Policymaking and regulation at the centralised level in a union of countries such as the EU require care. Policymakers must strike a careful balance between the benefits of the harmonisation of policies and the costs of accounting for the differing preferences of individual countries (see Dewatripont et al. 1995).
This trade-off is at the basis of any cost-benefit analysis concerning decisions centralised at a union level.
An interesting example is emerging in the debate on the new European regulation on data protection, which represents an attempt to harmonise different national regulations on data protection and privacy (European Commission 2012). The new regulation seeks to create a single set of rules and introduces a number of new requirements to business and a new complex regulatory framework relating to the protection of individuals with regard to the processing of personal data.
In recent research joint with Greg Rafert from Analysis Group and Andrea Colciago from the University of Milan, Bicocca and the central bank of the Netherlands, we have contributed to the debate by evaluating the impact of the proposed EU data-protection regulation on small and medium-sized enterprises with a specific focus on the compliance costs associated to the direct application of the new regulation and to the indirect effects on job growth and business creation (Christensen et al. 2013).
As proponents of the regulation have noted, some of the proposed articles within the document will reduce costs for firms. For example, the ‘one-stop shop’ principle reduces some compliance costs by ensuring that data controllers and data processors that operate across countries are typically regulated by a single supervisory authority (though this is not the case for companies that happen to be both data controllers and data processors in different countries, for instance cloud-computing providers). Proposed binding corporate rules will potentially reduce legal ambiguity surrounding data transfers, and joint operations on the part of supervisory authorities will reduce bureaucratic burdens. There is an important effort in promoting secure data transfers, which is crucial for the development and the diffusion of cloud computing; however more needs to be done, for instance supporting and standardising a stronger and more transparent protection of data that are transferred outside of the EU for cloud-computing services. But while the proposed regulation contains some potential benefits for firms, there are significant costs as well.
Compliance with the proposed regulation poses a number of challenges for firms. The first challenge concerns the design of systems and procedures for data protection. In particular, under the proposed regulation, firms must develop data-management systems that allow for greater flexibility such as the right to data portability (i.e. the right to transfer data from one electronic processing system to another), as well as the right of data subjects (identified natural persons) to obtain personal data in a structured, commonly used electronic format. In addition, data protection impact assessments must be incorporated into IT project management so that firms can identify and mitigate specific risks associated with the processing of personal data.
Another major challenge is the designation of a data-protection officer. All public-sector bodies and enterprises with 250 or more employees, as well as small and medium-sized enterprises whose core activity involves the monitoring of data subjects, will be required to designate a data-protection officer. The controller (the entity that determines the purposes, conditions and means of the processing of personal data) and the processor (the entity that actually processes personal data on behalf of the controller) will be subject to different obligations and, possibly also to different supervisory authorities. Controllers and processors will have to ensure that their data-protection officer are involved in all issues that relate to the protection of personal data and maintain detailed documentation on all processing operations, a process which very likely will increase the companies’ costs. Other substantial costs of the regulation will be associated with the compulsory notification of any data breach to the supervisory authority within 24 hours and without undue delay to the data subjects. This will be very demanding, especially for non-serious data breaches. Together, these and several additional articles will result in additional added costs for firms, depending on the type and amount of information processed.
Costs to small and medium-sized enterprises
Our research seeks to determine the impact of the EU data-protection regulation, considering both the expected costs and benefits. To do so, we first estimated the direct costs likely to be incurred by small and medium-sized enterprises. Each article within the regulation was reviewed, and only articles deemed to have significant costs or benefits were selected. Where possible, we used the EC Impact Assessment on the reform of the data protection regulatory framework report as a starting point for our calculations. Baseline costs and benefits were reviewed and modified based on third-party research to estimate the cost of each article group to an small and medium-sized enterprise. Using this methodology, we estimate that the average small and medium-sized enterprise in the EU can expect its annual costs to increase by between approximately €3,000 and €7,200, depending on the industry in which that small and medium-sized enterprise is located; this represents between 16 and 40% of current annual small and medium-sized enterprise IT budgets. These estimates suggest that the net compliance costs are large and, most of all, larger than what could be expected for instance from the evaluation of the Impact Assessment prepared by the European Commission.
However, beyond these direct costs, there are indirect macroeconomic costs that are more difficult to measure, due to the impact that these additional costs have on the process of business creation and job creation. Based on the above estimates, we have simulated the impact of the EU data-protection regulation on business and job creation. Our simulation shows a substantial negative impact of the introduction of the EU data-protection regulation on business creation and employment. The reduction in employment and the number of operating firms is most severe in those sectors where compliance with the EU data-protection regulation will imply higher operating fixed costs for firms. For example, the effect is stronger in sectors where a large fraction of firms will be subject to the designation of a data-protection officer, which is mostly service sectors. Among the macro-areas that we have considered, the main impact is in those including real estate and other business activities, which may experience a decline in employment above 0.2% and a reduction in the number of market competitors above 3%. These estimates suggest that also the indirect costs of the regulation could be larger than what could be expected from the evaluation of the Impact Assessment prepared by the European Commission.
Christensen, L, A Colciago, F Etro and G Rafert (2013) “The Impact of the Data Protection Regulation in the E.U.”, Intertic Policy Paper.
Dewatripont, Mathias et al. (1995), “Flexible Integration: Towards a More Effective and Democratic Europe”, Monitoring European Integration 6, CEPR.
European Commission (2012), “Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)”.