In October, I stopped for lunch at an outdoor osteria on Via della Lungara just east of the Tiber River. The pizza served there -- puffy Neapolitan crust with buffalo mozzarella and fresh San Marzano tomatoes -- was just the early part of a multicourse meal that always includes wine. Compare that to the American pie, a main course with its chewy crust smothered in tomato sauce, cheese and a seemingly endless variety of toppings. It almost always is accompanied by beer. All sorts of pies and slices get called pizza in the U.S., while the name and geographical distinctiveness of Neapolitan pizza is protected under European Union law.
On that trip, just two blocks from the osteria, an international gathering at John Cabot University, a private American liberal arts school in Rome, was considering another transatlantic divide -- privacy in an era of big data -- that has striking similarities to the different ways Americans and Europeans cook and serve pizza.
Restrictive, comprehensive data protection regulations safeguard the use of personally identifiable information throughout Europe, while privacy protections in the U.S. resemble a patchwork quilt of measures, with a tendency toward industry self-regulation in areas where the law is silent.
Read Governing's first-ever International Issue.
Many Americans use their personal information as a commodity that can be traded as currency in retail transactions to earn discounts on the purchase of groceries, gasoline and a wide variety of everyday goods. That practice angers Daniele Pica, a professor at John Cabot, who has worked with the nonprofit Privacy International to fight intrusions into private life by businesses and government across the world. “Commodification is insulting,” he says. “Consent is essential because control over personal data is a fundamental human right.”
Attempting to codify a fundamental human right is both daunting and contentious, as the European Commission is finding out as it works to finalize a new General Data Protection Regulation, which is due to take effect in 2015. The size, scope and complexity of the effort dwarfs America’s HIPAA privacy rule, which became law in the late 1990s. At root, the E.U. regulation must harmonize 27 member states, while not precluding country-specific add-on provisions.
In the proposed regulation, consent to the use of someone’s personal information will “not only have to be free, specific and informed, but also explicit.” European policymakers see the change as a small step forward in privacy protection, but it introduces greater uncertainty for international companies that anticipate significant global economic growth from big data, a term for the analysis and use of vast amounts of data to gain new insights into all kinds of behavior -- climatic, societal, organizational, operational and consumer -- at a once impossible scale.
Will Marshall, president of the left-leaning Progressive Policy Institute, which convened the forum, says big data is key to reviving economic competitiveness in the U.S. and Europe. He worries that disparate privacy rules pose a threat to a “robust ecosystem of innovation-based growth.”
American companies face the delicate task of expressing strong opposition to the privacy regulations sought by European officials in Brussels while being diplomatic about their approach. Among the potential openings for reconciling transatlantic differences over privacy are provisions in the proposed E.U. regulation for codes of conduct. Seen as stronger than self-regulation but less restrictive than full-on regulation, the codes could provide an innovative way to navigate the competing interests of privacy and big data.
Jacques Bughin, a director with McKinsey & Company, is among those who work with European parliamentarians and data protection officials. He sees the risks of both sides locking themselves into extreme positions. Bughin cautioned everyone to “go after their devils but don’t kill the golden goose.”