Data protection legislation may protect our data locally, but internationally privacy is not just a personal issue, it lies at the heart of ensuring competitive markets.
As the digital revolutions continues to fueled in a large part by advertising spending, a data arms race is emerging, with a handful of multi-billion dollar corporations engaged in a battle to know more about us -- and therefore better target adverts -- than their competitors.
This race to the bottom, where respecting consumer privacy is an obstacle to greater profit is the stark reality of a digital world where services are free and data is valuable. We are not customers, but a product, to be repackaged and marketed to the highest bidder.
In March this year, perhaps the single most important test for this balance began. Google, in what was purported to be a simplification of their existing product-specific privacy policies, a new, all-encompassing policy was implemented, despite a request from European data protection regulators for more time to assess the impact for consumer privacy.
The silo-walls came down, with a tsunami of information released across Google's operations. European regulators launched an investigation, working together as the Article 29 Working party.
Last week, 36 global privacy regulators wrote to Google, endorsing a report that found Google "doesn't respect" European privacy law, is not transparent with users about what it does with their data. Crucially, they warned Google doesn't give consumers a real choice about how to protect their privacy.
Their concerns are not new -- indeed, as we warned when we highlighted that only 12% of people had even read the new policy, it was unlikely those who read it would have understood it. The policy uses eight different terms relating to data and personal information, which are seemingly the same and yet entirely different.
Following the report, I argued that Google was "keeping consumers in the dark" about how much data Google collects about them and what it does with that data. Consumer choice and consent relies on a full understanding of what is going on, and real choice. The Article 29 report highlights that consumers do not have such understanding, or a real choice.
The challenge going forward is not just how to protect privacy, but how to protect that choice. What use is a detailed understanding of a service's data collection if it's the only service to choose from?
Last week's letter details how Google currently controls 90% of the search market in Europe and around 50% of the smartphone operating system market. Combine that with details on billions of YouTube views, Gmails, websites visited where analytics software is installed and the full suite of Google services and you have an incredible wealth of data.
If more data means higher profits, or simply holding your own in the face of aggressive competitors, how do we protect privacy? By ensuring properly competitive markets. If data protection regulators cannot stop the collection of vast amounts of data -- a test failed long ago -- then competition regulators must step up to protect consumers. Limiting data collection and processing prevents one firm reaching the position where privacy regulator action becomes a cost of doing business, a price for staying on top.
Perhaps this is why we have seen so many arguably deliberate accidents in recent years at Google, from the illegal collection of Wi-Fi data from StreetView cars (and subsequent failure to delete all the data) to the Safari spying that saw iPhone users who had taken action to prevent tracking being tracked. The latter resulted in a $22.50 fine after the U.S. Federal Trade Commission found that Google had written code to deliberately evade the privacy protections in Apple's Safari Web browser, only a year after having signed an agreement with the same body to improve its privacy practices.
The test isn't just whether one company knows more about us than another -- it goes far broader than that. As our digital footprints grow exponentially, from the location data of our mobile phones to the videos we watch online, shopping habits to social media posts, we are gradually surrendering ownership of our identities.
The digital marketplace is already maturing, with the emergence of business models less dependent on advertising and privacy becoming a competitive advantage for some companies. The market is changing, but how can anyone compete in a marketplace dominated by Google -- the price of playing by the rules in a marketplace where one company can afford to set their own rules may well be total failure.
The investigation and global co-operation into Google's privacy policy is a good start, but the real test is if anything changes for consumers. The UK's regulator, the Information Commissioner, is limited to a maximum £500,000 fine, hardly likely to dent a company of Google's size. The time has come for privacy and competition regulators to act together, recognizing that it is essential for consumers not only to be fully informed about what happens to their data, but to have a real choice of service and on what terms those services are offered.
If the Internet is to become the next industrial revolution, it must not be built on the backs of a generation who never had a choice about how much personal information they handed over. The potential for a competitive, privacy-aware market to enhance innovation and empower consumers is too great an opportunity to miss.