When the new General Data Protection Regulation (GDPR) comes into force in May this year, it may or may not arouse turmoil in the Tech industry. At the very least, however, ordinary people are likely to become much more aware of the value of their data.
One ought to point out that it is not easy to assign a value to things, services or products when they are not directly associated with a price. So it happens that, in a software-intermediated economy, personal information is bartered for supposedly 'free' services. The issue here is that people can easily perceive the value of the digital service they use but, evidently, not the value they hand over in exchange for using these services. The opacity creates the suspicion that this might not be a fair trade. You might argue that those service providers need to cover their fixed costs – coders' salaries, the cost of data centers, advertising fees, etc. – somehow, and so they have to exploit their data business models in order to generate revenue.
in revenues from direct advertising
Take Facebook as an example. In 2016 Facebook earned $27 billion in revenues from direct advertising – which basically means all those targeted posts that appear along each and every user's timeline. If you divide that $27 billion yearly advertising revenue by the total number of users (roughly 1.3 billion), it turns out that, on average, a single user's set of data contributes about $20.76. This is what our 'likes', 'shares', comments or pictures are worth – on Facebook alone. So how many networks or services do we use with the same frequency? In my case, the answer is four, which makes it easy to calculate the estimated value of my data. As Jaron Lanier writes in his book Who Owns the Future?: “An amazing number of people offer an amazing amount of value over networks. But the lion’s share of wealth now flows to those who aggregate and route those offerings rather than those who provide the 'raw material'.”
In the light of the value that an individual data set generates, a user might, one day, prefer to retain ownership of his/her data and choose whether or not to sell it to advertisers. Facebook would then be entitled to charge users a fee so as to cover at least the fixed costs of operating the network. What level of fees should the user expect to pay? The concept of Regulated Asset Base (RAB) can help to estimate a price. This approach has been implemented, especially in Europe and Latin America, to regulate the business models of companies – mainly monopolies or asset-intensive businesses – that provide services regarded as essential for society and from which it is extremely difficult or expensive to switch, such as telecommunications, utilities, airports, highways, etc.
The rationale behind this is that profits of the dominant player in the market should not exceed the level that a competitive market would allow. This implies calculating how much profit a new market entrant would need to make in order to finance the same asset structure as that of the incumbent company and also provide a risk premium on the invested capital – i.e. cover the cost of capital.
If we were to apply this approach to Facebook, assuming returns capped at 12% (in fact a 12% cost of capital is rather high, reflecting the risk premium for Tech business models), we would see 2016's operating profit fall by roughly 80%.
Under this new configuration Facebook generating a return capped at 12% – every Facebook user would have to pay $15 a year in order to enable the company to make its 12% return, but would earn $23 (a small but far from insignificant amount) from giving consent to Facebook to sell his/her data to advertisers and also enable advertisers to reach the user. This simple exercise gives us a glimpse of how much our data might be worth.
may have had their data used to influence political outcomes
These considerations take on an entirely new dimension in the light of the recent Facebook data misuse scandal. Mark Zuckerberg's social network – which was so keen to show how they were making changes to meet the new data protection standards – is now facing a public outcry. A whistle-blower explained that his firm, Cambridge Analytica, had allegedly used illegally-obtained data from more than 50 million Facebook users in order to try to influence political outcomes, including the UK Brexit referendum and the US presidential election. The company used an app to collect data not only from people who wanted to use it but also from their friends, without their consent or knowledge. Does this mean that a user's data is actually even more valuable since it can include information on their friends? Hopefully this dubious practice will be ended and strict implementation of the GDPR will ensure that every user is protected in terms of the use of his/her data.
The General Data Protection Regulation, specifically in the section on the 'Rights of the data subject', in fact transposes into legal requirements all common sense concepts regarding the value of an individual data set, stating that people are the rightful owners of their personal data, and that moreover they have both the right to access their data and the 'right to be forgotten' (i.e. to have their data erased). As a consequence, the 'data controller' (i.e. the company that stores and processes the data) is under an obligation to grant the data owner access to it. Failure to comply with this and other regulatory requirements laid down in the GDPR would trigger infringement penalties as high as a lump sum of €20 million or 4% of total annual worldwide turnover if that figure is higher.
Social network user data will soon enjoy the protection of the GDPR in the European Union. But what about the United States? Mark Zuckerberg has agreed to testify in front of the American Senate regarding data privacy. Is this the sign of a change to come? Are we going to see the advent of an American version of the GDPR?