From a constitutional perspective, data protection is first of all the protection of personality and as such closely related to human dignity as guaranteed by Art. 1 para. 1 of the German Grundgesetz. But can data protection mean something else at a lower-ranking level? As in all other areas, the underlying legal framework can be a criterion for global investment decisions. Furthermore, the guarantee of a high level of data protection given by companies can be regarded as an advantage by users and as a disadvantage by other business and advertising clients. Against the background of this year’s surveillance revelations, the questions arise anew whether and to what extent implemented data protection can constitute a competitive advantage, and whether a clear, well-balanced data protection law may pose a locational advantage.
Data Protection Law as a Locational Advantage
It is important to distinguish between these questions, as the respective actors and the underlying assessment differ in many points. Locational advantages include all those regional parameters that companies may benefit from and that – provided there is a certain mobility – may therefore play a role in location selection. This includes the legal framework that is applicable to the particular business model. Data protection law is potentially relevant to every company, but becomes highly important to companies that sell goods or provide services using the internet. The more strongly the core business model is focused on the collection, analysis, and further exploitation of personal data (e.g. for advertising purposes), the more vital the limits set by data protection law are for the company as a whole. If one takes two possible locations for companies, for example the USA (esp. California) and Europe (esp. Germany), California with its successful but data-hungry large-scale companies – first and foremost Facebook and Google – seems to have the edge over Germany. Why are digital large-scale companies so rare in Germany? Why did StudiVZ lose against Facebook?
However, there are of course many more, and notably more important, locational factors than data protection law that can explain the rise of large-scale companies in Silicon Valley.1 And when it comes to the defeat of StudiVZ by Facebook, the blame is hardly ever pinned on German data protection law.2 In any case, these observations do not make a case against data protection law as a locational advantage. This is confirmed when one takes a look at the prospering German start-up scene. Here and there entrepreneurs complain about strict German data protection laws.3 But does it really keep companies from being innovative and from standing their ground in a competitive market?
On the contrary, a high level of data protection with clear rules can turn out to be a locational advantage when it comes to winning customers (see below). Naturally, companies remain free to exceed the mandatory level of data protection. But a common legal ground – in the shape of a General Data Protection Regulation – can ensure that a minimum level of data protection is guaranteed when it comes to European and German companies. This view is now shared by many companies, and they therefore advertise with “Datenschutz made in Germany”4 or similar slogans. The companies themselves seem to view the German legal framework as a locational advantage, or have at least learned to appreciate it and use it for their purposes.
Strict Data Protection as a Competitive Advantage
Furthermore, compliance with high data protection standards can bring companies a competitive advantage, i.e. provide them with a benefit on the respective market in comparison with their competitors. In global markets this advantage can be provided by a high level of data protection guaranteed by the relevant legal space, and it may be enhanced by exceeding this level. The soft US-American data protection laws and the secret services’ broad access to personal data stored with US companies, as revealed by Edward Snowden, pose a considerable disadvantage to the US-American internet economy. First and foremost European companies feel the pressure to no longer trust US-American services when it comes to data security.5 Even if cooperation with US authorities may not necessarily take place in the individual case, US companies are under strong general suspicion. Besides that, despite the so-called “privacy paradox”6 European cloud and communication services are increasingly sought after – and in post-Snowden times this especially applies to those services that promise an extra amount of data protection. The number of customers of the small German email provider Posteo, for instance, has increased by 30 per cent since NSA mass surveillance was disclosed.7 The Swiss instant messaging service Threema, which provides usability not inferior to that of market leader WhatsApp, also rocketed to top places in app rankings.8 Wuala, the more secure alternative to Dropbox, observed a considerable increase in popularity with users in the aftermath of the revelations, and enquiries from business clients are piling up there as well.9 European companies fear for their corporate secrets and want to store their customer data securely.
This has not gone unnoticed by US-American cloud providers: they expect a loss of between 35 and 180 billion US dollars over the next three years.10 Facing the legal situation in the US and possibly actual government requests, the US-American email services Lavabit and Silent Circle felt so threatened in their business model and their principles that they preferred to close down their email services altogether.11
Although a German large-scale internet company has yet to emerge, a digital Mittelstand is prospering in the wake of European and German data protection law. This Mittelstand, with its privacy-considerate and sometimes special products, certainly does not yet play on a par with big US-American companies, also because its services do not always aim at especially price-conscious end-users. Whether it can stand its ground in the competitive global market in the long run remains to be seen. But as long as scale and form of US-American surveillance remain unclear, European internet companies have at least a protected playing field for themselves.
Additionally, Europe has to ask itself whether it wants to be home to business models based on the radical exploitation of personal data at all costs. Data protection as an aspect of the general right to personality is more than mere “digital hygiene”; it is a vital part of German and European constitutional identity.
- 1 Cf. for example Ferrary/Granovetter, The role of venture capital firms in Silicon Valley’s complex innovation network, Economy and Society, Vol. 38, No. 2 (2009), 326.
- 2 Instead, the reasons mentioned were the limited target group of “German-speaking students” as well as a lack of innovative functions and the outdated design, http://gigaom.com/2012/06/12/studivzs-answer-to-facebook-change-names-go-niche/, http://www.heise.de/newsticker/meldung/StudiVZ-legt-im-Wettbewerb-mit-Facebook-haertere-Gangart-ein-947814.html, http://netzwertig.com/2008/08/04/studivz-chef-riecke-wir-sind-teilnehmer-nicht-treiber-der-innovation/.
- 3 http://stefangrossselbeck.wordpress.com/2013/05/14/die-mar-vom-datenschutz-als-wettbewerbsvorteil/, http://netzwertig.com/2011/10/27/whatsapp-kik-und-viber-datenschutz-als-bremsklotz-der-vernetzung/, and http://www.datev.de/portal/ShowPage.do?pid=dpi&nid=147179.
- 4 This includes not only renowned providers of email services such as Telekom and United Internet’s GMX and Web.de (http://www.e-mail-made-in-germany.de) but even social networks like XING. “E-Mail made in Germany” also faces criticism, https://netzpolitik.org/2013/e-mail-made-in-germany-deutsche-telekom-web-de-und-gmx-machen-ssl-an-und-verkaufen-das-als-sicher/.
- 5 XING itself provides an example: http://www.horizont.at/home/detail/xing-kritik-an-datenschutz-werbung.html.
- 6 “Privacy paradox” describes the phenomenon that the concern about one’s privacy does not necessarily influence one’s behaviour in this regard, Barnes, A privacy paradox: Social Networking in the United States, First Monday, Vol. 11, No. 9 (2006).
- 7 http://mediacenter.dw.de/german/video/item/1041315/Ansturm_auf_sichere_E_Mail_Konten/.
- 8 http://www.zeit.de/digital/mobil/2013-07/threema-app-manuel-kasper.
- 9 http://www.wsj.de/article/SB10001424127887324823804579014691361615238.html. Further examples of benefiting European cloud services can be found here: http://uk.reuters.com/article/2013/06/17/us-cloud-europe-spying-analysis-idUKBRE95G0FK20130617.
- 10 http://www.fastcoexist.com/3015860/people-are-changing-their-internet-habits-now-that-they-know-the-nsa-is-watching. Cf. also http://www.networkworld.com/news/2013/071913-nsa-snowden-272024.html?page=1.
- 11 http://www.theguardian.com/commentisfree/2013/aug/09/lavabit-shutdown-snowden-silicon-valley.