Sorry to be a bit slow in responding - I was attending a hearing on Data Retention demonstrating how badly the present appraoch create crime and damage the european economy.

Also, it is not a simple quickfix to re-empower the demand-side to pull the value chains.

There are multiple aspects of this and different contexts have different requirement. The biggest problem is the many interest in taking ownership over people and creating various kinds of lock-in.

A simple example of empowerment that primarily technical people can easily understand is the need for Digital Cash (do NOT require identifcation and do NOT reuse keys) everywhere where you might pay with a credit card (require identification and some 3rd party become a treat).

WHy and then again how?
a) Free Empowered Choice.
you need to ability to make the choices and you need to POWER to enforce a NO (to EMV cards) to enable competition.
b) Flexiblity and interoperability,
You need interfaces to be open for competition instead of the bad technical/standards lock-in, we presently see everywhere in internet-related situations.
c) Security.
More complex as the legitimate security requirement to resolve prior to the transaction depends heavily on the context and we presently lack both open security standards and empowering security technologies (client-side key and channel creation and management).

A good standard is e.g. RFID - ISO 14443A or ISO 15693B whereas the overlay ISO18000 / NFC is a bad. telco kartel standard. Why - because the two first are OPEN to push-through (of e.g. any cryptographic credential) without identifying the RFID in the network layer whereas NFC enforce a gatekeeper and in many aspects terrible security.

So with ISO 15693b, you could start with a NEUTRAL session. Provide non-invasive blidned proofs (e.g. Not on a Wanted-list) and pay cash with Digital Cash and get e.g. a train ticket and later show this - WITHOUT ever creating personal data to protect.
You cannot do this with a smartphone/NFC.

What should EU do? Many things

a) Stop making regulation that enforce bad security and prevent good security. E.g. Data Rention is without nuance and enforcing bad security - even if the police have a legitimate need for access to data for a specific transaction, why should the telco have and why whould the entire transaction security be undermined?.

b) Require openness and open standardsas in mdel-driven, poaramterixed and onthoilogy-supported. Especially in security, communication and payments.

c) Drive Empowering Security - e.g. eIdentity instead of PKI isolated and make non-identified Identity Legal tender, i.e so citizens have a RIGHT not to identity.

d) Make public services that ensure control stay out side servers in such as way that they request data and proofs in open standards.

e) Continue untill all areas and sectors are covered. Some areas are more difficult but also more important than others e.g. eHealth.

Etc.

Sorry - feudalism the the state structure where the king made local aristocrats own people in order to have the kings collect tax and support the kings power. It originates back to 11th century.

What happens with data retention is that the state dis-empower the citizens and enforece some 3rd party in infrastructure are in control of (own) transaction. Th
This re-creates the symbiosis between bureacuratic power and commercial infrastructure power in a neo-feudalist manor.

Remember that e.g. telco´standards PREVENT competition on innovation and security. You cannot introduce a secure non-trackable mobile phone because the kartel standard enforce channel owner ownership through the SIM-card and the protocol leaking persistent identifiers.

We need to be more explicit so we do not end up in a strawman discusson with a lot of unstated asumptions.

One of the main points of Empowerment is to ELIMINATE the "privacy trade-offs".

If you are an honest service provider you do NOT loose anything by allowing citizens to have control of linkability accross purpose.

If you are a dis-honest service provider spying on customers and abusing claimed implicit or otherwise non-valid "consent", then no regulation will prevent you. Look to how fast industry circumvented ePrivacy with nonsense "do-not-track" knowing very well that commercial data crimes are almost impossible to prove - e.g. you cannot see or track exactly how Google use which personal data.

In public services there is a much more important element - the lack of markets make control of data a way to enforce citizen actual need to dominate public sector vaue chains. Today there are NO effectiveness driver in the public sector and it is killing european competetiveness as the public sector slowly reduce overall productivity exporting jobs oversees to low-wage contries (complex discussion in itself, but security and empowerment is the key to public sector productivity).

The emphasis of what I am saying is the the surveillance regime is a certain economic and security failure because all normal transactions and markets are severely damaged.

We URGENTLY need a shift from surveillance to security, i.e. so that DEFAULT is contextual isolation or one-purpuse-one-pseudonym kind of end-to-end security. This include telecommuication, i.e. so the cahnnel providers will NOT be able to link unrelated transactions with the same person/device/organisation unless explicitely desired.

