 |
| Nice people, but not IP folk ... |
This Kat was up till 1 am rewriting his paper for today's programme of the MAPPING Extraordinary General Assembly (on which see yesterday's Katposts
here,
here,
here and
here) after he realised that there were hardly any IP folk present and that his audience was to consist almost entirely of information law, surveillance and privacy experts. To remind readers, this EU-funded event is conducted under an optional Chatham House Rule, so speakers can agree to be quoted by name if they like. The Assembly is set to review issues relating to internet governance, security, surveillance, privacy and IP -- but the emphasis is very much on all the bits that aren't IP and this Kat had the most unusual experience of looking through the list of over 130 participants and recognising only four names on it, one of which was his own.
 |
Secure -- but is it
a sitting target ...? |
This morning's discussions began with a thematic session on privacy, economy and security. The first speaker gave a keynote address. He spoke of the experiences of his company, which provides both products and services for the secure purchase of physical and digital goods on the internet -- a sector which is not regulated, even though it is vulnerable to threats of fraud. The company has grown despite being in hostile competition with banks and credit card businesses, but has been assisted by the fact that the national competition authorities opened antitrust proceedings against these competitors. Now trading in 11 countries within the EU, the company plans ultimately to offer a pan-European payment system and is already accepted by over 25,000 traders.
 |
Security and choice: two
major priorities in the EU |
Non-cash-based secure payment is a sector that is largely dominated by US-based companies: is this something to worry about, and why does it happen? Google, Amazon, Facebook and PayPal have all established payment services, the first three of which already know through their software what sort of things consumers are prepared to pay for. The large and homogeneous local market, with a single language, makes it easier for such businesses to gather momentum in the US than elsewhere, and knowledge achieved through experience in the US -- where there is also a more liberal regulatory approach -- gives experience that can be easily transferred to the more fragmented markets across Europe. Some foreign enterprises are based in EU member states which take a less interventionist view of regulation and they also have aggressive lawyers, so they tend to be left alone.
In the EU, having to deal with 28 separate national regulatory authorities is inconvenient, particularly where they employ different standards, and this militates against setting up a single pan-European e-payment system: the EU only needs one regulatory authority. Also, while data protection authorities are inconsistent, some have now begun employing people with technical expertise as well as legal knowledge -- a real improvement when engaging them in dialogue as to the security of a specific software system.
Data protection, security and other legal priorities can be used by larger businesses as a pretext for keeping small start-ups out of the market, or at least of delaying their entry into it -- but that does not mean that these priorities can be ignored. Allegations of failure to maintain proper standards must be examined to see if they are evidence-based or simply a shot at foreclosing the market. It's also important to prevent a situation arising in which the sector is governed by a multiplicity of rules but where the big businesses already playing in that sector are not complying with them. Regulation should also be aimed at real issues and not at theoretical problems, so that the regulatory structure does not overburden the sector. In any event, regulatory standards for internet-based payment systems should be global, given the reach of the internet, not parochial.
In the ensuing discussion session, attention was drawn to the dearth of authoritative case law in this area, to the intermediary platforms offered by Alibaba for such transactions, to the burden of compliance with data protection requirements and whether it represents a disproportionate burden on SMEs (answer "yes, especially since some data protection laws appear to be drafted on the basis that data is recorded physically on paper"). It was also suggested that it was unfair to to regulator-bashing, since regulators were sometimes blamed by SMEs for their failure to comply with regulatory standards.
The conclusions? Data protection regulation is a hindrance and an expensive one -- but a necessary one, particularly now that it has become apparent that some regulated businesses invest time and money in seeking to circumnavigate it. Also, it can be more difficult to sign up for an online magazine than to buy a car on the internet: are we getting our priorities right, and the balance between them?
