Three important facts have survived the political psycho-drama of the last two months.
- Despite approaching austerity, the Government remains committed to the removal or modification of all EU Regulations such as the GDPR by the end of 2023.
- The re-appointment of Suella Braverman (Home Office) and Dominic Raab (Ministry of Justice) increases the risks to the UK’s Adequacy Agreement, courtesy of these Ministers’ desire to fundamentally alter the Human Rights Act.
- Michelle Donelan returns to the DCMS as data protection supremo; she made the £23 billion costs-claim during her speech to the Conservative Party faithful (on October 3rd, see references).
The omens are that the Data Protection and Digital Information (DPDI) Bill will be further modified. During her conference speech, Ms. Donelan told delegates:
“Our new data protection plan [i.e. other than the plan in the DPDI Bill] will focus on growth and common sense, helping to prevent losses from cyber-attacks and data breaches, while protecting data privacy. This will allow us to reduce the needless regulations and business-stifling elements, while taking the best bits from others around the world to form a truly bespoke, British system of data protection”.
Warming to her theme, Ms Donelan added: “We inherited GDPR from the EU, and its bureaucratic nature is still limiting the potential of our businesses. So much so that researchers at Oxford University estimated that it has directly caused businesses to lose over 8% of their profits” (my emphasis).
There are two comments to make:
- Wow!! Over 8% of profits! How much did that cost the economy? Donelan failed to give the number; this blog does.
- Donelan has ditched the previous Secretary of State’s inflated claims that the DPDI Bill saved over £1 billion.
In relation to that 8% claim, for companies registered in the UK, all profits are currently subject to 19% corporation tax; the HMRC website states that for each of the last four years, corporation tax has raised approximately £55 billion for the Treasury (see references).
It follows that if £55 billion equates to 19%, the total taxable profits subject to corporation tax (i.e. the 100% of profits) is about £290 billion and the loss of “over 8% of profits” is a loss of over £23 billion. Hence the headline.
So, the Secretary of State wants us to believe that not implementing the UK_GDPR would have reduced the self-inflicted, Trussian, £40-£50 billion black hole in the UK economy by about half.
It does not take a genius to realise the 8% is an error – yet Ms. Donelan used it as if it were correct.
The Oxford research
The research is the first attempt to calculate the impact on firms’ profitability arising as a result of the implementation of the GDPR; this is a very valid objective. This objective is completely different to the publication of (bogus) DCMS numbers to justify the savings (about £1.5 billion over a decade) made by the Government’s implementation of the DPDI Bill (see references for my blog post on this false accounting).
To be fair to the Oxford research, it is a “Working Paper” (see references for URL); the research is not a finalised, peer reviewed, academic article. This alone is reason enough to say that the Secretary of State was very premature to quote a headline result from this Paper (the 8% loss of profits) without explaining its preliminary status.
One suspects, however, that more selective quotations will emanate from the Secretary of State about this research; hence the reason for this blog.
If this happens, the real problem is not the research (which is discussed below), it is the provenance of the research – Oxford University (see references for URL). Quite simply, the University’s prestige risks being used to cloak Ms. Donelan’s data protection changes with an aura of respectability.
Research methodology
In summary, the research methodology looked at 3 million balance sheets, predominantly of companies with more than 500 employees, from 2011 to 2017; these have been collated by the OECD across 62 countries. This is compared with a second grouping containing the OECD balance sheets for the same companies from 2018 to 2020. The GDPR was agreed in 2016 and became law in 2018.
As the balance sheets contain information relating to sales, profits and employment, the basic idea is that any significant divergence in profitability from year to year (like an economic shock to the system) can be put down to the costs of implementing the GDPR if, as the researchers claim, other significant effects/shocks such as COVID can be excluded (e.g. by an extensive data cleaning process).
Because the raw data include sales, the research estimates that the GDPR implementation has also reduced sales by 2%.
However, the important point is this: the approach calculates the financial impact of the GDPR directly from these balance sheets. There is no data protection input into the econometrics – only the assumptions underpinning the econometrics.
Questions: three assumptions
The research assumes the major difference between the two sets of balance sheets from OECD countries (i.e. from 2011-2017 and from 2018-2020) arises from the implementation of the GDPR. This assumption is unreliable.
As is well known, many OECD countries have data protection laws with standards that approximate to the GDPR standards. For example, compliance with Principles (e.g. security, accuracy, transparency) and the data subjects’ rights (e.g. of correction, erasure or access) often form important parts of national legislation based on OECD’s data protection guidelines (e.g. in New Zealand, Australia). This has been the case since 1980 when the OECD Guidelines were first published.
Therefore, to lay 100% of these costs (e.g. of dealing with security, data subject rights or auditing compliance etc) at the feet of the GDPR, when they also arise in legislation based on OECD Guidelines, is likely to over-emphasise the GDPR implementation costs.
The second assumption relates to the APEC Privacy Framework; these APEC privacy rules follow the OECD Guidelines and were published in 2015, and their implementation in the Asian-Pacific region would be at the same time as the GDPR (published in 2016). As the research makes no reference to APEC, what could have been measured by the research is APEC plus GDPR implementation costs together.
