THE ECONOMIC IMPACT OF REGULATION

Given the various justifications for regulation described above, a key question is the economic impact of various forms of intervention. The most-studied interventions are creating markets in personal information; requiring disclosure of the uses of data and security breaches; liability for data abuses; and requirements for organizational and technical baseline standards for privacy protection.

The impact of privacy regulation on Internet innovation has been the subject of much debate and lobbying.

12.4.1 Markets in Privacy

If individuals ‘owned’ or were given property rights over data about them, they could choose to restrict its use or sell access. Given that different individuals and organizations have different preferences for the use of personal information and protection of individual solitude, property rights in privacy requiring negotiation between parties is a way to synchronize preferences and maximize overall welfare. However, this will only work with low transaction costs - if the parties to the transaction can be easily identified, and can negotiate, carry out and enforce an agreement without costs in time, attention and legal fees that outweigh the benefits of this flexibility. The legal environment and industry structure must support the transactions, and the classic market failures of asymmetric information and negative externalities must also be dealt with. An example of such a solution would be telephones that could block incoming marketing calls unless the caller agreed to pay a certain price, which could vary according to the receiver’s willingness to be disturbed at different times of the day (Noam, 1996).

Noam (1996) suggests that a property-based approach is likely to fail. Second parties have very strong incentives to sell on personal data, since in doing so its value is hardly diminished to them. Privacy therefore would be extremely expensive to the data subject.

Nor does this approach answer questions about the bundling of privacy with other services. Can data collected for purposes such as delivery of goods then be sold, with the consent of the purchaser? If so, and individuals have limited ability to refuse consent due to lack of competition, then much of their personal data is likely to be available to interested parties without any need to purchase it directly from the data subject (Greenstadt and Smith, 2005). Hermalin and Katz (2006) further suggest that such an approach will lead to inefficient outcomes.

The concentrated industry structures commonly found in the communications and information industries hinder the efficiency of market approaches, since they reduce the bargaining power of consumers. Monopolists can extract almost the full value of privacy to their customers. This is particularly true of monopoly government services - where else can someone obtain a passport or driver’s license? Market approaches are also of limited utility for managing employer-employee monitoring, since most employees have limited mobility and job choice is limited (Noam, 1996).

Because individuals have heterogeneous preferences for privacy, firms charging positive prices for the same product have an incentive to differentiate themselves from their competitors using privacy policies and thereby occupy a profitable niche, rather than face greater price competition for a consumer with more average privacy concerns. Conversely, when offering a product or service at no charge - common for advertising-supported websites - firms would be expected to cluster around the average consumer’s preferences to maximize demand. Preibusch and Bonneau (2012) found evidence across five industry sectors to support these predictions: camera and DVD retailers, social networking sites, search engines, and blog hosts. In these sectors, websites facing little competition collected significantly more personal details from users.

12.4.2 Initial Allocation of Rights

If economic privacy rights are created, to which parties should they be initially allocated - the data subject, or organizations that wish to contact or profile that individual? Coase suggested that with low transaction costs, the same outcome would result even when parties’ preferences differ - the only difference being in the resulting distribution of wealth.

Therefore the most efficient solution is to distribute rights so as to minimize the cost of resolving the conflict (1960).

However, behavioral economists suggest an additional factor. Individuals generally value their own property at around twice the cost of acquiring the same property (the ‘endowment effect’). Whether a data subject therefore ‘owns’ his or her data, or has to pay a data controller for it to be protected, could therefore result in a significantly different evaluation and outcome (Grossklags and Acquisti, 2007).

Bouckaert and Degryse (2006) modeled three common privacy regulations: that consumers should remain anonymous; that consumers are required to opt out of further data processing; or that personal data can only be processed with explicit consent from the data subject. The latter two conditions equate to initial allocation of rights to the consumer or the data controller. Bouckaert and Degryse found that these regulations affected firms’ pricing strategy and market entry decisions, and that opt-out was most efficient, followed by anonymity and finally an explicit consent requirement.

12.4.3 Disclosure, Liability and Baseline Protections

Although new technology can reduce transaction costs in markets for personal information and attention, the other problems described above mean that this has not been a popular regulatory strategy. Much more common are three approaches that target the negative externalities and information asymmetry in privacy transactions. Mandatory information disclosure - of privacy practices and breaches - improves the informational position of the consumer, allowing him or her to make better-informed decisions about disclosing their personal data. Ex post liability allows consumers to claim damages from companies that have caused them harm by not adequately protecting their data. Ex ante regulation imposes basic standards of care for the processing of personal data, reducing the probability that it will be misused.