We need an eSignature, but only person-to-person and to create pseudonyms customized to context for all serverside and online use under strict personal control.

The Data Retention question will then be reversed - instead of enforcing bad security, eliminating data security and distorting gatekeepers for all transactions, you isolate each transaction and control WHO is able to link data to the citizens under what circumstances. Security is all exclusivelyu about eliminating trafic data (hear the NSAs, bureacrats and commercial profilers scream and begin listing their non-legitimate excuses - which I agree on)

There are at least three layers to this hardcore security question - assuming we secure transaction by default and EMPOWER the citizens which is the critical for economical and security.

a) If any stakeholder in a transaction as part of the transaction negotiation have to accept a risk related to some of the the other stakeholder, then he will legitimately require and get accountability (isolated to him), i.e. a conditional way to establish a non-reputable and pre-transaction verifiable identification in case of e.g. non-abiding to contractual agreements. If you dont pay the debt, you face the consequences under law is vital to ensure.

b) Next question is for which contexts government (not telcos even telcos might act on behalf of government without access to privatet encryption keys) need the same or represent other stakeholders, e.g. in traffic car-related to risks such as speeding or hit-and-run, someone has to represent the potential "wictims" as a car is a "leathal weapon" often resulting in accidents.

Please note that TAX does NOT have to be treated under this as the proof of taxation can be a standard and verifiable requirement of all entities engaging in involving taxation. Government DO NOT NEED to know how you made your earnings as long as taxation is ensured (hear the bureaucrats scream - and society recover).

Point is here - we can establish ISOLATED accountability. You can make the specific transcation identifiable without linking OTHER unrelated transaction to the citizens.

c) The REALLY unpleasent test of democracy is when we ask for which context and under which circumstances should government (not telcos) are to be ABLE (NOT allowed but capable) to LINK many or all your transactions to you.

This can be a court order - e.g. a convicted phaedofile having done his prison time will perhaps never fully recover his citizens rights. But here we are talking ONE SPECIFIC individal under court order having lost some rights. We have lots of this around, but no way to manage it because we e.g. in connection with child day-care emmployment simply just violate the rights of all requiring a police record as employment pre-requisite.

The real problem is the capability of HIDDEN non-prior sanctioned and especially non-transparant to citizens surveillance and tracking. This is what commerciual infrastructure behavioural profiling, the NSAs and other "criminals" do.

We need to remember here - there are truly bad guys out there. If government become aware of e.g. a specific terrorist or violent criminal threat, we do require and we do accept a massive SPECIFIC surveillance.

My suggestion is NOT to protect the criminbals, but to STOP government surveillance like eSignature, unsecure payments and Data Retention from severely damaging society and the entire economy as it is already doing.

I am not saying that further regulation has no impact, but I am certain you would agree that it

a) will increasing burecuacy for all

b) is non transparant to consumer (and never can be so informed consent to e.g. Google profiling does not make sense and can never be informed or without purposespecifikcation)

c) the secondary usage is rapidly escalating / security is failling. Factis that European companies and their customer interactions are getting profiled from infrastrcuture due to bad security leading to loss of competitiveness.

d) the enture approach means that we CANNOT SECURE any transaction just as we are not allowed to.

e) I dont see this as an either/or - if we have no security then you have to rely on data protection regulation. If we have security then data retention is not an issue, new oppounities are enabled (dont need bureaucratic rules and consent) and in case data becomes identifiabl, the data protection regulation "cathes" the problem.

The problem is that Data protection regulation do not giv any discount or incentives to secure tranactions and data upfront - e.g. on non-identified but accountable data as the existense of e.g. judge with capability to make data linkable does not give discount on the strict requirements on informed consent.

f) If you notice my walkthrough on the security aspects above, I do assume data rentention regulation - however I show how to make it (more) trustworthy, durable and not damaging the economy / security.

g) The BIG concern is actually public sector Command & Control econmics where competitiveness disappear in ineffektive public sector services which is then either directly or through taxes distributed to the private sector. Remember we have to be a lot more effektive to compensate for the differences in wages/required living standards.

Why polute (digitally) when we can avoid it?