Abstract

Is privacy a luxury for the rich world? Remarkably, there is a dearth of literature evaluating whether data privacy is too costly for companies to implement, or too expensive for governments to enforce. This paper is the first to offer a review of surveys of costs of compliance, and to summarize national budgets for enforcement. The study shows that while privacy may indeed prove costly for companies to implement, it is not too costly for governments to enforce. This study will help inform governments as they fashion and implement privacy laws to address the “privacy enforcement gap”—the disparity between the privacy on the books, and the privacy on the ground.

Highlights

  • Is privacy a luxury for the rich world?[1] This paper seeks to understand how much data privacy laws cost to implement and enforce.

  • Like some other legal domains, data privacy laws are subject to an “enforcement gap”—“that is, a wide disparity between the stated protections on the books and the reality of how companies respond to them on the ground.”[2] A decade ago, Kenneth Bamberger and Deirdre Mulligan observed that “no one has conducted a sustained inquiry into how corporations manage privacy and what motivates them.”[3] Their study helped understand how companies were responding to regulations and enforcement.

  • The cost for complying with privacy law varies dramatically—from the baker managing a relatively small database of her regular customers’ orders to the 1,000-person company supplying information services to a variety of clients across multiple jurisdictions. In this Part, we summarize a variety of studies on the costs of compliance with respect to data privacy law in the EU and the United States.


Summary

Introduction

Is privacy a luxury for the rich world?[1] This paper seeks to understand how much data privacy laws cost to implement and enforce. Data protection policies by their nature expand regulatory control over the activities of private companies and individuals, paving the way for China to operate its web and flow of data under a model of cyber-sovereignty.[30] By focusing on state security, China prefers to implement regulations such as data localization laws to keep all its information within its borders, which enhances its ability to monitor and regulate information.[31] In 2016, the Cyberspace Administration of China (CAC) issued Administrative Rules on Information Services via Mobile Internet Applications (the App Rules), seeking to directly regulate China’s burgeoning app industry. These rules require app providers to obtain any necessary licenses or qualifications required of information services, make clear the nature and scope of data collection and use, and obtain consent from users before using location, address book, and camera features. One significant challenge was to change the internal culture to prioritize privacy.

Costs of Private Compliance
Overall Costs of GDPR Compliance
Components of GDPR Compliance
Method for handling Data Subject Requests
HIPAA Compliance Costs
GLBA Compliance Costs
COPPA Compliance Costs
Compliance in China
Costs of Public Enforcement
Enforcement in the EU
HIPAA Enforcement Costs
FTC and Privacy and Data Security Enforcement
California Consumer Privacy Act
Enforcement in China
Findings
Lessons for Data Privacy in Developing Countries
