Abstract
Big data and analytics have not only changed how businesses interact with consumers, but also how consumers interact with the larger world. Smart cities, IoT, cloud, and edge computing technologies are all enabled by data and can provide significant societal benefits via efficiencies and reduction of waste. However, data breaches have also caused serious harm to customers by exposing personal information. Consumers often are unable to make informed decisions about their digital privacy because they are in a position of asymmetric information. There are an increasing number of privacy regulations to give consumers more control over their data. This chapter provides an overview of data privacy regulations, including GDPR. In today's globalized economy, the patchwork of international privacy regulations is difficult to navigate, and, in many instances, fails to provide adequate business certainty or consumer protection. This chapter also discusses current research and implications for costs, data-driven innovation, and consumer trust.
TopIntroduction
Big data and data analytics are still evolving fields of study. Thus, an agreed-upon and fully comprehensive definition is yet to be established (Uthayasankar, Muhammad, Zahir, & Vishanth, in press). It is also debatable whether big data is a disruptive technology (Frizzo-Barker, Chow-White, Mazafari, & Ha, 2016). However, we do know that it is changing how businesses understand, connect with, and ultimately profit from their customers. Manyika and Brown (2011) state that big data has the potential to increase business operating margins by up to sixty percent. Data is becoming crucial for companies in decision-making, relationship-management, production, and maintaining an overall competitive advantage. It is particularly valuable once turned into digital intelligence.
The overall amount of data collected is doubling every two years, with an estimated 44 zettabytes of data by the end of 2019. That is equal to 99 billion years of music files, 686 billion 64GB tablets, or 1.4 billion years of HD video. Businesses can monetize all this data in several ways, including use for advertising revenue (Facebook, Google, etc.), marketplace transactions (Amazon, eBay, Alibaba, Uber, etc.), production optimization (Rolls Royce, Caterpillar, etc.), and the selling or renting of cloud services (AWS). Users often pay for seemingly free services, such as downloadable white papers and e-books, by signing up with their data.
Big data and analytics have changed not only how consumers interact with businesses, but also how they interact with the larger world. Smart cities, IoT, cloud, and edge computing technologies are all enabled by data and have the potential to provide significant societal benefits through efficiencies and the reduction of waste. While digitization has the potential to benefit both businesses and society at large through new intelligence, innovation, and profits, the primary challenges are that of privacy and security (Frizzo-Barker et al., 2016). In the age of big data and business analytics, concern over privacy and data protection is increasingly at the forefront of consumers’ minds. Massive data breaches have caused severe economic, social, and psychological harm to customers by exposing personal information. Data breaches have also severely damaged the consumer-trust relationship with the companies at issue, often reducing firm market valuations and forever tarnishing brands (Choong, Hutton, Richardson, & Rinaldo, 2017). A simple Internet search shows the scale of this problem, with massive data breaches involving even high-profile companies, such as Equifax, Marriot, Yahoo, and Uber, to name just a few examples. It is also worth mentioning that consumer privacy concerns can extend beyond unauthorized data breaches. For example, there was significant consumer backlash in the United States related to the Facebook sale of personal data to Cambridge Analytica for political purposes (Meredith, 2018). With the proliferation of big data, there are also numerous new policy questions relating to data ownership, a concentration of large companies that control this data, and data flows across international borders.
The objectives of this chapter are to:
- •
Provide an overview of the various international data privacy regulations, including GDPR;
- •
Discuss the pros and cons of the different data privacy regulations and lessons learned;
- •
Discuss the implications of data privacy regulations on data-driven innovation, the economics of privacy, and consumer trust; and
- •
Suggest potential solutions and recommendations.
Key Terms in this Chapter
Right of Erasure: The right of erasure, also known as the “right to be forgotten,” is a GDPR provision that means third parties must remove the personal data of an individual upon request if there are no real business reasons to store the information.
Omnibus Approach: The omnibus approach to data privacy regulations describes when there is one overarching law across multiple industries, like GDPR.
Data Protection Officers or DPOs: GDPR requires DPOs for any company that processes data about a subject’s genetic data, health, racial or ethnic origin, religious beliefs, etc. DPOs serve to advise companies about compliance with the regulation and act as a point of contact with Supervising Authorities (SAs).
Information privacy: Information privacy is the ability to control personal data and associated identities.
Signaling theory: A theory that emerged from the study of information economics and deals with the notion of information asymmetry of buyers and sellers facing a market interaction. A signal is an action taken by the more informed party to communicate its actual characteristics credibly to the less knowledgeable party.
Right to Portability: A GDPR provision that gives consumers the right to transfer their data between different service providers more easily.
Brussels Effect: The process of regulatory globalization caused by the European Union externalizing its laws outside its borders.
Sectoral Approach: The sectoral approach to data privacy regulations is applied when laws only apply to specific industries, such as with consumer privacy laws in the United States.
Asymmetric Information: Asymmetric information occurs in circumstances in which two actors have different amounts of information. This asymmetry creates an imbalance of power, which can cause market failure.
Privacy Regulations: Regulations that are concerned with how businesses handle data and information privacy.
Pseudonymization: Pseudonymization is defined in Article 4 of GDPR as the processing of personal data in a manner that the data can no longer be attributable to a specific person without the use of additional information. Such additional information shall remain separate to ensure that the personal data cannot identify the individual.
General Data Privacy Regulation or GDPR: This regulation went into effect on May 24, 2018 and applies to all personal data across various industries within the European Union.