First we had the US administration influencing the European Commission’s drafting of privacy legislation, then we had the lobbying onslaught and the “lobbyplag” scandal. Now, we have absurd and misleading “studies” that make wild assumptions in order to come to outlandish conclusions regarding the “cost” of data protection. In the most recent example, the European Small Business Association launched a study on the alleged costs of the data protection reform at a breakfast (where, symbolically, no breakfast was served) in the European Parliament on 8 May.
A data protection officer would cost between €3-7k per yr for a typical #SME, or 16-40% of IT typical IT budget
— Sean Kelly MEP (@SeanKellyMEP) May 15, 2013
The words “assume” or “assumption” appears over 50 times in the report of 45 pages. Assumptions that were made include the reliability of a study by the UK’s Direct Marketing Association, on which some of the calculations of the “research” were based.
The study – from a leading association lobbying against the Regulation – came to the conclusion that impact of the proposed Regulation on direct marketing would be 330.98% of the total entire annual budget for direct marketing in the United Kingdom – and a saving of around 750 pounds per UK citizen on unnecessary purchases! The DMA’s calculations were not based on any detailed analysis of the business practices that would be impacted. Instead, the calculation was based on estimates of the costs made by companies that were polled by the DMA in 2012.
Perhaps, as the analysis was based on estimates by companies that will be directly impacted by the Regulation, the figures should be nonetheless taken seriously? Unfortunately not. In May 2013, a study by the UK Information Commissioner’s Office found that 87% of British businesses were “unable to estimate the likely costs of draft proposals to their businesses”. If a Member of the European Parliament is relying on estimates of costs from vested interests that demonstrably do not know what the costs might be, is it any surprise that the amendments being tabled and adopted in the European Parliament are so extreme?
Another assumption is the incompatibility of current SME software with the rather simple obligation to permit data portability. The obligation in the proposed Regulation is simply, “where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject” and the ability to “transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn.”
The authors of the study – on the basis of unknown analysis – assume that “under the proposed regulation”, firms must “develop data management systems that allow for greater flexibility such as the right to data portability.” If we assume that there are no commonly used electronic data processing systems, then the proposed Commission text will cover no companies at all, and the cost will therefore be zero. If, on the other hand, we assume that “commonly used” data processing systems are “commonly used”, then it will be common that the companies in question will not need to invest in those systems because they are already using them!
ICO study: http://www.ico.org.uk/news/latest_news/2013/~/media/documents/library/Data_Protection/Research_and_reports/implications-european-commissions-proposal-general-data-protection-regulation-for-business.ashx
ESBA study: http://www.intertic.org/Policy%20Papers/CCER.pdf
DMA study: http://dma.org.uk/sites/default/files/tookit_files/putting_a_price_on_direct_marketing_2012_0.pdf