back to article Europe's data protection laws cut data storage by making information-wrangling pricier

Europe's General Data Protection Regulation (GDPR) has led European firms to store and process less data, recent economic research suggests, because the privacy rules are making data more costly to manage. In a paper titled "Data, Privacy Laws and Firm Production: Evidence from the GDPR," distributed this week via the National …

  1. Anonymous Coward
    Anonymous Coward

    Cloud Multipass proposal

    There is a huge redundancy in handling personal information. Every service provider asks for an ID, proof of address, bank details etc. For many people all those details are already stored in their email accounts or smartphone-related storage. What happens is the data is unnecessarily replicated to badly managed business storages of all kind. This also keeps alive lots of redundant IT support businesses.

    Large cloud providers together with governments should form a consortium to unify such PII storage types, so the PII can be kept in one or few user-chosen *special provider* storages. Typically those would be Google, Apple, Amazon, Microsoft, but could be other providers certified for well managed security and to stimulate competition. Existing solutions such as Google Drive, S3 etc can be the basis for the service.

    Non-provider businesses will not store PII, only basic identifiers, like business-related account number, email and phone number. Each business has to register to access PII super-storage with access logged and users notified on each access. Businesses will pay reasonable fees for each access, which will be a monetary motivator to limit excessive usage, but also will pay for service maintenance. Any business can upload necessary additional data to the storage, but cannot access it later without user authorization. Users will be able to authorize over the smartphone. Documents can have hashes and time stamp to avoid content manipulation.

    Identify theft can be eliminated by immediate comparison of personal IDs across consortium providers. For example, instantly alerting if someone uses your passport photo to open an account in your name. Well, intelligence services might dislike the idea for impossibility to issue fake IDs.

    1. Dan 55 Silver badge

      Re: Cloud Multipass proposal

      That's a very brave proposal, AC. First it concentrates everyone's PII into the Big Tech oligopoly and gives them all the data they need for their advertising business that nobody else has. Second none of the corporations you propose are based in the EU and so they are beholden only by Safe Harbour, Privacy Shield, Privacy Figleaf or whatever it's called this year.

      If someone wanted to try and render GDPR worthless and make everyone in the EU more dependent on US cloud, that would probably be the way they would go about it, so this proposal should be stored in the round filing cabinet.

      1. Anonymous Coward
        Anonymous Coward

        > it concentrates everyone's PII into the Big Tech oligopoly

        The data has already got concentrated by Big Tech. In the proposed system they will be obliged to access the data on same basis as everyone else, log, request permission, alert the user. The proposed services can be separate from Big Tech main business by law, with data localized per country. As for dependence on US cloud - when will EU cloud get sufficiently competitive, like Airbus? Besides any EU cloud provider can join the consortium. The consortium itself is about common standards, not to reinvent the wheel.

        1. Anonymous Coward
          Anonymous Coward

          Re: > it concentrates everyone's PII into the Big Tech oligopoly

          How will this remove these companies need to store, process PII and be GDPR compliant? As long as they need access to any of this data they still need to be compliant and all the costs that come with it. If they don't want the costs, they need to change the business they are in.

        2. Dan 55 Silver badge

          Re: > it concentrates everyone's PII into the Big Tech oligopoly

          In the proposed system they will be obliged to access the data on same basis as everyone else, log, request permission, alert the user.

          And how would this cost be offset? We all know how Big Tech and PII works - either it gets sold to third parties or third parties pay them to target a campaign based on selection criteria.

          The proposed services can be separate from Big Tech main business by law, with data localized per country.

          No it can't, see the CLOUD Act.

          The consortium itself is about common standards, not to reinvent the wheel.

          The consortium itself doesn't exist and shouldn't exist.

      2. Doctor Syntax Silver badge

        Re: Cloud Multipass proposal

        "all the data they need for their advertising business"

        There's another thing. If anyone wants me to view their advertising I'm prepared to do this provided I'm paid for my time which I price fairly high. There is, of course, very little likelihood that I'll but what they're advertising and a very considerable likelihood that I'd avoid it.

      3. EricB123 Bronze badge

        Re: Cloud Multipass proposal

        "make everyone in the EU more dependent on US cloud"

        Uh oh, The Continent is starting to push back against the US.

    2. Doctor Syntax Silver badge

      Re: Cloud Multipass proposal

      user-chosen *special provider* storages. Typically those would be Google, Apple, Amazon, Microsoft

      I wouldn't trust any of them to be the digital me that this implies, no more than would I trust anyone else who offered themselves to play the same role.

