one very clear observation: European data protection interests are on a collision course with the current business models of companies such as Facebook and Google which rely on personal data to thrive.

Data protection and privacy are really important to Europeans

Europeans really value their privacy and in many countries, such as Germany, protecting personal information is enshrined in their bill of rights. Some believe the fixation with data protection is a reaction to the misuse of personal data in the past. Others believe there is a sense of loss of control with large non-European companies using European citizen data to build vast empires of offshore wealth. Still others are nervous that personal data collected by companies could be handed over to local or foreign government agencies without due process. Whatever the reason, Isabelle Falque-Pierrotin, the head of France’s data protection agency (also known as the CNIL), states it best in a New York Times article from November 20th:

“In Europe, we consider privacy a fundamental right. That doesn’t mean it is exclusive of other rights, but economic rights are not superior to privacy.”

Key elements of European data protection

The basic tenets of privacy in Europe, as defined by the European Commission, the Article 29 Working Party and others, can be summed up in the following points:

  1. Informed consent: Users must be able to provide their consent to any collection of personal data and this consent must be freely given, specific, informed, unambiguous and explicit.
  2. Special treatment for personal data: All personal data must be stored securely and there must be full and immediate notification for any type of breach. It is worth noting that many Europeans I spoke to believe any information that can be used to uniquely identify an individual (such as IP addresses) should be considered personal data.
  3. Limited amounts of data: Companies should only gather data that is absolutely required for the delivery of a chosen service. Gathering large amounts of personal data to enhance a cloud provider’s business is not acceptable.
  4. Disclosure on data uses: Companies must clearly describe exactly how personal data is being used.
  5. Limited retention: Companies must only retain data for as long as necessary to deliver the service and after that time they must remove the data.
  6. Opt out: Users must have the ability not only to opt in with consent but also to opt out at any time for any identified use and have their data removed.
  7. Audit rights: Users must have the ability, within reason, to see exactly what personal information has been collected.
  8. Data aggregation: There are real issues with combining personal data from many different services in order to build massive personal dossiers on users.

In addition, data protection leaders such as German EU parliamentarian Jan Philipp Albrecht called for better ways for users to use web services either anonymously or while using pseudonyms.

While some may feel the Europeans are going too far with data protection, many of these principles are not that different from concepts covered by the White House’s privacy bill of rights or the FTC’s “Protecting Consumer Privacy in an Era of Rapid Change” report.

Many cloud business models rely on personal data

Not all cloud providers rely on using personal data but ones that provide services for free often do. By using personal information such as your age, your location and your interests, cloud providers are able to display more relevant ads which is how they make their money. The more they know about you, the more relevant the ads are, the more likely you are to click on the ad and the more money they can command from companies who want to advertise. This concept is what has made Google into the largest advertising company ever known to man.

Facebook promotes its service as a way to connect with your friends but in reality, the company uses the information it collects from its users to sell ads. That’s how it makes money.

Amazon is another example of a company that uses personal information combined with your history of clicks and purchases to build a very robust profile that can be used for targeted advertising and promotion of specific products.

These business models may not be inherently bad so long as the user has consented to providing their personal information with full knowledge on how the data is being used and for how long. The models become less friendly to consumers when there is no way to opt out or if excessive amounts of data are collected for unknown uses and are kept long after the user stops using the service.

Something will need to change

Yet looking at the European data protection principles and the current models used by some cloud providers, it becomes obvious the two are incompatible. The Europeans are looking for changes to current privacy practices, as exemplified by the recent recommendations made on behalf of 27 data protection authorities (DPAs) by the CNIL related to Google’s new privacy policy. Google has responded that there is no problem with its privacy policy and “the new policy respects E.U. law” despite the fact that the recommendations are coming from the authorities whose job it is to enforce the laws.

Again in the words of the CNIL’s Ms. Falque-Pierrotin:

“If a company that is at the heart of the digital economy cannot come up with a satisfactory solution that is very serious.”

So this impasse leaves us with at least four possible outcomes.

  1. Europe will need to lower its expectations and propose regulations and directives that are more compatible with current cloud business models.
  2. Consumer-oriented cloud providers such as Google and Facebook will need to substantially change their services to be more in line with current and future European data protection laws.
  3. Cloud providers may choose not to comply at all and pull out of Europe.
  4. Or compromises are made by all parties involved and a sane resolution to the impasse is reached.

Option four seems like it would be the obvious solution and provides a win-win for all involved. And yet, Facebook has stated in a document just made public that over-regulation and …

“… potential fines will create a disincentive for innovation and associated job creation among internet service companies. This could be a major blow for the European Union given that the internet sector is widely recognised as the major driver of job creation and growth in an otherwise moribund economic environment.”

In other words, let us be or we’ll move jobs and investment elsewhere.

Peter Fleischer, Google’s global privacy counsel said the following in reaction to the announcement of the CNIL’s recommendations on Google’s privacy policy:

“Our new privacy policy demonstrates our long-standing commitment to protecting our users’ information and creating great products. We are confident that our privacy notices respect European law.”

This head-in-the-sand statement is almost insulting given that it is again directed at the very people whose job it is to enforce Europe’s data protection laws.

As Microsoft has learned and continues to learn, you don’t mess around with the European Commission. You either work out your differences and comply or risk substantial fines. Google is already on a path that seems unwinnable. Facebook may also not be on the right path by pushing back on the EU’s demands and threatening the EU with pulling back on jobs and investment. The better path is to compromise and adapt business models to be more aligned with the laws and customer expectations where each company operates.

We have already seen this with companies such as Google, whose Google Apps offerings for Businesses and Government suppress the display of ads and instead charge for the services. Yet Google still collects enormous amounts of personal data, as outlined in its privacy policy. Google will need to go further to fully comply with European regulations, as highlighted in the recently published recommendations from the EU DPAs and the CNIL.

It is hard to imagine how Facebook can possibly change its business model to be better aligned with EU data protection interests. This is going to be an interesting one to watch.

Perhaps Microsoft has the right idea with clearly segmented services: free, consumer-oriented services such as and Bing, and walled off private business services such as Office 365 which from all appearances fully complies with EU laws today. There may be some tuning required for how Microsoft’s free services use personal data and I suspect Microsoft will be willing to make these changes rather than risk future EU fines.

Why does all this matter to U.S. consumers and businesses? In the end, what the Europeans are pushing for is something we could all benefit from — that is, more control over and knowledge about how our personal data is used by cloud providers. As mentioned, many in the U.S. — including the FTC and the White House — believe in many of the same principles. But the Europeans are more hardcore about clearly defining the rules and going after those who fail to respect the privacy of their citizens. It will be interesting to see how this all unfolds over the next year as Europe ratifies its new data protection regulations and directives, and to see how Facebook, Google and others react to increasing pressure to conform with these laws.

–Commentary by SafeGov expert Doug Miller. This piece first appeared on Wired Innovation Insights.
