Data protection in a global world

I. The scenario
Over the last few years it has been commonly affirmed that personal data is not only information regarding individual life, but is an exploitable resource to make money from. This way of making business has developed in recent decades and was recently outlined by Commissioner Reading (SPEECH/12/26).

During the Seventies, European countries adopted the early regulations on data protection. These regulations regarded to public sector information and the risks of total control, but they also considered data collection and the merging of collected data carried out by big companies in different fields. In the following years the phenomenon increased exponentially due to the introduction of new and more sophisticated technological devices and computer systems which were able to manage and merge large amounts of data.

In a changing world the aim of private data collection has not changed, information is used for businesses in order to extract value from it. However in the public sector, where the traditional approach was not to open public data bases for private use and was excepted in limited cases to be justified by law, has now changed. On the one hand, public security and intelligence activities induce agencies to require information from the private sector and merge this data with their records. On the other hand, the idea of public sector information as a public good induced open data policies which allowed the access and re-use of information owned by public bodies.

Finally, in the last few years, the paradigm of big data and its related aspect concerning the concentration of power over information is emerging. The size of datasets makes it possible to draw inferences about unknown facts from statistical occurrence and correlation, with predictive results that are relevant in socio-political, strategical and commercial terms. Despite the weakness of this approach, which is more focused on correlation than on statistical evidence, it is useful to predict and perceive the birth and evolution of macro-trends, that can be later analysed in a more traditional statistical way in order to identify their causes. These results concerning the emerging tendencies, without knowing the causes that generated them, give the owner of big data a competitive advantage in the business world and increase the possibility of social control by states and groups of power.
From this perspective it emerges that the availability of data is not sufficient, but it is also necessary to have adequate computing resources to manage it. Without the latter, more available data will not generate more knowledge, but only more confusion. The overflow of information without the adequate instruments to organize it, creates nothing but noise and, in the end, less knowledge. For this reason power over information, in the big data era, is not only related to data characterized by a limited access, but can also concern open data, over which the information intermediaries create an added value by means of their instruments of analysis.

II. Towards a global convergence

In the scenario described above, characterized by the central role and increasing value of information, it is necessary to adopt specific rules in order to regulate the flows of information, to define the rights over data and to ensure adequate enforcement. This need concerns not only the protection of personal rights, but also assumes a relevance from a market point of view: clear rules and adequate protection reinforce individual trust in those who collect and process data and guarantee a fair negotiation avoiding unfair practices in the collection and use of data, which produce negative effects on competition.

The initial approach to data protection was local, different countries adopted specific legislative measures, and in some cases concerned only specific sectors characterized by a high need for data protection. This approach is no more adequate in a world where data flows across national boundaries many times a second, and in the context of big data, where it is not possible to define in advance which kind of information is relevant and sensible. In this sense general principles or regulations have been adopted in different areas of the world, like in the EU (directive 95/46/CE).

From this perspective in which different regional approaches to data protection emerged and are still emerging, for a long time privacy aspects have been represented as a struggle between the US and the European paradigm. In an interconnected world, in a global context dominated by global companies and characterized by huge data flows between administrations and agencies, this kind of representation is no longer adequate to reach the global necessity for efficient data flows and data management. At the same time, the dimension of big data, the perspective of extracting value from the private and public sector, need a more coherent and homogeneous approach.
These requests come from civil societies, in order to have a guarantee of significant protection of individual privacy related to data, as well as from institutions and corporations, in order to do business without barriers.
In this particular context different models are emerging. The EU model has a long tradition and had a significant impact on the global system as many other countries have adopted legislations based on it. Now this model is changing towards a higher level of protection and a more homogeneous processing of data. We could probably a different strategy, with less analytic rules, which would maintain the original structure of the Directive 95/46/EC focused on principles. Principles are more suitable for adoption in a world which is continuously changing. If we want to define the rules for the next twenty years, we probably do not need rules which are too detailed. However, we need to define some principles and set up specific bodies which are able to define their practical applications in an evolving world.

Leaving aside these aspects concerning the legislative measures, if we look to the other side of the Atlantic we can also see that big changes in data protection are about to happen in the US. Their model is evolving towards a new model, which continues to differ from the UE and from the new European proposal, but represents the attempt to give an answer to the general global request for data protection coming from individuals.
In this field it is possible to have a dialogue, but the discussion should not remain solely with the EU and the US. Other countries, where different data protection models are emerging should also be involved, such as India and China, where many corporation are exporting their data, their information and their services. From this perspective the rules of these countries are not only local rules, they have indirect effects on our countries.
In a world where people have the same needs and aspirations to have their data protected, companies have the same need to have clear and homogeneous rules, governments have the same need to guarantee efficient data flows between countries and administrations, we have to converge on fundamental principles of data protection common both in the EU and the US. At the same time, we need a wider global convergence on these principles. It does not mean a race to the bottom in order to focus the attention only on specific and limited aspects of data protection. Neither a race to the top, adopting a more protective model. A coherent and sufficiently strong model of data protection is necessary. On this basis every country -or better any geographical areas-, will build its specific rules, coherently with its historical, cultural and legal system, but the convergence on the principles and on the basic rules will facilitate the protection and the flows of data.
We should transform the struggle between models into the interoperability between them. By means of international treaties and other forms of cooperation we could assure the respect for differences, in a context of the efficient management of data flow.
From this perspective, the provisions of the recent EU proposal explicitly consider instruments like binding corporate rules and the use of international treaties. In this sense the proposal assumes significant relevance for achieving the goal of a common framework on data protection and for the definition of specific rules for interoperability between systems.
Our countries, Europe and the US, also have another task that is historically related to their cultures which is to assure the democratic value of data, access to information and sharing of knowledge. The value that could be extracted from individual information by big players and big government agencies, is a value that should be regarded from a new prospective in order to consider information as a common good for the entire society.
This is a difficult goal to achieve, we need to change our models and rethink our competitive systems. However this perspective could be considered in the light of the current trend towards open data and an open culture occurring in the US and the EU. Since corporations invest huge amounts of money in collecting and managing data, they are resistant to open data policies in order to preserve the strategical value of their information. But society and governments should also actively facilitate the sharing of information between corporations, between corporations and society and between governments and society, because the spread of knowledge will create new ideas, new possibilities to make business and will enrich society. Sharing information is not necessarily synonymous with loosing value, but can also be synonymous with creating value. In this field, with regard to data protection, and from a global perspective, we need to be more open to dialogue and to accept a certain level of flexibility.
No single body or country should consider imposing its own model, but they should work together to build a better society and protect fundamental rights and create opportunities for businesses using personal data. These businesses will only be possible if people trust companies, because they know their data is well stored and managed in every part of the world.

1. See The Aspen Institute, The Promise and Peril of Big Data, David Bollier Rapporteur (Washington, 2010), p. 12, see fn. 1.