    3. localzuk Silver badge

      Re: Cloud Multipass proposal

      Ah yes, putting all your eggs in one basket never causes any issues does it?

    4. Rol

      Re: Cloud Multipass proposal

      I agree with the principle of personal data being stored in one place, but then you argued the gatekeepers should be the very organisations that have demonstrably abused that data again and again.

      It makes a lot more sense that my personal data is stored only on a server located in the UK and I give explicit permissions to others for a range of limited access.

      eg. When I open a new bank account I point them at my data. The server contacts me to advise the bank is requesting access to my data, and I give explicit permission for a one time access to x,y,z (proof docs that I am who I say I am, etc) and lifetime access to a,b,c (address, phone number, etc). The bank will never be allowed to store any of that data. It stays on my appointed server, and they access it as and when they need it, to say, email me, or write to me. I therefore have my very own auditable log of who's been accessing my data. And I only need change my details if I move house on that one server. No need to tramp around dozens of organisations updating my details.

      Question is. Who in the UK would I trust to look after my details.

      1. The man with a spanner

        Re: Cloud Multipass proposal

        The obvious answer is the banks as they at least are used to dealing with transactions securely.

        Yes, I know this is imperfect but I cant think of anyone more suited to the task

      2. Anonymous Coward
        Anonymous Coward

        Re: Cloud Multipass proposal

        Quite the opposite, many are proposing decentralizing personal data, managed by the data’s owner, through blockchain and smart contracts

  2. Mike 137 Silver badge

    Privacy?

    "Past research suggests that the privacy afforded consumers under GDPR is mostly beneficial, but can be detrimental when a monopoly is involved."

    Judging by the abstract, the paper ('Privacy Rights and Data Security: GDPR and Personal Data Markets') considers privacy breaches as equating to data leaks. This is the most common (and excessively narrow) interpretation of privacy to be applied to the Regulation. But the Regulation clearly expresses that privacy means data subject control over the processing of their data, so its definition is much wider -- including, for example, the right to object to specific processing on the basis of ethical grounds. So in principle if I object ethically to some social media platform I have a right under the Regulation to complain against any business that passes my personal data to it without giving me a prior opt-out, or to object to a business profiling my activities without my consent. Unfortunately, businesses have in general ignored this, and regulators have tended to refuse to act when alerted to such breaches of broader data subject rights. Consequently the Regulation has effectively been neutered as a real protection almost from day one because nobody has taken seriously the fact that the GDPR is human rights law relating to data, not data law.

    1. Anonymous Coward
      Anonymous Coward

      Re: Privacy?

      Good point.

      In my experience implementing GDPR does have a cost for any company which wasn't taking privacy very seriously but once it's there it costs virtually nothing. Of course any company starting in recent years should have been designed with GDPR in mind from day one which means it should effectively be free. In fact if GDPR means storing less and then less processing on the data you haven't got then it might actually be cheaper in the long run...

      Seatbelts and airbags also cost money but I wouldn't want to be without them now that I've got them.

  3. Anonymous Coward
    Anonymous Coward

    "Europe's General Data Protection Regulation (GDPR) has led European firms to store and process less data".

    This is a good thing, companies should not be endlessly hoarding personal data. Same with the "pay or OK" dilemma. It's not a dilemma, the GDPR is working as intended to protect data subjects.

    If a business cannot exist without the unlawful and unethical exploitation of data subjects then in the public interest is should close.

    Shareholders should not be the number one consideration in evey matter regarding business. If they lose out for investing in an unlawful unethical business then they should lose their money.

    1. AMBxx Silver badge

      The cost savings appear to assume that there was no benefit to holding the information. Doesn't sound likely.

      The missing cost is having to monitor all of this to ensure compliance.

      1. Doctor Syntax Silver badge

        Don't forget the cost of not complying. The more data is held the more there is to lose in the case of a leak.

        We should be well past the stage where the cost to the leaker is a year or five years or whatever of "monitoring" by some business which is itself a data hoarder. If the leaked data enables bank fraud the leaker should pay the losses. If every data subject has to spend hours or days rearranging their affairs they should be paid a fairly generous sum for their time doing that. If someone loses their house or their livelihood as a result of the leak that should also be made good. At present these costs are likely to fall on the data subject. They should fall on the leaker, together with any legal costs the data subject incurs in claiming them. In principle companies should be looking at the prospect of being wiped out by a leak. In practice they'd probably insure but the insurers would undoubtedly take a close look at the risks they were insuring and charge accordingly.