An ex post liability regime gives individuals harmed by misuse of their personal data a right of action against data controllers. This should force such organizations to take into account third-party costs potentially imposed by their decisions regarding personal data, thereby internalizing this negative externality. It also compensates individuals for losses. Liability provides an incentive for organizations to find efficient and effective mechanisms to protect data.

However, while economists recognize potential or probabilistic harms, courts generally do not. They are unlikely to award damages for an increased probability of experiencing invasive advertising or being subject to identity fraud, or suffering a decrease in the value of widely distributed personal data. It is also difficult for an individual to prove the origin of misused data, if it is in the possession of multiple organizations, or to retrieve damages for losses suffered long after a data breach has occurred (Romanosky and Acquisti, 2009).

The costs of taking legal action are often high. Privacy breaches commonly result in small damages suffered by a large number of individuals - suggesting that a right of collective action would be required. Liability is only efficient if consumers always succeed in winning damages for the full amount of harm caused by firms (ibid.).

Ex ante safety regulation imposes certain baseline security and privacy protection requirements on data controllers. This may be required if the probability of successful liability action against a firm is extremely low. As well as probabilistic harms, Kolstad et al. (1990) explain that this can include potentially serious new harms whose likely victims and consequences are unclear, or harm so small it is not recognized by individuals but still has a high aggregate impact across a large group. These are all true of privacy harms such as identity fraud. Monitoring security measure implementation can also be much easier than measuring privacy harms ex post (Romanosky and Acquisti, 2009).

Ex ante regulation can impose significant costs. The safety standards might not be relevant to a particular action, but compliance is still required. If standards are specified in detail, data controllers have little incentive to seek out the most efficient mechanisms to reduce harm. Regulators may not have the necessary information to set appropriate standards (ibid.) - especially in fast-moving information industries, where incentives for self-regulation may better engage industry expertise in setting standards (Rubinstein, 2011).

Rules mandating disclosure of the uses and protections afforded to personal data and incidents of data misuse are a third option. The aim of this type of rule is to reduce the information asymmetry between data subjects and controllers. They allow individuals to choose whether to disclose personal data to specific organizations in light of their practices, and to take remedial action if their data is lost.

The potential damage to their reputations caused by disclosure of data loss gives organizations an incentive to invest in protective systems and processes. In a survey of firms across the USA, UK, France, Germany and Australia, the Ponemon Institute (2010, p. 11) found that data breach incidents led to abnormal consumer churn rates between 3.4 and 4.5 percent. One survey found that California’s security breach disclosure laws provided corporate Chief Security Officers with a justification for improving access controls, audit measures and the use of encryption, and improved security awareness generally within companies (Samuelson Law, Technology and Public Policy Clinic, 2007).

An FTC-sponsored survey found evidence that consumers that discovered incidents of identity fraud within six months suffered significantly less loss of time and money as a result (Synovate, 2007). Information disclosure reduces social harm if consumers take action to reduce their own losses. Disclosure is efficient if firms bear all consumer harm (Romanosky and Acquisti, 2009).

Of course, information disclosure rules face all of the challenges to perfectly rational consumer behavior identified by behavioral economists. Consumers may not have the time, interest or legal knowledge to understand all of a company’s privacy policies and breach disclosures, or be able to use that to carefully compute the risk of disclosing a specific item of information. They will incur transaction costs in finding out more information about a breach, and acting to cancel credit cards or fraudulent transactions. By moving to a competitor, they are inevitably disclosing the information at risk to another party. There is also a concern among regulators that customers could quickly ignore a torrent of breach notifications (ibid.).

Using FTC panel data from 2002 to 2009, Romanosky et al. (2011) found that security breach disclosure laws in the USA reduced identity fraud losses on average by 6.1 percent. However, Jentzsch (2010) found that consumers do not benefit equally from information disclosure, because of rent-shifting behavior by firms and consumers.

Tang et al. (2005) modeled a range of markets and the corresponding impact of privacy protection regulation. They found the key variables to be the number of individuals affected by privacy losses, and the size of those losses. When few people are sensitive to privacy harms or when losses are low, then opt-out regimes are socially optimal. For intermediate levels of sensitivity and losses, privacy seals are socially optimal. When many people care strongly about privacy and face high losses, baseline protections are socially optimal.

