Murat C. Mungan
Professor of Law
George Mason University
Data protection and privacy regulations take place through a patchwork of regulation in the largest jurisdictions across the globe. Moreover, each applicable regulation contains ambiguities within itself. This makes it difficult for businesses to know, with certainty, the exact content of the regulations that are applicable to them, and what they must do in order to be compliant with all relevant regulations. This regulatory uncertainty creates some subtle costs for businesses in addition to the obvious compliance and legal research costs that they face. This article surveys and categorizes the types of costs that can be generated by the existence of uncertainty in the regulation of data protection and privacy. This categorization reveals that any attempt to estimate the costs of regulatory uncertainty and/or the costs of introducing new regulation, generally, is likely to significantly under-estimate actual costs, if they fail to take into consideration the costs listed herein.
Data protection and privacy regulations take place through a patchwork of regulation in the largest jurisdictions across the globe. In the United States, for instance, data protection and privacy concerns are addressed by numerous acts directed at specific sectors, as well as through constitutional safeguards and common law. In Europe, the General Data Protection Regulation (henceforth, GDPR) is applicable in addition to any national regulations that may be in place in each European country. Quite importantly, some of these regulations, most importantly GDPR, have global reach, because they protect the rights of a very large number of individuals whose personal data can be collected and processed by businesses all over the world. Thus, a business in the United States may have to comply with state, federal, European, and other regulations, depending on the reach of its activities. This creates regulatory uncertainty for businesses whose activities involve the collection or processing of personal data. Moreover, the ambiguities contained in each regulation generate additional uncertainty for businesses.
Naturally, businesses have a desire to avoid liability for violating these regulations, and, thus, have an incentive to invest in clarifying which regulations are applicable to them, and how they can comply with the demands of each regulation. This is evidenced, for instance, by the large investments made by businesses in preparation for the new regulatory environment created by the GDPR. Of course, a large portion of these investments are made to ensure compliance, and, thus, they would be incurred even if all businesses were perfectly clear on regulatory demands. However, as explained in further detail, below, some of these costs are incurred to gain information about what the extent of regulatory requirements actually are. Perhaps more importantly, cost estimates are under-inclusive because they ignore harder to measure costs, which are discussed, below.
II. Costs of Uncertainty in the Regulation of Data Protection and Privacy
A. Research Costs
Businesses wishing to comply with data protection and privacy regulations have to first ensure that they understand what steps to take in order to be compliant. When the regulatory framework is complicated, this generates costs by necessitating the advice of legal counsel and/or data protection consultants. The regulatory patchwork which causes uncertainty is intuitively likely to increase these costs by increasing the amount of research that needs to be done. Although there does not yet appear to be a rigorous analysis of these costs, many anecdotes appear supportive of the claim that businesses are making considerable investments to ensure that they are aware of compliance requirements. A Forbes article, for instance, has noted this problem, in the context of GDPR, as follows: “[T]he new rules have been left deliberately vague, forcing corporates and startups alike to invest in (expensive) legal experts to interpret what GDPR means for them.” These research costs are perhaps some of the most obvious costs of regulatory uncertainty. Other, less obvious costs, are discussed next.
B. Deterrence of Entry, Less Competition
Entrepreneurs and investors contemplating entry into markets which face heavy data protection and privacy regulation will, implicitly or explicitly, take into account the costs that they will have to incur due to regulatory uncertainty. This will naturally increase the cost of doing business in these markets, and, thus, may deter entry by some firms who are on the margin, i.e. anticipate being close to breaking even in the counterfactual world where they do not have to incur costs due to regulatory uncertainty. Entry by fewer businesses in to these markets may have the effect of reducing competition among the firms which enter the market. This is likely to generate reduced consumer welfare for the consumers of the services and products that are offered in these markets.
C. Stifling of Research and Development
The existence of multiple regulations pertaining to data protection frequently generates conflicts between some of these regulations and other data requirements imposed by third parties, such as publishers associations, and funding bodies. In the context of data based research, some of these third parties often require researchers to deposit the data they use in to depositories so that their studies can be scrutinized and/or replicated. In these contexts, the objective of placing these requirements is often to foster new discoveries and boost future research.
It has been recently pointed out that some of these requirements “may conflict with the core privacy principles of European Union (EU) General Data Protection Regulation 2016/679 (GDPR), which focuses on the rights of individuals as well as researchers’ obligations regarding transparency and accountability.” In the United States, a scholar conducting health and insurance related research at an entity covered by the Health Insurance Portability and Accountability Act (HIPAA) may also be concerned about what type of data is covered by HIPAA and what she can do to conduct research while complying with the demands of HIPAA.
Uncertainties with respect to what constitutes compliant behavior may cause researchers, on the margin, to refrain from engaging in research which they believe may cause compliance problems. Perhaps more importantly, uncertainty with respect to whether depositing rules are in conflict with data protection regulations may cause researchers to refrain from depositing data, and, thus, make their data analysis inaccessible for future research. The net effect of these types of behavioral responses is to stifle research and development.