        TL;DR PII should be regarded as potentially toxic waste. The more you hold the more you have to spend onf containment.

      2. that one in the corner Silver badge

        > The cost savings appear to assume that there was no benefit to holding the information. Doesn't sound likely.

        If you're not concerned with any privacy implications, it is (initially, at least[1]) dirt cheap just to grab every bit of PII you can and hang onto it, rather than spending time & effort trying to decide if there really is any benefit to you from hanging onto that data: it looks juicy and interesting, we'll think of a use for it.

        A lot of stuff, of all sorts, gets hung onto without any benefit, or the apparent benefit evaporates. Haven't you ever been a part of the occasional "emptying of all the cupboards and dusty storage bins" in the office/factory?

        [1] as time passes and the company/clients/customers increase the unnecessary information can take up enough space to become notable - by which time it continues out of habit, assuming *someone* knows why it is being kept around.

    2. T. F. M. Reader

      Handling extra costs

      I don't think unlawful/unethical practices are necessarily implied. There is extra compliance-related cost even if you operate completely withing the laws of the land and the laws of ethics, and that's the point.

      If you act illegally and are caught you'll be fined which is additional cost, the cost of lack of ethics is not regulatory but is real nonetheless. A related point is that shareholders' value is the number one (and ultimately the only) consideration in every matter regarding business, as long as everything is legal and ethical. Note that the above does not mean you are wrong: the difference is that you seem to assume that businesses necessarily engage in illegal and/or unethical practices and I don't, that's all. You are quite right about illegal/unethical businesses, but the good guys - still the majority hopefully - also pay extra to be compliant.

      Companies will not (necessarily) change their processes w.r.t. data and storage, especially if they decide for one reason or another (good or bad) that the data are useful. They will notice that their operational costs are higher and will pass the costs to their customers. One may or may not consider it fair (my privacy, as protected by GDPR, comes at a cost and I am willing to pay it, etc., etc.).

      Or maybe companies will cut some data - if they decide that the data are not worth it - and reduce the cost without price increases. The article seems to say that is the case at least in some cases.

      1. Doctor Syntax Silver badge

        Re: Handling extra costs

        "but the good guys - still the majority hopefully"

        I know you're thinking about businesses as a whole but you have to extend this to the people who work there. How far back do you have to go through el Reg articles to find a report of someone, possibly in public service roles who turned out not to be one of the good guys? If you collected this toxic waste on the basis that it's of value to the shareholders you'd better contain it very safely. If you don't then your shareholders should expect to be heavily penalised for your failure. At the very least they'll expect you to have insured against it and in turn your insurers will be weighting up the risk and charging you for it. Non-compliance shouldn't be a free ride.

    3. uccsoundman

      "If a business cannot exist without the unlawful and unethical exploitation of data subjects then in the public interest is should close. Shareholders should not be the number one consideration in every matter regarding business. If they lose out for investing in an unlawful unethical business then they should lose their money."

      Obviously not an American. In the USA, unlawful and unethical is the very definition of business. When I was in Business school, a professor said "You know what they call people to obey the law? LOOSERS!!!, Soon to be bankrupt and unemployed. And Shareholders are GODS and their profit is the ONLY consideration. They can do anything they want, any time they want, to whomever they want, so long as it makes a profit. The government and the courts will back them all the way.

      1. 0laf

        Not American. But have done US based training and indeed legal non-compliance and fines were simply to be considered a business risk and or expense. The ethics of actions leading to that situation were not even a consideration.

      2. Tim99 Silver badge

        What do they set loose?

  4. Andy 73 Silver badge

    Law of unintended consequences

    So you make "doing business" 20% more expensive in an attempt to reduce competition from the big American companies... how's that working out?

    Or alternatively, this is about privacy and encouraging users to have control and receive value for their data... again, how's that working out?

    This has basically shifted revenue over to an entire class of compliance officers and consultants that spend most of their time trying to reduce functionality.

    1.7 million for an SMB? Just wait until they add in compliance for AI regulations.

    1. Doctor Syntax Silver badge

      Re: Law of unintended consequences

      So you're saying the data subjects should bear the cost of the businesses careless losses of hoarded data?

      1. Andy 73 Silver badge

        Re: Law of unintended consequences

        Nope, I'm saying that an overly vague and poorly considered regulation turns out to be both ineffective and expensive - achieving few of its stated goals.

