Guest post from Stephen Ezell, Senior Analyst, Information Technology and Innovation Foundation
In recent months, heightened by revelations regarding the United States’ global surveillance and data gathering operations, data privacy has become one of the most contentious policy issues dividing the United States and its European trade negotiation partners. So what explains the differing approaches to data privacy between the United States and Europe?
It starts with the fact that, in Europe, privacy is viewed as a fundamental human right, and, as such, it takes primacy over other personal and societal values. In contrast, in the United States, many people view privacy more as a consumer right and as one value among many, and thus believe that privacy must be balanced against other competing interests.
In particular, in the United States, it’s viewed as reasonable to give consumers more ability to manage their privacy settings online in exchange for the provision of innovative digital services. In fact, many of the most popular Websites on the Internet would not exist today without online advertising, which supports the creation and maintenance of new online content, applications, and services: everything from Google’s free email service Gmail to Facebook’s social networking services. Online advertising provides the revenue that fuels innovative business models and drives much of the Internet economy.
But Europeans place a higher priority on privacy. For instance, proposed updates to the European Union’s 2002 Privacy and Electronic Communications Directive (PECD) would introduce restrictive privacy regulations limiting the ability of advertisers to collect and use information about consumers for targeted advertising. The regulations would limit the ability to target online advertisements to users based on certain protected categories of data, such as an individual’s race or ethnic origin, political opinions, religion or beliefs, trade-union membership, genetic information, health, sex life, and criminal history. These restrictions could potentially prevent or limit marketers from effectively creating targeted ad campaigns for services. For example, whereas it would be perfectly acceptable in the United States to present a Web advertisement for ChristianMingle.com or JDate based on one’s Web search history or social network posts, this would be forbidden by European data privacy rules.
Moreover, even in analyzing the impact of existing PECD privacy rules, Avi Goldfarb and Catherine Tucker found that they resulted in an average reduction in the effectiveness of online ads of approximately 65 percent. The authors write “the empirical findings of this paper suggest that even moderate privacy regulation does reduce the effectiveness of online advertising, that these costs are not borne equally by all Websites, and that the costs should be weighed against the benefits to consumers.” If European advertisers reduced their spending on online advertising in line with the reduction in effectiveness resulting from stricter privacy regulations, “revenue for online display advertising could fall by more than half from $8 billion to $2.8 billion.” Likewise, in a broader analysis of the economic impacts from Europe’s Data Privacy Directive, ECIPE finds that if fully implemented it would reduce EU GDP by 0.35 percent, in even the most conservative estimate.
The second difference is that the United States tends to manage data privacy issues on an industry-by-industry basis, thus we have HIPAA (Health Insurance Portability and Accountability Act) regulating health data privacy rights, Gramm–Leach–Bliley rules regulating privacy of financial data, etc. The United States is not likely to pass an overarching, across-the-board data privacy law — along the lines favored by the Europeans — anytime soon. Thus, the Safe Harbor program — a framework that allows US companies to self-certify that they adhere to a set of privacy principles enabling them to comply with requirements of the EU Data Protection Directive — will remain vital to successful Trans-Atlantic trade and free flows of data.
However, in the wake of the PRISM revelations, some European data protection authorities have called for a suspension of data transfers under the Safe Harbor agreement, since US companies are in “apparent violation.” Moreover, Germany announced on November 3 that it intends to push for tough data protection controls to be included in the Trans-Atlantic Trade and Investment Partnership Agreement (TTIP). But the US perspective is that the Safe Harbor program has worked satisfactorily, has robust enforcement mechanisms, and should be continued.
At the end of the day, data flows are critical to a global, networked economy and thus data issues need to be a component of future high-standard trade agreements. At the same time, those agreements need to preserve a framework that permits different kinds of data privacy rules to be in place among countries. From the American perspective, it’s a global economy, and we can’t have one country or region saying here are the data privacy rules that the entire world has to play by. In summary, trade policy has just barely begun to scratch the surface of issues raised by digital trade, and it’s high-time for the global trade agenda to enter the digital age.