GDPR, Innovation and the Cost of Privacy

In today's episode of *Told You So*: Balancing innovation and privacy is hard and has a real cost. And now there's research to prove it.

Pim Nauts, Founder

Reading time: about 4 minutes.

America and privacy, will you ever be friends?

The US Bureau of Economic Research (a reputable institute) looked into the number of available apps before and after the enforcement of the European Data Privacy Regulations (GDPR) in 2018, and found a decline in consumer choice in the app store driven by GDPR, hence (the study argues) less innovation because of it.

The researchers: “Whatever the privacy benefits of GDPR, they come at substantial costs in foregone innovation.”

To prove their point the NBER gathers some PII data before you can read the paper.

Credit where it’s due

We often run into ignorance when it comes to data privacy, especially outside of Europe - with GDPR being confused with cookie consent, seen as a nuisance instead of a fundamental element of the digital economy or considered “overly stringent”. We recently experienced that same sentiment at Data Council last March (where we had a blast), with privacy simply not being top (or bottom) of mind for primarily American data professionals.

That’s not to say GDPR cannot be improved - it certainly can. And so it’s important to understand its impact and learn from it. The study is therefore a courageous attempt to assess it, and they chose an interesting empirical setting to arrive at their conclusions. You have to look beyond the study’s major flaws (of which simply equating app store volume to innovation power is the first that comes to mind), but I was disappointed to learn this study eventually doesn’t raise more than an obvious point: when things are harder, less people attempt it.

(which they arrive at through fancy maths, admittedly)

Following half the recipe gets you no cake at all

My essential critique is that the study leaves out a conditional part of the equation: in order to assess foregone value, there’s a cost to realising that value. It’s like looking at profitability while leaving out purchasing. “Whatever the profitability impact of looking at our costs, they substantially drive down profits”.

So, the study begs the question: when less apps are using less personal data because of GDPR, is that indeed an undesirable outcome?

From a purely capitalist view, under the assumption of compliance, a higher standard indeed means the entry threshold and persistence require a deeper investment in both time and quality, so there’s less capital (whether money or time) attempting it. A lower base number and lower exponent = a lower yield.

Mind your gap

But privacy is a structural element of society. You might not care too much about your personal privacy to agree. Then consider this: the Dutch Tax Authority was fined because they used circumstantial data on people to deny them a payment schedule, pushing them into nearly unescapable debt for the rest of their lives, just because the data was available. That’s what I’d call an “adverse effect” privacy regulations like GDPR aim to prevent.

Everywhere in society structural and personal safety risks are guided by regulations, especially in domains where it takes considerable expertise to understand and reason about risk (like a mortgage), or when the potential impact to personal safety is serious. Data (and so privacy) is one such domain, as is real estate - we hold that to standards because collapsing buildings kill people and as a society we don’t want that.

Killing in the name of innovation

Back to the study’s logic. Building a new car is harder because of safety regulations/admittance and crash testing. So it means a (theoretically) lower number of new cars. But the ones that do enter drive a lot of innovation (hey there, Tesla). With, over time, less lives lost and safer choices for consumers. Following the study’s logic, we could have had both a lot more new cars and a higher risk of dying in them and that would be a desirable outcome.

Which brings us closer to the main point. Omitting the cost of not regulating privacy is a clear miss. I think the likes of Cambridge Analytica and repressive regimes serve an anecdotal but decent suggestion of that potential cost. So the real question before making claims on innovation power is if GDPR limits the resulting level of innovation (and so value creation).

Now I’m not an economist nor in research, but my hypothesis is it only extends the time it takes to get there - with a relatively short period of re-adjustment as a conditional cost to driving long-term innovation power.

So although a random app developer might have built the new Snap but refrained from it because of GDPR, foregoing that outcome does not amount to impact, it’s an economic cost traded for safety that will be leapfrogged in the long run.

GDPR is guiding, not limiting a digital future

The real impact of GDPR and privacy regulations in general is in laying the guardrails for a rapidly digitising economy and society, where data can be used and affect you in ways beyond the layman’s reasoning. Therefore, achieving value creation in the age of privacy yields more innovation, not less. Just not at the expense of personal safety and potential privacy train wrecks. You would also have more buildings if it weren’t for permits, but of much lower standards. Accepting a temporary “decline” in innovation value is a very reasonable trade-off, not negative impact.

Privacy is a balancing act, after all.

PS Always be selling

Did I say we’re making building for privacy easier so you can create value without the Cost of Privacy? Let us show you how

PPS We’re hiring!

Want to help data teams build awesome data products without sacrificing privacy in the process? There’s plenty of cool work left. Did we mention we are hiring!?

Decrease risk and cost, increase speed encode privacy inside data with STRM.