        1. localzuk Silver badge

          Re: Law of unintended consequences

          It isn't overly vague or poorly considered. Its clear and very well regulated... That's kinda the point of it.

      2. Evil Scot Bronze badge

        Re: Law of unintended consequences

        But it is not just Data subjects that are losing out.

        Those companies that are taken in by the "Big Data" lie are being taken for a ride. Web tracking collects data about sites I have visited. But not why.

        So I do research for replacing a do-lally Dolby digital receiver. find one with the right connectivity. Collect it from store.

        Facebook: You interested in a Denon Hi-Fi?????

        Me: Not any more.

        The only way big data has worked for everyone is "People who listened to x listen to y." Which has resulted in me purchasing tea from Professor Elemental (Not a euphemism) and also, whilst wearing a kilt, getting on stage with the Prof and shooting a confetti cannon over the audience (Also not a euphemism).

        BTW: Are you the same Dr Syntax that has collaborated with Elemental?

        1. Doctor Syntax Silver badge

          Re: Law of unintended consequences

          "Are you the same Dr Syntax that has collaborated with Elemental?"

          You need to consult mine onlie begetter Thomas Rowlandson.

    2. localzuk Silver badge

      Re: Law of unintended consequences

      Reducing competition from the US was not even slightly a consideration of GDPR. GDPR is about privacy and the rights of citizens.

      US companies have to comply with the same law if they operate in the EU, so the playing field is level. Well, other than US law being incompatible of course.

  5. Doctor Syntax Silver badge

    Although it might appear unrelated I'd like to think that the Post Office scandal would be the trigger for something like a Cyber Harms Act.

    The principle would be that any harm a mistake by an online system should be made good by the system operator in full and that would include ongoing harm during any delays, interest and any legal costs incurred by the victim in demanding satisfaction. In the event of bankruptcy the victims would be first in line with the possibility of chasing directors' personal wealth.

    1. WanderingHaggis

      Sounds good but ...

      The laws for handling the P.O. scandal already exist: starting with contempt of court, perjury, plus other things that a lawyer can update you on. In the end the problem was not the tech failure but the cover up and deceiving the courts. P.O. management, Fujitsu management and the experts who said everything was secure should be charged and not allowed to hide behind the corporation..

      1. Doctor Syntax Silver badge

        Re: Sounds good but ...

        Criminal legislation tells you what not to do. What's needed is legislation that tells you what to do when you get something wrong, irrespective of whether it was deliberately, negligently or anywhere in between. Lack of that allows the gross foot-dragging we're seeing in operation there.

  6. naive

    GDPR is not enforced in most countries

    Here in the Netherlands, there is no enforcement at all of GDPR or, for that part any other laws that don't bring in juicy fines when normal citizens are caught.

    Unless they kill people or blow up their surroundings, companies in the Netherlands can do what they want, all the agencies that are supposed to check if they are compliant to regulations, exist in name, but don't have any meaningful staff to investigate on a sufficient scale.

    Another indication that GDPR is neither enforced or respected is the wide spread use of US based cloud services, which are by US law not GDPR compliant.

    1. Anonymous Coward
      Anonymous Coward

      Re: GDPR is not enforced in most countries

      It is worse than that. Most tech-savvy commentators here have no clue how to enforce it, but think GDPR will work by magic somehow.

  7. t245t Silver badge
    Big Brother

    Grotesquely dysfunctional redundant rubbish (GDPR)

    To comply with GDPR, EU firms have had to adopt measures that are the equivalent of a 20 percent increase on average in the cost of data.

    How does it cost more to not do something. The only effect I've seen with GDPR is endlessly clicking on “allow cookies”.

    1. Dan 55 Silver badge

      Re: Grotesquely dysfunctional redundant rubbish (GDPR)

      Then you've not seen any effect with GDPR because cookie banners are from the ePrivacy directive.

      So that's being unobservant over two laws...

  8. Stoic Skeptic

    Training Data

    Will this put EU organizations at a disadvantage when it comes with the amount of data used to train AI models?

  9. Anonymous Coward
    Anonymous Coward

    For Example.......

    Link: https://www.theguardian.com/technology/2017/jul/03/google-deepmind-16m-patient-royal-free-deal-data-protection-act

    Clear breach of GDPR in the UK.

    Result: Nothing, nada.....no fines, not even a slap on the wrist!

