Search This Blog

Thursday, 26 April 2012

Business Implications Of Privacy Law

On Tuesday, I had the pleasure of presenting to the Ctrl-Shift conference arranged for MesInfos, the French equivalent of the Midata initiative, which encourages businesses to allow consumers to download their own personal transaction data. My short presentation is embedded below. 

The ensuing discussion confirmed some critical differences between the continental and British legal landscapes. The most fundamental is the difference in citizens' expectations of the civil law and common law frameworks, on which I've commented before in the context of identity. The citizens of civil law countries expect the authorities to specify in regulation how something new may be done. Whereas the common law is expected to follow commerce - so people first agree contractually how something may be done and rely on judges to solve problems in the courts - Parliament is only there to pass laws where judges can't help. Accordingly, civil law comprises civil codes or legislation made by the state, whereas a significant amount of the law in common law countries effectively comprises judicial decisions and the contractual franeworks to which they relate. 

As a result, contracts in civil law countries can be shorter, as they only need to spell out how the parties intend to modify the operation of the civil code, where that is possible - and attempts at such modification are viewed with some suspicion. But in common law countries, contracts tend to be more involved yet more readily agreed since they are heavily relied upon as the first attempt to agree how something should be done. 

Not only do these differences have significant implications for the pace of innovation in Europe as opposed to, say, the US. But they also help explain why the European Commission's (civil law) approach to life is viewed as such a drag in the UK, which doesn't have the power to ignore it. 

The approach to privacy policies is a case in point. In the online world in particular, not only have global terms of service effectively operated as the only form of enforceable international law (witness US government reliance on the terms of PayPal etc to try to control WikiLeaks), but privacy policies underpin numerous advertising-dependent business models and effectively specify how privacy works. That is something European regulators view with distaste. They believe state-made  law should specify how privacy works, and the role of contracts should be limited to merely obtaining fully-informed consent in relation to specific facts involving the use of data. The mind-numbing 'cookie law' is the product of such pompous thinking.

The incontrovertible fact remains that commerce will grind to a halt if we are to wait for the authorities to dictate the pace and shape of innovation. Life is what happens while you're making plans. The European Commission's far-reaching "General Data Protection Regulation" will be another two years in negotiation. In the meantime, businesses and their customers in the common law world will continue to hammer out their own agreements on how things should work.

Somehow the two approaches need to coincide to enable the same, consumable result.