Killing geo-location in the crib
Is this a return of the US-EU privacy wars of the 1990s, when Brussels’ bureaucrats threatened to halt intercontinental online transactions? They may be coming back. This time it’s over location data.
An upcoming EU report will say that “geo-location data has to be considered as personal data… The rules on personal data apply,” an EU official tells the Wall Street Journal.
The implication is that data collected by cellphones, Twitter, Facebook and others must be handled like names, birth dates, and other personal information: collected with user consent, deleted after a certain period, and kept anonymously.
This is absolutely preposterous. Yes, rules — better, tougher rules — are desperately needed. But to simply drop the data into a pre-existing regulatory bucket (as the EU is doing by calling it “personal information,” which carries sweeping regulatory burdens) is asinine. It will hold back the amazing innovations and services that are just starting to emerge, and future ones that we can scarcely imagine today.
Calling something new (geo-location data) something old (personally identifiable information, or PII in the trade) is far too blunt a way to go about upholding the legitimate public interest concerns that need to be addressed. It avoids the more humble — and probably more effective — task of trying to figure out the new properties of this type of data, and thus devise appropriate ways to balance personal privacy with innovative services. It’s harder to do this, but sounder.
This of course will happen, but over time, and probably in a different regulatory jurisdiction. Possibly America? Perhaps China? Maybe Brazil? But European geo-loco firms will suffer in the meantime, since they’ll be crammed into a regulatory straitjacket. And to be clear: this is not to say that better rules aren’t needed — they definitely are. But they ought to be sensible ones.
Failing to take a more cautious and reflective regulatory approach results in things like the EU’s 1998 privacy directive. It did an excellent job of getting governments into the privacy arena, but it had lots of silly parts too. For one thing, it required an international “safe-harbor” provision in order to do innocuous things like allowing a US firm in France to send its payroll data to headquarters in Detroit. The rules are already out of date, and although the directive boasts strong enforcement provisions, they’ve barely ever been used.
In fairness, the US has miserable privacy legislation — no country does it well — but the piecemeal approach and building up of a body of regulatory experience is looking like a better way forward. There is no “privacy kommissar” in America, but that hasn’t stopped the FTC from taking serious action often.
A far better way to proceed is the way the US is moving. Sen. Al Franken’s opening statement to hearings on May 10th on cellphone privacy was a paragon of wise policymaking: he wants to find the right balance. He was scorching in his condemnation of current practices:
“Once the maker of a mobile app, a company like Apple or Google, or even your wireless company gets your location information … these companies are free to disclose your location information and other sensitive information to almost anyone they please - without letting you know. And then the companies they share your information with can share and sell it to yet others - again, without letting you know. This is a problem. It’s a serious problem.”
But at the same time, he understood the risks of regulating too soon:
“I just want to be clear that the answer to this problem is not ending location-based services. No one up here wants to stop Apple or Google from producing their products or doing the incredible things that you do. You guys are brilliant. When people think of the word ‘brilliant’ they think of the people that founded and run your companies.”
If this gap in regulatory approach is not settled, the result may well be another round of the privacy wars. Companies like Apple, Google, Facebook, Twitter, Foursquare and others will have to tailor their operations depending on jurisdiction, down to their very code base. The EU will argue that they have to do this anyway for language and law. But this still fractures and debilitates the service. And it is hypocritical: the idea behind the EU’s common market and common currency is about the gains from harmonization.
The best way to ward off bad public policy is with good case studies of excellent services. Industry basically has its head in the sand hoping this issue will go away (it won’t) or is in hiding, hoping it doesn’t need to disclose how the services work (it does). Their actions are shortsighted. Geo-location services are interesting and useful, and if people really knew what was happening, many would be fine with it, provided a backstop of basic protections exists.
The case must be made publicly. So what are the amazing new services that are emerging that show why the EU’s approach is not quite right? Share your stories here.