Economics of Privacy Regulation

Seminar/Forum

Dr. Elif Kiesow Cortez will present on the paper Economics of Privacy Regulation. The paper analyzes the shortcomings of the EU privacy regulation (GDPR) by focusing on the information asymmetries between the regulator and firms. This paper shows that existing privacy regulation is based solely on a “stick” approach and it argues that a “carrot” approach would produce better incentives for firms to comply with privacy rules. We emphasize that the regulator’s access to information is limited and for this reason the regulating authority lacks the ability to effectively monitor firms’ compliance. We propose a model that addresses information asymmetries and thereby improves incentives of market participants to comply with privacy rules in order to gain advantage over their competitors. The proposed model includes two steps.

First, firms are given privacy scores that reflect their level of compliance with privacy best practices. We recommend replacing the compliance vs. non-compliance approach with a differentiated privacy assessment mechanism: privacy ratings. A privacy rating system allows consumers to differentiate between firms that invest a high amount of resources in privacy-respecting practices and firms that invest merely the minimum amount of resources in privacy-respecting practices. These ratings would enable consumers who value privacy to choose firms with good privacy-respecting practices, and they would allow firms to better estimate the optimum amount of resource allocation for privacy-respecting practices given their clienteles’ preferences.

Second, we recommend that independent private actors with experience in data analysis be in charge of giving privacy ratings to firms. This system aims to reduce the information asymmetry between firms and regulators by moving beyond traditional regulators and exclusively public monitoring mechanisms. A system where independent private actors with sufficient expertise are in competition with each other should result in more accurate privacy ratings.

This paper shows that existing EU privacy regulation is based solely on a “stick” approach and it argues that a “carrot” approach would produce better incentives for firms to comply with privacy rules. Furthermore, we point out that making privacy regulation more stringent might have unintended consequences. A combination of (1) overly stringent rules and (2) firms having an informational advantage over regulators can create incentives for firms to optimize around privacy regulations.

Presenter

  • Dr Elif Kiesow Cortez, Cybersecurity Center of Expertise, Hague University of Applied Sciences