The EU Parliament recently approved the General Data Protection Regulation (GDPR), a new set of heavy-handed rules that strictly limit data sharing and use among European organizations. On the same day it did so, the EU Parliament also approved the Passenger Name Record (PNR) directive, a proposal to make it easier for Europe’s police forces and antiterrorism agencies to share and use data about who is flying to and from the EU. The contrast between these two policies suggests that EU policymakers are conflicted about data: They want blanket restrictions on the use of data, but they are willing to make exceptions when they understand how it can be used to address important problems. However, Europe has more problems than just domestic security. If Europe is to succeed in the data economy, EU policymakers will need to apply the same principles that led to development and approval of the PNR to the rest of the economy so that data-driven innovation can flourish.
The GDPR has many problems. First, the regulations impose severe restrictions on how organizations collect, use, and share data. As a result, to remain in compliance, businesses will need to sharply reduce how much data they use or constantly bombard consumers with privacy notices to obtain their consent. The rules will make it more difficult for European businesses in virtually every industry, from financial services to manufacturing, to leverage data, and will thus make them less competitive in the global market. Second, the GDPR includes a more expansive definition of personal data and imposes new data protection obligations on organizations, which means that businesses will have to re-evaluate all of their data handling practices to ensure they are in compliance. This will not be cheap, and these costs will be passed on to consumers. Third, the GDPR exposes companies to the risk of exorbitant fines for noncompliance. The severity of these fines, up to 4 percent of total worldwide revenue, will dampen the enthusiasm companies have for experimenting with innovative uses of data, as well as sharing data with partners, because they will not want to risk running afoul of these rules.
In contrast to the GDPR, the PNR is a long overdue attempt to make it easier to use data to improve domestic security. The PNR allows government agencies to collect a wide array of information from airlines about passengers traveling in the EU so that they can analyse the data for suspicious activity and use the information to identify and disrupt terrorist networks. The idea is not new, but it has long been resisted for being at odds with the EU’s existing data regulations. However, European policymakers finally agreed to the proposal in the wake of growing terrorist threats, which highlighted the need for reform.
The rationale for the PNR is that better data analytics are needed to improve security. But European citizens have more than just physical security needs. The UN’s 1994 Human Development Report identified seven forms of human security, including economic security, food security, health security, and environmental security. Better data analytics can play key roles in improving these forms of security, but only if EU policymakers reform data regulations. For example, public health officials should use data to monitor infectious diseases and food safety, while drug manufacturers and health-care providers should use data from electronic health records and other sources to treat illnesses and track how people with different medical conditions respond to different treatments. It will be much harder for European medical researchers to significantly improve clinical outcomes, cut health-care costs, and develop personalized treatments unless regulators lift unnecessary restrictions on medical data.
The EU still has a long way to go to embrace data-driven innovation so that it can be used to address many of the challenges facing its citizens. It is not enough to only use data to address terrorist threats. European policymakers should be thinking hard about additional reforms they can make, like the PNR, that will allow data-driven innovation to thrive. Given that it took the European Commission 20 years to update its data protection regulations, we should begin this conversation sooner rather than later.