United Breaks Guitars, or How the Internet is Transforming the Economy

Any readers who have not yet seen the United Breaks Guitars (+ associated statement) video and its follow-up on YouTube should do so. The artist, an amiable Canadian singer-songwriter called Dave Carroll, has also made skillful use of Facebook, and, for all I know, other Internet-based social media to attack United Airlines for its poor customer service after baggage handlers broke his guitar at O'Hare.
The episode is fascinating. Carroll's videos have been viewed well over 5 million times and have made it into countless blogs, Internet and TV news channels, and traditional print media. The man has reached a quite staggering number of potential United customers with a deeply embarrassing message, without the backing of large sums of money or a large PR organisation - in short, without any of the tools with which the corporate world is familiar. There is speculation that the recent drop in United's share price could be related to the campaign. although this strikes me at best as unscientific. In any case, United has apparently tasked one of its PR people to follow (and respond to) net chatter about the case, and is bracing itself for the promised 3rd and (they hope) final video in the series.
Carroll isn't your run-of-the-mill passenger, and United may feel unfortunate to have fallen foul of a man who, apart from appearing to be pleasant and reasonable, is clearly a reasonably talented musician. Worse, he just hasn't let go. The statement and Song 2 both express the view that United's efforts to "make this right" so far have been insufficient, thereby increasing the pressure on the company.
I am in no doubt that the PR departments of a great many high profile companies are watching this with intense interest, and preparing strategies for PR wars carried out over the Internet. Perhaps more importantly though, a great many CEOs and senior executives will hopefully be taking customer complaints about service much more seriously.
This may not be a completely unique phenomenon - ratings (of sellers, content, etc) have been around for a while - but it is the latest and most powerful expression of the new reality for businesses: the Internet has created tools for grass-roots-led commercial accountability of unprecedented power.

A Private EU Battle

Before you get too excited, this post is not about some highly secret European Commission insider gossip. It's about the EU and privacy policy. More specifically, it takes a look at some of the existing and looming institutional battles in Brussels about who is in charge of privacy policy, or "data protection", as it is known in the Brussels jargon.



The EU already has several pieces of privacy legislation on the books. The ePrivacy Directive bans SPAM, requires an opt-in from consumers for ads over email, and obliges telecoms operators and ISPs to delete subscriber traffic data when it's no longer needed for billing purposes. The Data Retention Directive, with rather painful Brussels irony, requires telecoms operators and ISPs to retain the same traffic data for up to two years to help law enforcement authorities fight crime, depending on national legislation.



But the most important law is the Data Protection Directive of 1995. It sets out the rights of the citizen with regard to personal data, and the obligations of organisations that hold such data. Perhaps most importantly, the Directive sets up some institutions at national and European level that are supposed to help protect our privacy.



Now, almost 15 years later, as those institutions have matured and as privacy/data protection starts to become a hot topic in Europe and around the world, a turf war is brewing within and between the big players on privacy in Europe.



Like most EU policy, privacy is an area where the European Commission has the power of initiative in the "First Pillar" - i.e. the Single Market. The lead department of the Commission is the Directorate-General for Justice, Freedom, and Security ("DG JLS"). However, DG SANCO (which covers consumer protection), DG INFSO (the "information society - i.e. telecoms, Internet, and IT), and possibly some other DGs all have strong claims to at least part of the privacy portfolio.



Then you have the European Parliament, which takes a keen interest in high-profile aspects of privacy policy, like the Passenger Name Record (PNR) agreement with the USA. Although it has co-decision powers on Single Market aspects of privacy, the EP does not (yet) have formal powers in Second or Third Pillar areas (foreign and security policy, justice and home affairs).



The relative newcomers to the institutional power game are the European Data Protection Supervisor (EDPS), Peter Hustinx, and the Article 29 Working Party (A29WP). The latter body was set up by Article 29 of the Data Protection Directive, and consists of the independent data protection authorities (DPAs) from all the Member States. Interestingly, although the EDPS, DPAs, and A29WP were set up by the (First Pillar) '95 Directive, their job descriptions are sufficiently vague to have allowed them to be fairly active in justice and home affairs areas, which are "Member State competences" under the EU treaties. The EDPS has an oversight function vis-à-vis the EU institutions' own data protection practices, but the EDPS and the A29WP share an advisory role vis-à-vis the European Commission on privacy policy generally. They regularly issue non-binding, but nevertheless influential, opinions.



So what is happening? It's pretty complicated, which is why I find it so interesting. Not only is there a developing internal turf war over privacy in the European Commission, but there is also a fight (more like a mass brawl) brewing between the Commission, Parliament, Member States, EDPS, and A29WP.



Before 1995, data protection belonged to DG Internal Market, and the EU's policy debate was primarily about the tension between civil liberties (or "fundamental rights") and essentially commercial interests. But after 9/11, as governments raced to ramp up electronic surveillance of terrorist suspects, concerns about abuse of personal data by commercial entities rapidly gave way to concerns about infringement of civil liberties by governments. Data protection was hastily moved to DG JLS. The unit sits responsible for data protection sits in the Directorate for Fundamental Rights and Citizenship. Under recent Commissioners Frattini and Barrot, this part of the DG has very much been dominated by the "sexier" Directorate for Security. The data protection unit has not been able to assert itself internally so far.



But while the internal security vs. privacy battle rages in DG JLS, DG INFSO, with responsibility for the ePrivacy Directive and a range of other ICT-related policies, and under the populist leadership of Luxembourg's Commissioner Viviane Reding, has got in on the act. Reding and her staff have managed a high-profile campaign to reconcile public concerns about the privacy impacts of RFID technology with the huge potential economic and social benefits they can bring. This culminated earlier this year with a formal Recommendation on RFID, proposing that retailers carry out privacy impact assessments (PIAs) on RFID systems, and deactivate tags by default if their systems were found to pose risks to consumers. More recently, Bulgaria's Commissioner Meglena Kuneva has taken an interest in the consumer protection aspects of data protection on the Internet, such as privacy policies, consumer redress, social networking, and child protection.



It seems that the EDPS and A29WP, which work closely together, have been making the most of the absence of clear Commission leadership on data protection to project themselves as the authoritative and expert, EU institutional voice on data protection. The Commission is not helped by the fact that the data protection unit at DG JLS has about one quarter of the staff (and probably also a fraction of the multi-million euro budget) of the EDPS.



With the possibly imminent ratification of the Lisbon Treaty and the resultant disappearance of the EU's "Pillar" system, all these institutions will be able to start playing freely in a new and exciting sandbox - law enforcement. In anticipation of the treaty changes and to respond to the need to update the '95 Directive, the Commission has launched a major public consultation on the entire legislative framework for data protection.



I have no idea what will happen (and I'd be interested in any insights that readers might have) - we don't yet know who the relevant Commissioners will be or how they will regard privacy. Nor do we yet have a firm handle on the new European Parliament. Almost the only certainty is that EDPS and A29WP will continue to seek to build their profile and stature, and perhaps even their formal powers.


Watch this space!