The New European Privacy Standards

It’s worth keeping an eye on the new European privacy standards that go into effect in May. Titled the General Data Protection Regulation (GDPR), the new rules provide significant privacy protection for European Union citizens. The new rules are required for all companies doing business in the EU, so that means they apply to the majority of web companies operating in the US. The GDPR rules also apply to brick and mortar companies that collect customer data like banks and doctors. The privacy rules apply to companies that collect data directly from customers (data controllers) as well as any secondary companies that process that data (data processors). Interestingly, under the new rules a data controller is responsible for knowing what data processors do with the data they provide to them.

The major basis for the new rules is that consumers own and have control of their own data and companies can only use data if there is at least one lawful basis for doing so. This includes:

  • A consumer gives specific permission to use personal data for one or more specific purposes;
  • Processing the data is necessary to meet a contractual arrangement with a consumer;
  • Processing the data is necessary to meet a legal obligation which applies to the consumer;
  • Processing is necessary to protect the vital interests of the consumer or some other natural person;
  • Processing is allowed for the performance of a task carried out in the public interest, such as by the government;
  • Processing is necessary to pursue legitimate interests of the data controller or a third party.

For the most part the new laws require consumers to give explicit consent to use their data, including the specific purpose for the use. Just like in the US, there are provisions for law enforcement to gain access to customer data through subpoena or court order.

Larger companies are expected to create the position of Data Protection Officer who is tasked to make sure that all parts of a company are compliant with the law. As you might expect, meeting these requirements is a major change for many companies and there has been a two-year transition period leading up to the May implementation.

The new law also changes the way that companies store customer data to minimize the impact of data breaches. For example, companies are encouraged to store data in such a way that the stored data cannot be attributed to a specific person without the use of additional data. The law calls this pseudonymisation which means encrypting stored data and storing it in a manner to make it hard for an outsider to use. For example, a company would not store things like a social security number, date of birth, address and email address all in the same record.
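The storage approach described above can be sketched in code. The following is an added example, not taken from the regulation or from any company's implementation: it assumes a keyed hash (HMAC-SHA256) as the pseudonymisation technique, and the store names, field grouping and sample records are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Field groups kept in separate stores so no single store holds a full profile.
# The grouping and store names are assumptions made for this example.
STORE_FIELDS = {
    "contact": ("email", "address"),
    "birth": ("date_of_birth",),
    "government_id": ("ssn",),
}


def new_store_keys():
    """One secret per store. These keys are the 'additional data' and must be
    held apart from the stores themselves (for example in a key vault)."""
    return {store: secrets.token_bytes(32) for store in STORE_FIELDS}


def pseudonym(key, customer_id):
    """Deterministic keyed token; it cannot be recomputed without the key."""
    return hmac.new(key, customer_id.encode("utf-8"), hashlib.sha256).hexdigest()


def split_record(record, keys, stores):
    """Write each field group to its own store under a store-specific token."""
    for store, fields in STORE_FIELDS.items():
        token = pseudonym(keys[store], record["customer_id"])
        stores[store][token] = {field: record[field] for field in fields}


def relink(customer_id, keys, stores):
    """Rebuild a full record; only possible for a holder of the store keys."""
    merged = {"customer_id": customer_id}
    for store in STORE_FIELDS:
        token = pseudonym(keys[store], customer_id)
        merged.update(stores[store].get(token, {}))
    return merged


def joinable_without_keys(stores):
    """Count tokens shared by two or more stores, i.e. rows that someone holding
    only the store dumps could join into one profile."""
    seen = {}
    for store, rows in stores.items():
        for token in rows:
            seen.setdefault(token, set()).add(store)
    return sum(1 for found_in in seen.values() if len(found_in) > 1)


def demo():
    # Constructed sample records; every value is fake.
    records = [
        {"customer_id": "C-1001", "email": "ana@example.com",
         "address": "1 Example Street", "date_of_birth": "1980-01-01",
         "ssn": "000-00-0001"},
        {"customer_id": "C-1002", "email": "ben@example.com",
         "address": "2 Example Street", "date_of_birth": "1975-06-15",
         "ssn": "000-00-0002"},
    ]
    keys = new_store_keys()
    stores = {store: {} for store in STORE_FIELDS}
    for record in records:
        split_record(record, keys, stores)
    return records, keys, stores


if __name__ == "__main__":
    records, keys, stores = demo()
    print("rows joinable without keys:", joinable_without_keys(stores))
    print("relinked with keys:", relink("C-1001", keys, stores))
```

Because each store uses its own key, the same customer has a different token in every store, so a copy of the stores alone cannot be reassembled into per-person profiles.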

The law has teeth and allows for fines up to 4% of the worldwide revenues of a business for massive violations of the rules. The expectation is that there will probably have to be a few serious fines levied to get most companies to get serious about following the new rules.

Overall this law creates a drastic change in the handling of customer data. Companies will not be allowed to mine and sell customer data without specific customer approval. It seems to particularly discourage the practice of selling data to brokers who can then use the data in any manner they choose. In this country companies like Google and Facebook make huge revenues from data mining and the big ISPs are now leaping into this same business line. In Europe this is going to greatly restrict the value of selling customer data.

This new law is worth following since the big web companies that are so predominant in this country are going to be complying with the new rules. This means it would be relatively easy at some point to require similar rules here concerning customer data.

The GDPR data storage rules also have the purpose of limiting the value of data breaches. If we see a great reduction in damaging hacking in the EU because of this law, then companies here might begin following the EU recommended data storage methods even if the privacy rules are never implemented here. Some of the most damaging hacks we’ve seen here are when a hacker gets records that provide multiple data points for a given customer. If a hacker can’t use the data to put together a coherent picture of a given customer then the value of a breach is greatly reduced.

A Regulatory Level Playing Field?

There is an interesting discussion worth noting occurring in Europe right now – regulators there are asking if regulations that apply to traditional telecom providers ought not to also apply to companies offering similar services on the web. This discussion is the culmination of many years of lobbying by telecom companies asking for a ‘level playing field’. The executive branch of the European Union is expected this week to propose that online services be subject to the same regulation as companies that offer similar telecom services.

What might that mean for web companies? It might mean that if Skype or Google Voice allows people to make ‘telephone calls’ that these providers might have to provide their customers access to dialing 911. It might require that any online service that gives their customers a telephone number might have to allow customers to keep that number for other purposes (number portability). It might even mean that web companies might be subject to some of the provisions of net neutrality.

It’s easy to think that voice-related regulation of telecom companies is largely a thing of the past. Telecoms in the US have been asking in a number of states to be deregulated for voice purposes – a trend that has accelerated since the FCC declared that landline voice is no longer a dominant service.

And certainly the days are gone when the FCC and the state Commissions regulated the price of every telecom product and set a lot of the rules about how a telecom company had to interact with customers. The most draconian aspects of telecom regulation have been relaxed, and in many cases are gone completely.

Yet there are still a lot of rules that apply to telecom companies both here and in Europe. There are rules about 911 and safety issues. There are the CALEA rules that require telecoms to comply with law enforcement surveillance of customers. There are privacy rules, and truth-in-billing rules and numerous other rules that telecoms are still expected to comply with, even as they are free to sell or bundle their products in any way they want.

The European Union is asking some good questions – and if this is adopted these same questions are going to get asked here in the US as well. Why, if Skype sells itself as an alternative for service, should it not have to provide the ability for a customer to dial 911? Why shouldn’t any web-based voice provider have to comply with the same requirements for privacy, law enforcement or number portability as a landline or cellular telco?

Of course, given a choice the telcos would probably rather that these remaining regulations not apply to them. There is certainly a big push from the big US telcos to get out from all voice regulations. But there are at least some aspects of telecom regulation that are not likely to go away. It’s been proven many times how 911 saves lives. And there is a general belief among regulators that privacy and billing rules protect citizens from telco abuses. And law enforcement is unlikely to bend on the requirement that a telco of any sort help them implement a wire-tap order from a judge.

It’s interesting to me that the regulations here and in Europe are so similar. But I guess that a lot of regulation is the result of trying to address the same issues. For example, if customers have a right to privacy, then there are only so many ways this can be applied to a telephone customer.

The bottom line is that if this is implemented in Europe, and if the web-based companies are able to comply with these regulations, then I think we can expect that same concept to find its way here in a few years. At the end of the day regulators like to regulate and there are a whole lot of voice-like services today on the web that are not subject to some of the basic things that are regulated for every other provider.

Europe Attacking Our Tech Companies

It’s clear that the European Union is attacking American technology companies. Evidence is everywhere. Consider the following examples of recent crackdowns against US technology in Europe:

  • Last year stringent rules were imposed on Google and other search engines to allow people to remove negative things from searches – these rules are being called the “right to be forgotten”.
  • The European Union is getting ready to file a massive anti-trust case against Google for the way that it favors its own search engine over others. The estimates are that the fines they are seeking could be as high as $6 billion.
  • Last year the EU voted in favor of making Google divest into multiple companies.
  • Numerous countries in Europe have blocked services from Uber.
  • The EU is going after Apple’s fledgling music business saying that they have the market power to persuade labels to abandon ad-sponsored sites like Spotify.
  • A decade ago there were several major antitrust cases filed against Microsoft.

There are numerous reasons for the antipathy that Europe seems to have towards American companies. President Obama said in an interview last month that the negativity was largely driven by economic competition and that Europe wants to find a way to support its own burgeoning tech companies over the behemoth tech companies like Google, Facebook, and Microsoft. He thinks a lot of the complaints by the EU are due to lobbying by European tech companies. He said that “oftentimes what is portrayed as high-minded positions on issues sometimes is designed to carve out their (European) commercial interests.”

But the president also admitted that some of the reaction to American tech companies is in reaction to the European history of suppression of freedom by dictators. For example, Germany just spent decades merging with East Germany and their history of oppression from the Stasi, the secret police. This makes some of these countries very sensitive to the recent revelations of the extent of the spying by the NSA. This one revelation might eventually be the beginning of the end of the open Internet as numerous countries are now building countrywide firewalls to shield them from such spying. It’s natural that this mistrust carries over to companies like Google and Facebook, which clearly have a business model based upon profiling people.

Another reason for going after American companies is tax revenues. The American tech companies have become adroit at claiming revenues in jurisdictions where they pay little or no taxes. Of course, this means that they avoid claiming profits in European countries which have fairly high tax rates. (This also means they avoid paying taxes in the US as well).

Finally, there might be an even more fundamental reason for the apparent European distrust and dislike of American technology. In this article published by Business Insider UK there is a look at the fundamental differences between the way that Europeans and Americans view entrepreneurship, technology, and uncertainty avoidance. The article shows the results of a survey and study done by the European Commission looking at how citizens in various countries look at certain issues. I think there has been a natural assumption that since both places are democratic and share a lot of first world values that we naturally think the same about technology. But the study shows some major differences between Europe as a whole and the US. Interestingly, England is very similar to the US in attitudes and perhaps our Yankee ingenuity and willingness to take risks is really part of our British heritage.

Here are some of the findings of that study:

  • Over 90% of Americans think that individualism is more important than compliance with expected social values. In Europe only a little less than 60% of people value individuality first. And in some places like Russia and Denmark less than 30% valued individualism more than compliance with social expectations.
  • When asked to agree or disagree with the statement, “entrepreneurs exploit other people’s work”, only 28% of Americans agreed with that statement (and the American dream is largely to own your own business), while the results in Europe spanned from only 40% agreeing in France, to 50% in the Netherlands, and over 70% in parts of southern and eastern Europe.
  • The US has a much lower threshold of uncertainty avoidance (unwillingness to take a chance on new ideas and new technologies). In the US only a little over 40% of people view themselves as risk averse while in Europe it’s over 70%.

This means that to some extent the European Union is representing the will of its people when they crack down on US technology firms, which are viewed negatively as entrepreneurial and high risk. These kinds of cultural gaps are very hard to bridge and US companies might have problems in Europe for decades – if they’re even resolvable at all.

A Right to be Forgotten?

In a surprising ruling, the European Union’s Court of Justice has ruled that Google must expunge information that is “inadequate, irrelevant or no longer relevant” from the results of its search engine upon request. The case that drove this ruling was one where a Spanish man, Mario Gonzalez, asked to have information deleted from Google. In 1998 he received a notice that his house would go into repossession for not paying his property taxes.

You’ve probably seen these kinds of notices that are put into newspapers once a year for everybody who is delinquent on their property taxes. Like most people, the taxes were paid and the house did not go to tax foreclosure. But Sr. Gonzalez had asked Google to delete the information since he found it embarrassing. The information recently came into Google when the newspaper that had printed the original notice digitized their older newspapers.

There was no dispute in this case that the facts stated in the newspaper were true, because Sr. Gonzalez had been late paying his property taxes and was properly notified of this fact along with everybody else who was late in paying his tax bill. He simply wanted this information deleted because he found it embarrassing and he thought it was no longer relevant.

As I have thought about this I think this is a dreadful ruling. It is being called having the right to be forgotten. But it is something else and it gives people the right to edit their life on line to say what they want it to say. To hell with the facts, but if anything pops up in a Google search you don’t like, then let’s get rid of it. Had a DUI ten years ago – how embarrassing. Raped somebody twenty years ago before you cleaned up your act and became a preacher – kill the story. You’re a politician and people write unflattering articles about your votes – then wipe them out.

This ruling is not about privacy, it is about changing what the world sees about you, regardless if those things are true. If this ruling is allowed to stand it will make the European Internet look like the Chinese one where ten thousand censors read the net all day to scrub out things they don’t find politically correct. Every unsavory person in the world can partake in revisionist history and make themselves look as chaste as the Flying Nun.

This ruling would make Google the policeman of what people want on the Internet instead of just a neutral purveyor of facts. In this case, Sr. Gonzalez and many of his neighbors did not pay their taxes on time. What if he did this every year, not just once in 1998? A prospective employer might want to know this sort of thing about somebody before they hire them.

The trouble with this ruling is that only the worst among us will use this ruling to erase their history. Most people would not be bothered by having true things about them on the web, but thieves, child molesters, political demagogues and con artists will have a field day with this ruling erasing the truth about themselves. There will be no police crime reports on-line because they might offend the criminals. There will not be a big pile of stories about the Westboro Baptist Church or the Nazi party because those groups will get them all expunged.

I certainly hope that some sanity comes to the courts there and this gets overturned. It is an insane ruling and it puts Google and other search engines into an impossible situation. Carried to its logical conclusion it puts every newspaper and blogger at risk for having to pull down anything negative they have said about somebody, even if it is true. This protects the first amendment rights of somebody who doesn’t like something said about them in favor of the rights of somebody else to have a negative opinion of them. It effectively says that anything ever printed about somebody is slander, even if it’s true.

It is a dangerous step when we start hiding the truth and can edit our lives retroactively. Mr. Gonzalez was late paying his taxes. He doesn’t dispute that he belonged on the public list of late payers. The newspaper that published that list had every right to do so, and until this ruling Google had every right to search old newspapers as part of its search engine. The truth is the truth and none of us are going to like the consequences of people having the ability to change their public past. Once implemented this means that you can no longer have any faith in anything that you find on the Internet because it might have been edited.

At Least We are Not Europe

In this country the FCC has undertaken various policy initiatives to promote broadband. However, except for some universal service funding that will bring broadband for the first time to tribal areas and very rural places, these initiatives come with no federal money. And so the real broadband policy in the country is to wait for the private sector to build the infrastructure. The FCC may make proclamations about creating gigabit cities, but it’s completely up to the private sector to make it happen.

And we all know how that is working out. We have a checkerboard of broadband coverage. At one end of the spectrum are the fiber networks – Google and a few others bringing gigabit fiber, Verizon with FiOS, and many smaller communities with fiber built by municipalities or independent telephone companies. In the middle most metropolitan areas are served by decently fast cable modem service and ADSL2 DSL. And then there are a lot of smaller cities and rural communities where the DSL and the cable modems are a generation or more old and which deliver far less bandwidth than advertised. And we have many rural areas still with no broadband.

But what we have, by and large, is still better than what has been happening in Europe. And this is because our regulatory policy for last-mile connectivity is mostly hands-off while the European markets are heavily regulated. After the European Union was formed the European regulators went for a solution that promoted low prices. They have required that all large networks be unbundled for the benefit of multiple service providers. This has turned out to be a short-term boon for consumers because it has brought down prices in every market where multiple providers are competing.

But there is a big catch and the European policy is not going to work out well in the long-run. Over the last five years the per capita spending on new telecom infrastructure in Europe is less than half of what it is in the US, and this is directly due to the unbundling policy. Network owners have no particular incentive to build new networks or upgrade existing ones because it brings their competitors the same advantages they get.

In the long-run, Europe is going to fall far behind everybody else in fiber deployment because nobody wants to invest in fiber to connect to homes and businesses. There have been several major fiber initiatives in recent years in Europe, but these have largely been driven by large cities who are spending the money on the fiber infrastructure, much as is happening with some cities here. But the normal kinds of companies that ought to be investing in last-mile fiber in Europe, the cable companies and the telcos, are not doing so.

We tried something similar here for a few years. When the Telecommunications Act of 1996 was enacted, one of the major provisions was that the RBOCs (Bell companies) had to unbundle their networks, much as is being done in Europe. This was to spur competition by allowing new competitors to get a start in the business without having to invest in a new network. And this brought short-term benefits to consumers for a while. Companies were leasing RBOC unbundled loops and providing voice and data (DSL at the time) to businesses and residences all over the country.

But the FCC didn’t go the whole way like they did in Europe or else they would have also unbundled the large cable networks in this country. The unbundled telecom network business plans broke apart after cable modem service began winning the bandwidth war. And of course, there was the telecom crash that killed the larger new competitors. There are still a few companies out there pursuing this unbundled business model, but for the most part it didn’t work. And the reason it didn’t work is that it is a form of arbitrage. The business plan only worked because federal regulators made the RBOCs unbundle their networks and then state regulators set the prices for the network elements low to spur competition. But the services the competitors were able to offer were no better than what the RBOCs could offer on the same networks.

It’s always been clear to me that you can’t build a solid business on arbitrage. A smart provider can take advantage of temporarily low prices to make a quick profit when they find arbitrage, but they must be ready to ditch the business and run when the regulatory rules that created the opportunity change.

And Europe is currently engaged in one gigantic arbitrage situation. There are multiple service providers who are benefitting by low network costs, but with no burden to make capital investments. Customers there are winning today due to the lower prices due to competition. But in the long run nobody wins. The same rules that are making prices low today are ensuring that nobody makes any serious investment in building new fiber networks. So the competitors will fight it out on older networks until one day when the arbitrage opportunity dies, the competitors will all vanish like the wind. We know it will happen because it happened here. The CLECs in this country had tens of millions of customers, and they disappeared from the market and stranded those customers in a very short period of time.

The only policy that is really going to benefit consumers here, or in Europe, is one that fosters the building of state-of-the-art networks. The commercial providers have not stepped up nearly enough in this country and there is still not a lot of fiber built to residences. But in Europe it’s even worse. So, as much as I read about people criticizing the broadband policies in the US, I have to remind myself – at least we are not Europe.

Open Access: Europe versus the US

When cities build fiber networks in the US, one question they always ask is if they can make their system open access. By this, they mean that they want to build a fiber network, but they prefer not to be in the telecom business and instead would prefer to attract multiple providers to the network to use the fiber and compete for customers. The cities just want big bandwidth for their citizens and most cities would prefer to not compete in the telecom business.

Open Access works well in Europe but has been a failure in the US. Why does it work there and not work here? The main reason it works in Europe is that a number of high-quality service providers are willing to use somebody else’s network, especially a fiber network, to provide service. In Europe ISPs are willing to compete side-by-side with other ISPs even though there is no inherent advantage of one service provider versus another when they are all on the same network.

A perfect example of a European open access network that attracted competition is the one built in Amsterdam. Much of the basic infrastructure has been built by the City, although there have been some private partners recently building some additions to the network. But all parts of the network are fully open access. There are thirteen major service providers offering services on the Amsterdam fiber network – Canal Digitaal, Concepts, KPN, Fype, Online NL, Ligbrandt, Scarlet, Tele2, Telfort, UPC, Vodafone, XS4ALL, and Ziggo. In addition there are around 25 other ISPs who serve smaller niches of customers, often with specialty products such as medical monitoring or small business service.

A few of these service providers are large incumbent providers that had monopolies in their own countries before the formation of the European Union. For example, KPN is the incumbent provider for the Netherlands. Vodafone was an incumbent provider in Germany.

It’s easy to contrast this with the US. There have been a number of cities that have built open access networks in the US and who then tried to lure ISPs to serve in the networks. Some of the open access networks include Tacoma, Provo, Utopia (small towns in Utah), Chelan PUD and a number of other smaller PUDs in Washington state. In none of these cases did a large or incumbent cable provider or telephone company agree to bring service to these fiber networks. In every case the cities that built the networks had to scramble to find local ISPs who were willing to tackle the business. And in almost all cases the Cities had to give a lot of help to these local ISPs in the early days to help them succeed. The ISPs that have operated on US open access networks are generally small, local and under-capitalized. None of the US competitors are of the size or strength of the competitors in Europe.

Why do the big telcos and cable companies in Europe step up and compete against each other while the ones in the US do not? On the European side of the equation, the competitive attitude goes back to the beginning of the European Union. The European Union built slowly since the early 1970’s, but it took on most of its current membership by the early 1990’s. In the mid-90’s there were various treaties signed which opened the borders between European nations, both physically and in terms of commerce. Before that time almost every European country had a monopoly telecom provider. But when the gates were opened to competition, a few of them crossed borders to compete and soon everybody jumped into the competitive fray.

But in the US I can’t find one example of an incumbent cable company competing against another incumbent cable provider. And the large telephone companies barely compete against each other. They fight hard for things like the contract to serve the US government, but overall they barely compete in each other’s territory. And even in most of the US where there are two providers, a telco and cable company, for the most part both parties charge high prices and do not compete heavily with each other. The system in the US is referred to in economic terms as an oligopoly, where a few large providers have divvied up the market to mutual benefit. While there is competition, it is nothing like the real competition seen in Europe.

But I must grant that it probably would be difficult for a large US telephone or cable company to provide service on somebody else’s network. These companies are highly decentralized and it often requires groups from many states to come together to provide service to a new customer. The processes used by the large incumbents are so specific to the way they do things on their network that it might just be too costly for them to modify those processes to serve on a different network.

But whatever the reasons, Europe enjoys tremendous competition for customers, particularly where somebody has built a fiber network. But in the US no such competition exists, other than in metro areas where CLECs still vigorously compete for large business customers in highrises.