D. Avoidance Costs
In economics, avoidance costs refer broadly to investments made by actors to reduce their potential liability. It has been suggested, for instance, that “offenders can engage in activities that reduce the probability of being caught and fined”. The magnitude of such costs is likely to be increased in environments with regulatory uncertainty. This is because, in addition to expending resources to evade detection and sanctions, actors are likely to refrain from engaging in activity, whose legal consequences they are unsure about. Alternatively, actors may be too careful in shaping their behavior to avoid liability.
In the data protection and privacy context, businesses are frequently left having to speculate about what types of acts would be in violation of new regulations. There is no clear understanding among businesses, for instance, about what exactly ‘consent’ means in the context of data regulation. Thus, firms may over-comply by seeking user approval more frequently than is ideal. The same concern arises due to territorial or subject matter uncertainty. A company which organizes on-line tournaments and intends to reward the winners may not be certain about whether it is subject to data regulation designed for on-line gambling purposes, and, thus may choose not to give out monetary rewards to avoid the potential of being subject to such regulation.
These are simple examples meant to illustrate the idea behind what avoidance costs may include. It is, of course, quite hard to imagine all the different species of avoidance costs that may be generated as a result of regulatory uncertainty. Perhaps more importantly, these are quite hard to measure and quantify in monetary terms. However, the existence of avoidance costs and other similarly subtle costs undoubtedly imply that any attempt to measure the costs of regulatory uncertainty will provide an underestimate.
E. Free Riding
Businesses operating in the same industry, who face similar new problems due to the introduction of new and ambiguous regulations, may be the subjects of a version of what is called the ‘free-rider’ problem in economics. This problem occurs when “each individual will tend to avoid personal expenditure on the good in the hope that other individuals will make the necessary expenditure to provide the good.” To explain how this problem may arise in the current context, it is worth focusing on a simple and abstract example.
Suppose that multiple firms in an industry face a new regulatory requirement with respect to how much information consumers must be provided with, prior to collecting their data. Faced with this new regulation, some marginal firms may halt their data collection, with the hopes that other, perhaps larger, firms may start experimenting with some information providing practices. The firms which wait may observe what happens to the experimenting firms and gain a better understanding of which information providing mechanisms are compliant, and which ones are not. This way, the waiting firms avoid the risk of liability, whereas the large firms do not. The waiting firms would then be free riders.
A common problem with free riding is that it leads to below optimal investments in a good whose value is enjoyed by multiple entities. In this context, the good in question is increased knowledge regarding what constitutes compliant behavior, i.e. diminished regulatory risk. The investment to obtain more of this good takes the form of experimentation with the regulation. The firms that free-ride reduce the amount of experimentation, and, thus cause the scope of the regulation to remain uncertain for a longer period of time. This problem basically increases the amount of time over which the costs of regulatory uncertainty must be suffered, and, thus, increases the magnitude of the other costs that are studied.
F. Deterrence Reduction
The economic theory of deterrence posits that individuals will comply with regulation, if they perceive the costs of non-compliance to be greater than its benefits. Interestingly, this implies that when people are unsure about whether their benign behavior may nevertheless violate regulations, they may have greater incentives to engage in harmful behavior which they expect is more likely to violate regulations. This is because the prospect of being punished for benign behavior reduces the opportunity cost of committing the harmful act. In simpler terms, if a person thinks that he will be punished for doing the right thing, he has comparatively little to lose by doing the wrong thing. In the data protection and privacy regulation context, this means that if the presence of multiple regulations causes too much confusion for a business, such that it can never be sure whether its behavior violates regulations, it may simply choose to do whatever provides the largest (gross) gains to it, without even considering the potential effect of violating regulations. Thus, adding additional regulations which cause confusion for businesses may lead to the unintended consequence of causing firms to violate whatever regulation there was in the first place.
G. Quality Reduction
A rather intuitive cost associated with regulatory uncertainty takes the form of quality reduction. Software that we use on a daily basis have many features which are not essential to the functioning of the software, but whose presence enhances the quality of the software. Thus, one can think of these products as a bundle of features, some of which are essential to the main purpose of the product. In many cases, some of the non-essential features of software may give rise to data collection issues, and thus, offering them may subject the producer of the software to increased regulatory compliance and/or liability costs. Regulatory uncertainty basically increases the costs associated with including these features. Therefore, the impact of such uncertainty may be to cause software designers to provide products that contain few non-essential features that may raise regulatory concerns. The end result would of course be a lower quality product.
Regulatory uncertainty caused by the existence of multiple sources of regulation, and ambiguities contained within each regulation, generates a variety of costs. Some of these costs are quite obvious, e.g. costs incurred to learn about the regulatory landscape, whereas others are rather subtle. This article presents a categorization of some important costs that one must bear in mind when thinking about the costs of regulatory uncertainty in the context of data protection and privacy regulation. It is, of course, nearly impossible to list all conceivable costs which may be generated by regulatory uncertainty. However, even after reviewing the short list of costs categorized here, it should be clear that estimating the total costs of regulatory uncertainty is a very difficult task, and attempts to do so will generate underestimates if they fail to take the costs listed here in to consideration. Of equal importance is noting that the objective here was only to provide a list of costs. Needless to say, there may be benefits associated with regulatory uncertainty, as well. Thus, to better understand the likely net impact of regulatory uncertainty, one will of course need to consider the benefits that may be brought about from the existence of uncertainty in the regulation of data protection and privacy.