SOCIETY | Jan 3, 2017

What is the relationship between privacy and innovative services?

The Mevaluate case brings us to reflect on how (and if) an activity can be carried out when the aim is to collect data and extract summary information.

“Mevaluate” is a “web platform (with connected information archive) that is set to process reputation profiles for individuals and legal entities”. In less bureaucratic terms, it wants to be the  arbiter of people’s and companies’ reputations, by processing a series of data and producing a summary opinion of the subject examined. The Guarantor was less than impressed by the idea and issued a negative provision that halts any desire to continue the activity, at least in Italy.

In this case, there are various arguments and contrasting problems involved. The collection of data on unknowing third parties; the mass registration; the lack of consent; the asserted (or lack thereof) third party status for the subject organizing the service; the incontestable nature of a judgment on “reputation” – whatever that may mean -. All these factors, seen from the viewpoint of personal data protection, are clearly a millstone around the neck for any similar initiative.

However, on the other hand, we could ask another very simple question: if the same activity was carried out by, for example, Google, in the USA, what would happen? Would the results be the same? What burden would the operator suffer? We wonder why, in a globalised world, where Internet denies (almost) any boundaries, a European citizen must be forced to feel the weight of an especially protective (for others) legislation when on the other side of the Ocean it is all free range?

The Guarantor’s Time

We can also tell you that the gentlemen at Mevaluate have done things perfectly and even asked permission from the Guarantor. There is something slightly off here already: there was a gap of almost eighteen months between application and opinion given. Actually, however, it took less time, as the Guarantor had already sent a preliminary opinion. Actually, however, the problem of the Guarantor’s time in giving an opinion and the need to refer to the Guarantor before beginning any processing (and therefore business) was a real brake on activities. It has happened to people that I work with, who have not been able to start collecting biometric data for almost a year, although actually the Guarantor’s observation were in the end limited to a request for clarification. In a world that is increasingly based on data processing, almost always personal data, this slows down innovation and is a competitive disadvantage that, like the level of taxation, may discourage entrepreneurs from starting a business in Europe and move somewhere where the legislation is less rigid to test and launch a product, and then try out the venture here.

However, if we look at the Guarantor’s observations, it is hard not to agree on the fact that a few problems, not just this activity, but any data collection for the creation of reputational profiles is extremely dangerous and should be strictly regulated, if not prohibited. Although some might think “well, I haven’t got anything to hide” therefore privacy is just pointless tinsel, they should try to find themselves denied a job, an overdraft, the entrance of their children to a private school based on information, which could be mistaken, collected by third parties and assessed carelessly. As is always the case, there is no simple right and wrong here.

Neo-Luddism?

It is not a matter here of just looking at the meager quality of the activity proposed by Mevaluate (for which there is much doubt, but that’s another matter entirely). The problem is a more general one. It affects, as Alfonso Fuggetta has already mentioned, the if and how an activity can be carried out the aim of which is to collect data and extract summary information. Or worse, as in the case in question, the activity comprises fully or partly automated judgments. Which is what companies that offer people’s credit rating offer.

The lack of a clear, reassuring regulatory framework, outside the general protection legislation, is actually used by the Guarantor as an important element for not permitting the handling. Not here and not another similar case. Is there a way out? Established industries such as journalism, investigative businesses and direct marketing have found comfort in the legislation side of things thanks to the adoption of codes of ethics. But how do those industries without representatives, lobbyists, trade associations etc, manage? How can you create a code of ethics for an activity that doesn’t yet exist? Can a law-making body, even an “ethical” one, regulate each possible new activity when it is created?

This would create a kind of neo-Luddism that is partly harmful to the same rights that are to be protected. It would privilege the “brick & mortar” industries compared to innovators of unexplored areas, with contradictory results.

This is a significant paradox: an industry that cannot be created because there is no regulatory framework. A regulatory framework cannot be created without an industry, as reasonably, no legislation can be created in vitro. So the way it works is that the barbarians come in, create the market because nobody creates any real fuss, and place the law-making body before a fait accompli. Uber-style. De facto de-regulation is created through the hunger for too much regulation, which then leads to real deregulation, followed by a feeling of impunity that encourages an aggressive approach that even goes beyond the law (or may well be illegal).

This is a little like what happened at the end of the 1970s and early 80s with the advent of “commercial” television. Crazy, antiquated monopolistic legislation that was challenged several times by free TV channels. The system reacted harshly with the intervention of some “assault praetors” who silenced all desires for a few years and restored the previous system. Until some largely unknown builder bloke reinvented himself in the sector and created what is now known as an “asset of the nation”. We all know how that ended up, the Prime Minister of the time intervened and acknowledged that things couldn’t carry on in a cat and mouse game and that the time had come for a change. So things changed from a monopoly to a duopoly.

Future developments

As we know a European Law on the protection of personal data has been approved and is about to come into full force. This replaces the directive, although it does not explicitly abolish the Code on the protection of personal data. This new law is destined to partly change the situation, as it sets up a principle of unanimous decisions by European Guarantors (a one stop shop), so that anyone wishing to set up shop in Europe does not have to go the full rounds of all the administrations to obtain all required authorizations and opinions but can simply contact the one in the Member State where the business will be mainly established. This will simplify the life of operators and increased intra-European “tourism” is easily foreseeable for accessing the “friendliest” Guarantor, which may not necessarily be a bad thing, as there will be limited regulatory competition, and that may be beneficial. However, we must mention that the European Guarantors consult regularly in a “working party” set up by art. 29 of the abolished directive.

Also, the obligation of preventive reporting (which brought about the provision in question) has been abolished through the regulation, therefore there will be a principle of self-evaluation and maybe controls further down the line, more in line with a rapidly developing economy.  Which all goes in the direction hoped for in this article, with a view to simplifying and increasing time-to-market, even if there is greater legal uncertainty. In all this, the Guarantor’s times, which are short compared to an ordinary ruling, but which are still not negligible, may still leave this type of uncertainty in play for some time, so in many cases there may be a return to preferring a preventive consultation.

Uncertainties cannot easily be solved by simply examining the law. For example, if we look at what happened with the rather unexpected introduction of a strong right to be forgotten ante litteram, in that this law will only be formally codified by the regulation. The right to be forgotten, which is general and mostly discretional, could be a hindrance, even in doubtful cases like that of Mevaluate which could – or rather, could have, at this point – be based on information that is covered by the right to be forgotten unknown to the party involved.

Carlo Piana