The entry into force of the General Data Protection Regulation (GDPR) was celebrated as a major step forward throughout Europe. The old continent finally has an tool to tame the digital service industry while facilitating the integration of a previously fragmented market that was hampering the training of European digital champions. While the legislation that has recently entered into force can certainly help to restore the image of a European Union concerned with adopting a protective stance towards European citizens, its regulation inspired by mistrust of digital capitalism risks hampering the emergence of a competitive economy based on data across its territory. In fact, other than the few provisions which prohibit Member States from erecting arbitrary barriers to the circulation of data, the new European regulation essentially aims to limit companies’ ability to process individuals’ data for commercial purposes. Non-compliant companies face heavy fines of up to 4% of worldwide turnover. The problem with these restrictions is that they do not take into account how the data processing and information services trade actually works.
For a long time the abundance and accessibility of information services has kept the public under the illusion that they were free and that there was no consideration required for benefitting from them. This illusion stems from a narrow conception of the notion of “price” which, in the collective mind, refers only to monetary compensation. While it is true that most commercial transactions use pricing mechanisms that are expressed in monetary units, this is not the only way to acquire consideration for the provision of a service. A price is simply an exchange ratio. It can use monetary or non-monetary elements. In the labour market, for example, it is common for employees to hire out their labour in exchange for wages and other benefits (job security, benefits in kind, etc.) These other non-monetary benefits must therefore be taken into account in determining the cost of labour. Similarly, digital businesses generally provide their services in return for access to and processing of their users’ personal data. Personal data is preferable to monetary payments for optimum transaction costs. These services are therefore not free, as some operators would deceptively claim. The proof of this is demonstrated by companies like Facebook and Twitter who refuse access to their platform to those not paying the asking price, for example users who restrict the use of cookies by using their browser options.
This begs the question of the “fair price” of digital services. Applied to the personal data processing business, the question amounts to assessing what counts as acceptable concessions in terms of advertising intrusion, transparency of data processing processes and right to privacy. The European Regulation skirts around these last points and only mentions them in general terms. Article 5 of the Regulation only refers to “legitimate” purposes or to data processing limited “to what is necessary” while remaining vague. This is a deliberate lack of precision. The legislating body is aware that it is impossible to determine a priori specific standards for the industry as a whole. These criteria are therefore intended to be clarified on a case-by-case basis, i.e. as regulatory controls proceed and case law develops. However, if the legislator is unable to define the acceptable level of confidentiality, then how will regulators do any better?
So, just as for all other commercial sectors, there is no objective standard for determining the fair price of a service in the digital economy. This would only emerge after a free competitive process. Only the free interaction of supply and demand, which reflects the preferences of consumers and producers across the board, can dictate the acceptable standard of privacy and transparency of data processing procedures. Certain sectors by definition have very high confidentiality requirements that professionals are ready to satisfy (health, cyber-security, professional messaging etc.) Conversely, other sectors are defined by little or no demand for confidentiality (social networks, entertainment, etc.)
In any case, centralised imposition of a level of confidentiality for the industry as a whole is risky. That would constitute imposition of price control. Specifically, arbitrarily limiting data processing options is tantamount to imposing a kind of minimum pricing that is likely to affect the profitability of trade in digital services. As a result, market signals are disrupted, affecting business incentives in the sector. For example, several studies have shown that privacy regulations reduce investment in the online advertising sector and consequently have an impact on the services which advertising funds.[1] By way of illustration, some American press companies have withdrawn from investing in the European market after GDPR came into force. All this goes to fuel the fear of a diminution in digital services. Contrary to what these regulations suggest, cyberspace is not immune to the eternal law of supply and demand.
[1] Lerner, J. (2012). The impact of privacy policy changes on venture capital investment in online advertising companies. Analysis Group, 1-27
This post is also available in: FR (FR)DE (DE)