Don't wait for EU regulation to practice good data ethics

The EU is working hard to achieve a unified law on data ethics and privacy, but companies should look beyond just complying with the law to gain consumer trust

This article can also be found in the Premium Editorial Download: Computer Weekly: Opening doors to open source

Data is an increasingly valuable good. That is why organisations are so eager to collect as much of it as possible. And that is also why consumers and governments are increasingly concerned about what organisations will do with their data.

The European Union (EU) has been actively involved in data protection and the data movement for many years. The most visible result of these activities was the Directive of the European Parliament in 1995 “on the protection of individuals with regard to the processing of personal data and on the free movement of such data”. 

This directive, which stipulated basic human rights such as privacy and individuals' access to their own personal data on the one hand, and free movement of data between member states of the EU on the other, was to be the foundation for national laws in each individual member state.

The freedom for each member state to interpret this directive according to the local culture and views on data privacy seemed the best possible solution, given the sometimes huge differences between those member states. 

“When you compare some more privacy-prone southern countries to the Scandinavian countries, where even salary and tax return details are publicly posted online, you can understand that it is not easy to find a common ground that covers the needs of all countries and citizens,” says Deloitte UK research director Harvey Lewis.

Outdated and confusing

Yet the need for a unified law across the various member states has become increasingly pressing. International companies were struggling with the current situation, according to Lewis. “Many of our customers have to deal with a patchwork of data protection regulations in the various member states. That makes it very difficult to do business in Europe at times,” he says. 

On top of that, the European consumer is also concerned with what happens to their data when it's moved across the border to another member state, where a quite different set of regulations is in force. And the technological advances between 1995 and today weren't all covered by the 20-year-old directive.

That is why the European Commission decided to draft a European General Data Protection Regulation (GDPR), which should be a reflection of the current state of affairs and should supersede the Data Protection Directive and all of its derived national laws. “It's a dream for companies but a nightmare for European bureaucrats,” says Lewis.

It is indeed a long struggle to have each nation's interests and priorities integrated in the new regulation. To have everybody's interests protected and reconciled, a working committee was formed: the so-called Article 29 Data Protection Working Party, which includes representatives from each member state.

The committee's website provides a summary of all activities taking place in this area. It also features a recent announcement that the committee has handed over a summary of all findings and agreements to the European Commission, Parliament and Council – an important step towards reaching a European-wide regulation. Officially, the target date is set at the end of 2015. But everybody agrees that this is a very ambitious target.

Why wait?

But companies cannot afford to wait for the European authorities to agree on this new regulation – they need to move forward now. “Not everything can be covered in this new regulation,” says ING Belgium information architect Dirk Coutuer. “Some things are better left to common sense – general knowledge such as 'don't give your password to third parties', for instance.”

Companies don't need a regulation to know what they should be doing to gain customers' trust, says Coutuer. “That is why I think it would be a good idea for organisations to jointly write down a set of rules and best practices that they can guarantee to comply with,” he says.

In the meantime, companies should strive for maximum transparency, so that consumers know what data is being used and how they can prevent this from happening – a decision that does not necessarily differ that much between citizens from different countries, according to Coutuer.

“I see more of a difference between generations than between countries,” he says. “The younger generation doesn't worry about privacy at all, and doesn't give a thought about what happens with their data. But that doesn't mean we shouldn't do that for them. Freedom – including freedom of your personal data – is too valuable to just give that away without a good fight.”

A virtuous circle of data ethics

Frank Buytendijk, an analyst at Gartner specialising in data ethics, agrees that companies shouldn't focus on the European GDPR or on its due date, whenever that may be. “Technology shows what you can do, laws and regulations tell you what you're allowed to do, but ethics tell you what you should do. If you limit yourself to complying with laws and regulations, you get stuck at the level of a toddler that only obeys because it is forced to do so, not because it wants to,” he says.

Buytendijk distinguishes three more levels of data ethics. Firstly, the level of risk avoidance and, secondly, the level of distinctive capabilities where you use data ethics as a competitive advantage. "Take, for example, TomTom: it includes privacy in the design of its products to distinguish itself from the GPS vendors that can't guarantee you the privacy of your travel details," he says. 

And finally, says Buytendijk, there is the level of true inherent data ethics values. “These are the adult organisations that practice data ethics because they believe in doing the right thing,” he says.

All interviewees agree that compliance is but one of the sides to data ethics and that, in the end, companies should be able to convince the customer to trust them with their data by being transparent, flexible and morally correct, not just by complying with the law. “If you do that, customers will start to expect that from every company. That's how you create a virtuous circle of data ethics,” Deloitte's Lewis concludes.
