Yale School of Management

Center for Customer Insights

Advancing the frontiers of consumer understanding

The Benefits of Privacy

In May of 2018, the European Union enacted the world’s strictest data privacy law: the General Data Protection Regulation. A new analysis demonstrates how, by and large, everybody—consumers, firms, society—wins as a result.

“The idea of privacy is not to keep everything private, but to set boundaries defining those with whom we want to share and those we don’t,” says K. Sudhir, professor of marketing at Yale SOM. “Every day we evaluate what we might say to friends, coworkers, and so on, depending on how much trust they’ve earned.”

With this notion in mind, Sudhir and T. Tony Ke, at the Chinese University of Hong Kong, analyzed the European Union’s General Data Protection Regulation (GDPR), widely considered the regulatory gold standard of personal data protection. The GDPR is centered on three basic principles. Namely, consumers have:

  1. The right to explicit consent by opting into data collection;
  2. The right to be forgotten: data should be erased upon consumer request; and
  3. The right to data portability: data should be transferred to competitors upon request.

GDPR also sets guidelines around how companies must store and protect consumer data.

Since the GDPR went into effect in May of 2018, much ink has been spilled decrying its harmful effects on the data economy. Sudhir and Ke, wading into the issue, modeled the interactions between firms and consumers to capture a clearer picture of what, in fact, the implications are. Does the GDPR throttle data sharing and, in that way, diminish value for both firms and consumers? Do only consumers gain from data protections, or might firms also derive benefits?

The model looks, broadly, at the ways in which firms are incentivized to earn trust: if they invest in better data security measures and are transparent about the ways in which they use data, for instance, then consumers will more likely trust them and be willing to share data. Consumers, on the other hand, when deciding whether to share personal data, must balance the value of customized services against the potential costs of privacy breaches and price discrimination.

Sudhir and Ke find that, for the most part, the GDPR benefits both consumers and firms. Though opt-in alone can detract from the quantity of data shared, when this is bundled with stronger security measures people seem to be more willing to share their data. “Consumers may worry about how technologies will evolve, how partnerships will evolve, and because of that may be concerned about sharing data in certain sectors,” Sudhir says. “But because the GDPR provides this right to withdraw, protecting personal data forever into the future, and because it encourages greater data security within firms, consumers are more confident and more likely to give their data today. That allows the data economy to grow.”

There are exceptions to this finding, of course, which this work reveals by modeling variations in the cost of data breaches. People, for example, may not be terribly concerned if data about their news reading habits were stolen; they would be more concerned if shopping habits and credit card information were stolen; they might be deeply concerned if their biometric data were stolen.

In these cases of extremely sensitive data—fingerprints, healthcare, and so on—the cost of a privacy breach may be so high that consumers are unwilling to share data no matter what. Here, too, the GDPR proves valuable: rather than forgo a transaction entirely because of concerns about data breaches, consumers can unbundle their data from the exchange; the goods economy can keep going in sensitive sectors even when no data is shared.

“The challenge with a law like this—and it’s big—is that one needs to think about a way to make it somehow generally applicable and yet flexible enough for consumers and firms to both get value out of it,” Sudhir says. The GDPR seems to do this well. “The regulations set in place are able to offer protections not only for today, but for the future, which allows society, firms, and consumers to take advantage of the full benefits of the data-driven economy while keeping the core principles of privacy alive.”