Some economic consequences of the GDPR

With Darcy Allen, Alastair Berg and Jason Potts. Originally a Medium post.

At the end of May 2018, the most far reaching data protection and privacy regime ever seen will come into effect. Although the General Data Protection Regulation (GDPR) is a European law, it will have a global impact. There are likely to be some unintended consequences of the GDPR.

As we outline in a recent working paper, the implementation of the GDPR opens the potential for new data markets in tradable (possibly securitised) financial instruments. The protection of people’s data is better protected through self-governance solutions, including the application of blockchain technology.

The GDPR is in effect a global regulation. It applies to any company which has a European customer, no matter where that company is based. Even offering the use of a European currency on your website, or having information in a European language may be considered offering goods and services to an EU data subject for the purposes of the GDPR.

The remit of the regulation is as broad as its territorial scope. The rights of data subjects include that of data access, rectification, the right to withdraw consent, erasure and portability. Organisations using personal data in the course of business must abide by strict technical and organisational requirements. These restrictions include gaining explicit consent and justifying the collection of each individual piece of personal data. Organisations must also employ a Data Protection Officer (DPO) to monitor compliance with the 261-page document.

Organisations collect data from customers for a range of reasons, both commercial and regulatory — organisations need to know who they are dealing with. Banks will not lend money to someone they don’t know; they need to have a level of assurance over their customer’s willingness and ability to repay. Similarly, many organisations are forced to collect increasingly large amounts of personal data about their customers. Anti-money laundering and counter-terrorism financing legislation (AML/CTF) requires many institutions to monitor their customers activity on an ongoing basis. In addition, many organisations derive significant value from personal data. Consumers and organisations exchange data for services, much off which is voluntary and to their mutual benefit.

One of the most discussed aspects of the GDPR is the right to erasure — often referred to as the right to be forgotten. This allows data subjects to use the government to compel companies who hold their personal data to delete it.

We propose that the right to erasure creates uncertainty over the value of data held by organisations. This creates an option on that data.

The right to erasure creates uncertainty over the value of the data to the data collector. At any point in time, the data subject may withdraw consent. During a transaction, or perhaps in return for some free service, a data subject may consent to have their personal data sold to a third party such as an advertiser or market researcher. Up until an (unknown) point in time — when the data subject may or may not withdraw consent to their data being used — that personal data holds positive value. This is in effect a put option on that data — the option to sell that data to a third party.

The value of such an option is derived from the value of the underlying asset — the data — which in turn depends on the continued consent by the data subject.

Rational economic actors will respond in predictable ways to manage such risk. Data-Backed Securities (DBS) might allow organisations to convert unpredictable future revenue streams into one single payment. Collateralised Data Obligations (CDO) might allow data collectors to package personal data into tranches of varying risk of consent withdrawal. A secondary data derivative market is thus created — one that we have very little idea of how it will operate, and what any secondary effects may be.

Such responses to regulatory intervention are not new. The Global Financial Crisis (GFC) was at least in part caused by complex and rarely understood financial instruments like Mortgage-Backed Securities (MBS) and Collateralised Debt Obligations (CBS). These were developed in response to poorly designed capital requirements.

Similarly, global AML/CTF requirements faced by financial institutions have caused many firms to simply stop offering their products to certain individuals and even whole regions of the world. The unbanked and underbanked are all the poorer as a result.

What these two examples have in common is that they both have good intentions. Adequate capital requirements and preventing money from being cleaned by money launderers are good things, but good intentions are not enough. Secondary consequences should always be considered and discussed.

Self-governance alternatives, including the application of blockchain technology, should be considered. These alternatives use technology to allow individuals greater control over the personal data they share with the world.

Innovators developing self-sovereign identity solutions are attempting to provide a market based way for individuals to gain greater control over — and derive value from — their personal data. These solutions allow users to share just enough data for a transaction to go ahead. A bartender doesn’t need to know your name or address when you want a drink, they just need to know you are of legal age.

Past instances of regulatory intervention should make us cautious that even well-meaning regulation will achieve its stated objectives with no negative effects. Self-sovereign identity, and the use of blockchain technology is a promising solution to the challenges of data privacy.