Re-read Don Quixote as you follow the debate about revising Europe's privacy laws. Is it more noble to pursue the glory of fantasy over the indignities of the real world? Do we want to defend an obsolete chivalric code, while the rest of the world looks on with derision? Do we want a strong privacy law that can be operationalized or a glorious piece of literature?
American companies are starting to freak and shriek about Europe's upcoming new privacy laws. In turn, various European politicians are publicly posturing about how all this is required to rein in American companies, while feigning resentment that American companies are lobbying for their interests in Brussels. In reality, of course, the new proposed EU laws are full of flaws, in particular imposing lots of pricey new compliance-bureaucracy obligations, and threatening minor compliance violations with absurdly high fines in the range of 2% of a company's global turnover. But let's not let reality sully this tale. Don Quixote is defending privacy against the American-mega-corporate-privacy-slayers. Don Quixote is defending the Right to be Forgotten.
Sadly, things don't end well for the noble knight, unsettling and unsaid... American companies will come out big winners, compared to their European rivals. European companies face decades of innovation-paralysis under the new rules. American companies will just reorganize and relocate certain operations out of Europe to mitigate risk.
Like many people in the privacy profession, throughout my career, I had always thought it was sensible to apply Europe's privacy laws worldwide, in the interests of maintaining one, consistent worldwide standard. I'm changing my mind now. As the proposals to revise the privacy laws in Europe become whackier by the day, I am starting to believe that the "world" will have to watch Europe do its own thing in its own backyard, while maintaining a different, faster, more innovative pace in the "rest of world". Granted, Europe is a market that is just too big to ignore, but that's no reason why special compliance rules for it should be exported globally. No one applies Chinese censorship rules outside of China, so this would hardly be the first time that companies apply special rules in one particular country/region.
Europe's proposed rules will end up costing a lot, if you care about innovation in Europe. I'm a technophile, in the sense of believing that fast innovation is the only hope to maintain high rich-world living standards for our aging Western societies in the future. But I am troubled by how many roadblocks are being put in place to drag down the speed of innovation. Don't get me wrong: I'm all for serious privacy ethics, for privacy sensitivity, for privacy by design. But I'm not a fan of privacy-bureaucracy-drag. Europe, as one would expect, developed the world's most extreme form of bureaucracy-drag, when it invented the notion of bureaucratic "prior approval" for new technologies. That means that a new technology is dependent on a bureaucracy's prior approval before being launched. Or prior approvals for international data transfers (how absurd, in the age of the Internet!). Or prior approvals for binding corporate rules, and a thousand other bureaucratic hills and hurdles. Reality, again, is often a rather dispiriting affair.
Despite all its good intentions, Europe is also giving the world hopelessly vague privacy laws, sometimes enforced with criminal penalties. For example, what does it mean to impose jail time on someone for "processing sensitive personal data without the data subject's consent"? Does that justify jail time for posting a photo to a social networking site, given that a photo will reveal a person's race and sometimes health conditions (all, "sensitive" categories)? I have faced personal criminal prosecutions on flimsier privacy-law grounds than that, so these are hardly hypothetical risks. In short, Europe is making it increasingly risky to pursue innovation in the field of Big Data, in Europe.
The cynical realists will see that Europe's innovation-inhibiting privacy laws will simply drive more Big Data and Internet innovation to move increasingly outside of Europe. Will we see companies choose to move their research arms elsewhere, for example, to the US or India or Singapore? Ask yourself whether US or European companies will turn out to be more hobbled by Europe's rules. The answer is obvious: European companies will have to swallow these new rules entirely, while non-European companies can simply ring-fence their slower, less innovative operations in Europe. Companies may end up offering a series of slower, less-cutting-edge services in Europe, given the significant risks that cutting-edge data-services could be smacked with massive fines.
I say all this with sadness, as the world moves on. Who am I to deride Don Quixote's dream? Who am I to celebrate the demise of his delusions?