The third assumption is that OECD companies have not implemented the GDPR until it came into effect in 2018. However, large OECD companies often establish in the European Union; this means they would be required to meet the GDPR obligations (or even perhaps obligations under the earlier data protection Directive 95/46/EC) at a much earlier stage.
One suspects, therefore, that the second cohort of balance sheets used in the research to identify divergences covers too short a range. It should also have considered APEC implementation costs. If these two statements are correct, their combined effect would be to over-emphasise the headline GDPR costs on firms – hence the 8% is an over-estimate of the GDPR costs alone.
Questions: USA high tech companies
The researchers report that USA high tech companies experience no variation in profit or sales as a result of the implementation of the GDPR.
A likely explanation is that many of them (e.g. Google, Facebook) are established in Eire and were required to implement the GDPR much earlier. Indeed, because of the controversial Google Spain judgement in 2012, processing by Google in the USA was considered by the CJEU to be processing subject to the Data Protection Directive 95/46/EC.
In other words, this zero result recorded in the research could well arise because the cost of data protection compliance for USA high tech companies commenced from 2012 (and not in 2018 as assumed by most of the research).
As an aside, a “small” company as defined in the research has fewer than 500 staff (i.e. twice the size of the European Commission’s definition for a Small to Medium sized Enterprise). I suspect this point has been missed by Ms. Donelan, whose speech quoted above referred to a small business as one employing a handful of staff.
Questions: GDPR assumptions
Similarly, there is unsatisfactory commentary to explain the 8% figure in terms of GDPR implementation costs. For example, OECD firms trading with data subjects in the EU have “to appoint a DPO to oversee data management activities” or “are required to encrypt and anonymise any personal data it stores”.
This explanation is incomplete. DPOs are needed by firms but only when their processing presents high risks to data subjects (which is not the case for all firms). Encryption and anonymisation are not mandatory requirements; they need to be considered for implementation if their use would be both technologically appropriate and cost-effective.
Data breach reporting, picked out in the research, is a common feature of international data protection law, and is not unique to the GDPR.
Questions: consent
Also, the research places 2% of the loss of sales down to GDPR “consent” procedures (e.g. with respect to data sharing and third party marketing), thus overlooking the data protection implications of this conclusion.
As is well known, “consent” in Directive 95/46/EC was degraded to such an extent that practices employed by Cambridge Analytica (and in the UK Referendum) emerged. This created a scandal that still threatens to undermine or polarise the democratic process.
In the DPDI Bill, Ms Donelan is bent on replacing “data subject consent” (e.g. where the individual can control marketing and research options) with “legitimate interests of the controller” (where the controller is in charge). She has yet to describe how these changes will protect individual privacy from the pervasive internet surveillance practices, which will increasingly depend on “legitimate interest”.
Concluding comment
In her speech to Conservative Conference, Ms Donelan concluded: “I am an evidence-based politician and over the coming months you will see that I am not afraid to make tough decisions”.
By relying on these preliminary research results, it appears that Ms. Donelan’s evidence for data protection change is of a kind displayed on the side of that red Brexit bus.
Data Protection Courses (Winter 2023)
I am holding a day workshop on the changes arising from the Data Protection and Digital Information Bill on Thursday, January 12th, 2023 (by Zoom only). The fee is £250 + VAT per delegate. Program available from: info AT amberhawk.com
Because of continued uncertainty (e.g. weather, transport, COVID), the following BCS Practitioner courses can be attended in person, or via Zoom, or as a mixture (i.e. part Zoom, part attendance) just in case “stuff happens on the day”.
- The next Data Protection PRACTITIONER Course is in London on Monday 30th January 2023 - 3rd February 2023 (5 days: 9.30am to 5.30pm).
- The next Data Protection FOUNDATION Course is in London on Tuesday February 7-9, 2023 (3 days: 9.30am to 5.30pm).
As we are upgrading our Amberhawk website, full details of all the above courses can be obtained by emailing info AT amberhawk.com
References
Ms. Donelan’s speech: https://www.conservatives.com/news/2022/our-plan-for-digital-infrastructure--culture--media-and-sport
The Oxford University research: https://www.oxfordmartin.ox.ac.uk/publications/privacy-regulation-and-firm-performance-estimating-the-gdpr-effect-globally/
Government savings from the DPDI Bill: see DCMS fails to spend a penny to protect data subjects on https://amberhawk.typepad.com/amberhawk/2022/05/dcms-fails-to-spend-a-penny-to-protect-data-subjects.html
Google Spain CJEU Case C 131/12. The important point is that processing by Google USA became subject to Data Protection Directive 95/46/EC in 2012; costs of implementation of data protection can be assumed to start from that date and not from 2018 as the Oxford research assumes. Hence the zero result reported by the research.
Corporation tax receipts average about £55 billion over the last 4 years: see https://www.gov.uk/government/statistics/corporation-tax-statistics-2022/corporation-tax-statistics-commentary-2022