Romanosky and Acquisti (2009) conclude that a combination of ex ante regulation and ex post liability would achieve better outcomes than each used separately. Acquisti (2004) suggests that technology, consumer awareness and regulation used together to generate and enforce liabilities and incentives will lead to the most socially optimal outcome.

12.4.4 Impact on Innovation

Many online businesses are both driven by and financially reliant upon user data, to the extent that personal information has been called the ‘new oil’ of the information economy (World Economic Forum, 2011). Such businesses are frequently critical of privacy regulation as a brake on innovation.

In a study for the European Parliament, Cave et al. (2011) found that in some cases, privacy regulation can lead to ‘stranded investments’ when products (such as Facebook’s Beacon and Google’s Street View) must be abandoned or significantly altered following ex post regulatory intervention. For this reason, they recommend an increased focus on ex ante regulatory mechanisms such as pressure on companies to include ‘privacy by design’ in new products and services. They also found weak business drivers for privacy-friendly products, correspondingly weak self-regulatory activity in industries such as online behavioral advertising, and hence a need for continued regulatory intervention in societies that value privacy as more than an individual preference in the marketplace.

Some limited empirical studies have shown that privacy regulation can have a significant impact beyond the direct costs to regulated firms. Goldfarb and Tucker (2011) used differences in EU member state privacy regulations to show that limits on using individual profiles to target online banner ads reduced their influence on purchase intent by 65 percent, particularly for smaller non-intrusive ads. This is a serious challenge for news websites and others that do not attract obvious communities of interest that can be shown related ads (such as sports or fashion sites).

Campbell et al. (2011) developed a model of the impact of regulations requiring customer opt-in for the use of personal data, suggesting this will disproportionately benefit incumbents and larger firms that are more likely to have an existing relationship with a given user. This anticompetitive effect can be reduced if standardized or global mechanisms for giving consent are provided. The model is extremely pertinent to the default cookie settings of Mozilla’s Firefox browser, which block cookies from third parties such as advertising networks while allowing third-party cookies from sites that the user has visited directly. This gives companies such as Google, Facebook and Twitter (which all display ads based on users’ previous browsing behavior across third-party sites) a significant advantage over competitors without direct customer relationships.

12.4.5 Examples of Privacy Regulation

Regulatory measures to protect privacy vary significantly between countries. In August 2012 the US National Conference of State Legislatures found that 46 states, the District of Columbia, Guam, Puerto Rico and the US Virgin Islands require companies that suffer data breaches involving personal information to notify affected consumers. Some skepticism has been expressed about the effectiveness of such rules; Calo (2013) concluded that ‘the only thing piling up faster than examples of mandated disclosure as a regulatory strategy is the evidence it does not work... time and time again, disclosure ends up helping few if any consumers or citizens actually make better decisions’.

The FTC and state attorneys general can take action against unfair or deceptive practices - as the FTC has done against Facebook for misleading privacy policies, Google for the flawed launch of its Buzz social network and resulting user data breaches, and Apple for bypassing privacy settings in its Safari web browser. Consumers can also take legal action against companies that have broken contractual privacy policies, although it can be difficult to quantify privacy-related losses. Additionally, the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. §§ 6501-6506) restricts the collection of personal information from children less than 13 years of age - although one study found that 38 percent of European 9-12-year-olds had social networking profiles, many on US-based services (Livingstone et al., 2011).

By contrast, the European Union has comprehensive rules covering almost all processing of personal data. While this ex ante approach is sometimes criticized as bureaucratic and stifling of innovation, it may well be appropriate given high levels of continuing privacy concern from a majority of Europeans, and the core constitutional role privacy rights play in most EU member states. A major revision of these rules took place in 2013 to improve their effectiveness and create a higher level of harmonization (European Commission, 2012).

The EU approach has apparently been persuasive to dozens of other states, which have introduced comprehensive data protection rules despite US attempts to encourage laissez-faire regimes through APEC and other international trade negotiations (Greenleaf, 2013). The EU regime encourages other states to develop comprehensive rules by restricting the export of personal data from Europe to countries that do not have such a legal framework. Even the laissez-faire USA has created a ‘safe harbor’ (enforced by the FTC) for firms that wish to voluntarily commit to follow EU-style privacy rules. This framework has been judged adequate by the European Commission (2000), and joined by major Internet companies including Facebook, Google and Microsoft.

Source: Bauer J., Latzer M. (Eds.). Handbook on the Economics of the Internet. Edward Elgar,2016. — 603 p.. 2016