    Discussions like this are exacltly like the age old question: "How many angels can stand on the point of a needle?" Meaninlgess argument while millions of citizens have their data stolen!!!!

    Let me see MANY C-level executives in jail.....Let me see million pound or million Euro fines......then I might just start to think that GDPR is more than bad joke!!!!

    1. Anonymous Coward
      Anonymous Coward

      Re: For Example.......

      Indeed. GDPR is treating symptoms instead of disease. It addresses the problem of legacy PII handling, not the future.

      Most small and medium businesses do not understand GDPR. Cybersecurity is an obstacle to run their business, and they mostly ignore it. They just take a photo of your passport with a personal smartphone and upload it somewhere, where it will probably exist forever until leaked.

      Instead a full solution should be provided to all of them and a BIG warning "Do Not Collect Any PII", or your license will be cancelled should be sent to every business owner. The solution should be provided by competing companies, so that no business is locked into bad software, like it happens with no-alternative online gov services.

      Law makers mostly produce laws. They are not solution-oriented.

      1. Anonymous Coward
        Anonymous Coward

        Re: For Example.......

        @AC

        Quote: "Law makers mostly produce laws."

        Ah, AC, you are simply too generous......a good characteristic, to be sure.

        But usually we hear "law makers" saying something like this: "We are doing something".

        Yup...."something" at the rate of £80,000 per annum for an MP......

        .....plus, of course, the occasional(!) Fortnum and Mason's bag stuffed with "folding".....

        So, so good to be "working" in SW1!!!

  10. John Smith 19 Gold badge
    Unhappy

    Ever read Bill Gates?

    Because (years ago) Gate theorised people would accept a small loss of privacy in return for a "micro payment" for the use of their personal information.

    Which is the sort of Adam Smith trade-something-you-have-for-a-benefit-you-want idea that seems reasonable.

    But IRL they just took the data and paid nothing.

    So if the GDPR forces every business to think twice about collect just 1 piece of information about someone I reckon that's pretty worthwhile.

  11. BinkyTheMagicPaperclip Silver badge

    Less data stored is the entire point of GDPR!

    I've very mixed feelings about GDPR.

    Data can only be stored for defined purposes for as long as required to achieve those aims. Given that some types of data are only legally required by the authorities for the past <n> years data shouldn't be kept for longer than that, and that results in lower storage costs.

    Having implemented clear down for various customers it's not straight forward either, particularly if the functionality isn't built in to a pre GDPR product. Ensuring data are cleared down, it doesn't impact on performance, data aren't prematurely cleared down due to customer mistakes, and ideally that there is a (temporary, which is itself shortly cleared down) log that a clear down occurred for instances when data are incorrectly marked as old, cleared down, and the customer asks where the data have gone..

    However, whilst GDPR is a worthwhile principle, legally mandating it is the point at which my enthusiasm fades. Companies who do the right thing will do the right thing regardless. The cowboys will continue to flout it and the punishment is, precisely what, exactly?

    It's added another layer of useless cruft to the web, and again, sites that don't apply GDPR properly are very rarely corrected.

    Not to mention that the government, perhaps the prime target to apply the GDPR properly, have exceptions, routinely flout the rules, and don't apply it. Remember the DVLA contacting every holder of a HGV license to ask if they wanted to drive trucks again? Certainly illegal under the GDPR, but they did it anyway. Witness the obscured and redacted ongoing dodgy Palantir contract with the NHS. Etc.

    1. Anonymous Coward
      Anonymous Coward

      Re: Less data stored is the entire point of GDPR!

      From my perspective GDPR does not merely impact the web. The existence of the law means that should things go wrong and a leak hit us we can expect no mercy for storing more then we should.

      1. BinkyTheMagicPaperclip Silver badge

        Re: Less data stored is the entire point of GDPR!

        That shouldn't be a problem though? There was plenty of notice, and there very probably still is time to do so before any potential disaster hits.

        To give work credit, although they're not perfect we do take things quite seriously. Every year has been an improvement in data storage and security. Far, far better than a decade ago (but we were then owned by another company who had less stringent standards, and insufficient interest in improving them).

        The slightly depressing part is that although we offer GDPR provision for every customer, only a small subset have requested it to be set up.

        There is also a degree of self interest. For some customers we're actively pruning historic data, not because of GDPR, but because regular penetration tests and security audits are such a huge pain for legacy customers it's to our advantage to get rid of legacy systems. Which admittedly does make all this testing pretty useful.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like