Few people like change and a common first response to new legislation is that it is a bad thing because of the change it will bring.
One of the biggest concerns about new and proposed privacy and personal data protection laws in Europe is that they will add another layer of bureaucracy that will stifle innovation and productivity.
This fear is predicated on the fact that the current privacy and data protection laws have placed a fair amount of burden on businesses in Europe.
The greatest difficulty stems from the fact that these laws are different for each of the 28 European Union states.
This is particularly burdensome for multinational companies that must consequently deal with hundreds of different regulations and 28 different national data protection authorities (NDPAs) across the region.
“If your company has subsidiaries in every country in the EU, you will have to declare every personal data file to the country's NDPA in the national language,” says Yves Le Roux, policy group lead for the (ISC)² European Advisory Council and principal consultant at CA Technologies. “Every form and its contents are different, which makes this process vastly complex and time-consuming.
“Businesses simply face an overwhelming amount of complexity when it comes to handling data. In Germany, for example, companies need to keep a record of the religion of their employees because some of their taxes are collected for their churches. Therefore, those that create an EU-level employee database have to keep a record of religious beliefs.
“However, in other EU countries, it is forbidden to process personal data that reveals religion, so having this record can create problems when it has to remain private in other countries.”
Concerned about new rules
Given these current complexities, it is not surprising that many Europeans and their business partners in other parts of the world are concerned about any new rules and regulations.
Eduardo UstaranHogan Lovells International
But change could be a good thing, given that the Le Roux says the current situation involves too much complexity.
“Regulation that is unrealistic and does not address the fact that technology's evolution is unstoppable and that data is a hugely valuable asset of the information economy and society, will fail to achieve its purpose,” says Eduardo Ustaran, partner at law firm Hogan Lovells International.
“That is why the current modernisation process of the existing EU data protection framework is so crucial. It is a golden opportunity to get public policy right in this area.”
Rather than holding back productivity and innovation, Ustaran believes privacy regulation could make a valuable contribution to Europe’s productivity, particularly in the technological and digital space.
He believes data protection law should embrace technology and work with it, by making sure that technological players are motivated to embed privacy thinking into the development process.
“If that is achieved, productivity will not only rocket, but the outcomes will be more valuable and sustainable going forward,” he says.
Globalisation of data
Ustaran says privacy and data protection laws must also be aligned with the globalisation of data.
“Trying to ring-fence data geographically in our digital world is absurd,” he says. “The law should be aimed at seeking consistency across jurisdictions so that the protections follow the data, irrespective of where it is.
“If this is done properly, European companies will become more global and hence more successful at the same time that data is protected in accordance with the right standards.”
Stewart Room, partner at PwC Legal, agrees that although there is the potential for privacy and data protection laws to have a negative impact on business, there are strong mitigating factors.
Stewart RoomPwC Legal
He says privacy and data protection legislation could have an economic impact if what regulators do becomes too strident, overbearing or aggressive, so as to cause business worry, and if the regulatory framework creates a load of extra work to be done.
“That work could slows things down and hold things back, having the potential to affect productivity, but there are two mitigators,” says Room.
First, he says the fears of the potential negative impact of information security on business have never been realised.
"I am not sure that anyone is seriously suggesting that, despite the worry about security being a business disabler, that there really is a negative effect on productivity from security, so it is unlikely to happen with privacy and data protection,” he says.
Privacy as business-enabling
Second, Room expects that, over time, business innovators will portray privacy as business-enabling and a virtue. “So, rather than us decrying privacy regulation, what we will have is more people offering privacy products and privacy unique selling points,” he says.
According to Room, there are already resellers in the security technology community that are reviewing the technologies they are offering as value-added resellers (VARs). “They are asking themselves if they can add a second line of technologies that are privacy-enabling or privacy-protecting,” he says.
This trend provides a ready example of how privacy legislation could drive productivity in the sense that there will be more products and services produced to support compliance.
“Gross domestic product [GDP] is output, and that will increase as people will start to sell privacy products and services,” says Room. “Business will adjust to the reality and make it a unique selling point [USP].”
Room points to the way the cloud computing industry has responded to security concerns and turned to security features as USPs, and he believes it will do the same with privacy and begin pushing privacy USPs as European privacy and data protection law goes forward.
Stewart RoomPwC Legal
“While people tend to see laws and regulations as a bad thing and there will be some losers, there are always winners as well, which means privacy legislation could bring a massive boost to the economy as organisations with antiquated processes are forced to reflect on their data-handling capabilities,” he says.
Room believes it is highly likely that as organisations carry out these assessments, smart businesses will see opportunities for productivity and efficiency gains by linking disparate systems and processes, and by streamlining organisational structures.
Generally positive outlook
Despite concerns about the potential impact of privacy and data protection legislation on productivity and innovation, the outlook is generally positive because of the many ways Europe’s privacy agenda is likely to boost economic activity.
The proposed new general data protection regulation (GDPR) will also support greater productivity by harmonising European data protection laws into a single set of requirements.
One area this will help is in addressing the current concerns about company-wide policies for multinationals for data transfer outside of the EU, known as binding corporate rules (BCR).
To implement a BCR, companies have to choose a lead data protection authority (DPA), but currently companies tend to choose a DPA with the weakest privacy policies, says Le Roux.
“Without international standardisation, this will continue to happen, so we need to implement a ‘one-stop shop’ to add coherence,” he says – and a one-stop shop is one of key changes on the way in Europe.
Implementing a one-stop shop is one of the core principles of the proposed GDPR – further indication that coming changes will help address many existing problems and help to boost, rather than stifle, productivity and innovation.