Economics of Privacy Regulation
Dr. Elif Kiesow Cortez will present on the paper Economics of Privacy Regulation. The paper analyzes the shortcomings of the EU privacy regulation (GDPR) by focusing on the information asymmetries between the regulator and firms. This paper shows that existing privacy regulation is based solely on a “stick” approach and it argues that a “carrot” approach would produce better incentives for firms to comply with privacy rules. We emphasize that the regulator’s access to information is limited and for this reason the regulating authority lacks the ability to effectively monitor firms’ compliance. We propose a model that addresses information asymmetries and thereby improves incentives of market participants to comply with privacy rules in order to gain advantage over their competitors. The proposed model includes two steps.
First, firms are given privacy scores that reflect their level of compliance with privacy best practices. We recommend replacing the compliance vs. non-compliance approach with a differentiated privacy assessment mechanism: privacy ratings. A privacy rating system allows consumers to differentiate between firms that invest a high amount of resources in privacy-respecting practices and firms that invest merely a minimum amount of resources in privacy-respecting practices. These ratings would enable consumers who value privacy to choose firms with good privacy-respecting practices, and they would allow firms to better estimate the optimum amount of resource allocation for privacy-respecting practices given their clienteles’ preferences.
Second, we recommend that independent private actors with experience in data analysis be in charge of giving privacy ratings to firms. This system aims to reduce the information asymmetry between firms and regulators by moving beyond traditional regulators and exclusively public monitoring mechanisms. A system where independent private actors with sufficient expertise are in competition with each other should result in more accurate privacy ratings.
This paper shows that existing EU privacy regulation is based solely on a “stick” approach and it argues that a “carrot” approach would produce better incentives for firms to comply with privacy rules. Furthermore, we point out that making privacy regulation more stringent might have unintended consequences. A combination of (1) overly stringent rules and (2) firms having an informational advantage over regulators can create incentives for firms to optimize around privacy regulations.
Dr Elif Kiesow Cortez, Cybersecurity Center of Expertise, Hague University of Applied Sciences
Dr. Elif Kiesow Cortez is a senior lecturer in the International and European Law Program and also a researcher for the Cybersecurity Center of Expertise at The Hague University of Applied Sciences (THUAS). Elif is the coordinator of the Commercial Law Unit and the Cybersecurity Minor at THUAS. Before joining THUAS, Elif was a John M. Olin Fellow in Law and Economics at Harvard Law School. Elif's doctoral research at the Graduate School in Law and Economics, University of Hamburg, was funded by the German Research Association (DFG). During her doctoral studies, Elif was a visiting fellow at Harvard Business School and a visiting scholar at Berkeley School of Law. Elif’s research is focused on utilizing economic analysis of law to provide recommendations for solving cooperation problems between public and private actors in the domains of data protection and privacy. Elif currently teaches courses on Data Protection and Privacy Compliance, Cybersecurity and Legal Analytics.