The entry into force of the General Data Protection Regulation (GDPR) was celebrated as a major step forward throughout Europe. The old continent finally has a tool to tame the digital service industry while facilitating the integration of a previously fragmented market that was hampering the training of European digital champions. While the legislation that has recently entered into force can certainly help to restore the image of a European Union concerned with adopting a protective stance towards European citizens, its regulation, inspired by mistrust of digital capitalism, risks hampering the emergence of a competitive economy based on data across its territory. In fact, other than the few provisions which prohibit Member States from erecting arbitrary barriers to the circulation of data, the new European regulation essentially aims to limit companies’ ability to process individuals’ data for commercial purposes. Non-compliant companies face heavy fines of up to 4% of worldwide turnover. The problem with these restrictions is that they do not take into account how the data processing and information services trade actually works.
This begs the question of the “fair price” of digital services. Applied to the personal data processing business, the question amounts to assessing what counts as acceptable concessions in terms of advertising intrusion, transparency of data processing procedures and right to privacy. The European Regulation skirts around these last points and only mentions them in general terms. Article 5 of the Regulation only refers to “legitimate” purposes or to data processing limited “to what is necessary” while remaining vague. This is a deliberate lack of precision. The legislating body is aware that it is impossible to determine a priori specific standards for the industry as a whole. These criteria are therefore intended to be clarified on a case-by-case basis, i.e. as regulatory controls proceed and case law develops. However, if the legislator is unable to define the acceptable level of confidentiality, then how will regulators do any better?
So, just as for all other commercial sectors, there is no objective standard for determining the fair price of a service in the digital economy. This would only emerge after a free competitive process. Only the free interaction of supply and demand, which reflects the preferences of consumers and producers across the board, can dictate the acceptable standard of privacy and transparency of data processing procedures. Certain sectors by definition have very high confidentiality requirements that professionals are ready to satisfy (health, cyber-security, professional messaging, etc.). Conversely, other sectors are defined by little or no demand for confidentiality (social networks, entertainment, etc.).
In any case, centralised imposition of a level of confidentiality for the industry as a whole is risky. That would constitute the imposition of price controls. Specifically, arbitrarily limiting data processing options is tantamount to imposing a kind of minimum pricing that is likely to affect the profitability of trade in digital services. As a result, market signals are disrupted, affecting business incentives in the sector. For example, several studies have shown that privacy regulations reduce investment in the online advertising sector and consequently have an impact on the services which advertising funds. By way of illustration, some American press companies have withdrawn from investing in the European market after GDPR came into force. All this goes to fuel the fear of a diminution in digital services. Contrary to what these regulations suggest, cyberspace is not immune to the eternal law of supply and demand.