Now that we have discussed the economics of data privacy, people’s behavior towards data

privacy, the costs, and benefits of disclosed, undisclosed, and protected data on both firms
and consumers and have further analyzed the real-world implications of a strict data privacy
regulation, it is time to reflect on our findings and infer what provisions are necessary to
establish an optimum data privacy regulation that ensures its primary purpose of securing
the data of the consumers, while also facilitates the economy rather than inhibit it.

Addressing the behavior of the consumers.

As we have observed the privacy paradox in section XX, we have come to the findings that
users don’t have congenital data privacy concerns but rather their concerns have evolved as
a consequence of using data sharing applications, along with it is observed that people are
easily ready to forego their data privacy in exchange for trivial incentives. This is later also
observed in section XX that 87% of users want data privacy, which further strengthens the
premise of the privacy paradox that consumers want their data to be protected, but it is also
seen that these consumers are not taking sufficient steps to ensure these wants. Thus we
need a regulation that takes these steps for them, the regulation must provide a
comprehensive way to seek the consent of the consumers for their data but must also make
sure while doing so it minimizes the opportunity costs as illustrated in section XX.

Weighing the costs, and benefits of disclosed, undisclosed, and protected data.

While analyzing section XX, it has to be made clear that there is no winner or stand out
among the available options, which are disclosed, undisclosed, or protected data. For an
efficient regulation which as mentioned also has an optimum economic function, we have to
find a perfect balance among the three. Disclosure of data is necessary as illustrated in
section XX but it has to be in a manner that will not lead to consumer disadvantage also it
must prevent security mishappenings by encouraging encryption of data, limiting the scope
of storage and distribution. Nondisclosure and protection of data also come with the
humongous opportunity costs as observed in section XX, the regulation must try to minimize
these while exemplifying the positives.

Key takeaways from GDPR.

As mentioned earlier the GDPR has given us an amazing opportunity for a cost-benefit
analysis of the implications of strict data privacy legislation for a sovereign economy.

The main observations we have inferred are.

Compliance costs: It is essential that a privacy regulation have accommodating compliance
and maintenance costs, especially for small-scale industries and companies. As observed in
the case of GDPR the compliance costs incurred by the companies are humongous, big
companies are generally able to bear the costs of these new regulations and still profit but it
has been observed that small companies struggle to thrive which has led to their exits from
the market.

Regulation helps the startup culture rather than diminishes it: Empirical data has suggested
that stringent regulations bear a negative effect on the startup culture of an economy, this is
detrimental the regulations must be framed in such a way that it is lenient and encouraging
towards the startup economy.
Another important takeaway is that the legislation has to help in the development of the
economy and increment of revenues of the companies in the marketplace, this has not been
the case of GDPR as empirical data suggest in section XX there has been a considerable
decrease in revenues of industries, this phenomenon has to avoid at any costs especially for
developing economies.

Another indirect inference from the GDPR is that new regulations must always take a global
stand so that companies do not have to adapt and spend additional expenses to comply with
each new regulation in the zones and countries that they are operating, a more neutral and
universal form of regulation must be encouraged.

But a positive takeaway from GDPR is that the regulation has increased the trust of
consumers, as also observed in section XX. It has also protected companies from data
breach costs by limiting their liabilities.

Additional information:

The aforementioned points are not exhaustive, these are inferences from the research that
has been undertaken, there can and are many additional suggestions that might help in the
making of an “ideal data privacy regulation”.

India

The Data protection bill 2019 is an attempt by Indian policymakers to upgrade India’s Data
privacy regulations after the Supreme Court in the Puttaswamy judgment declared that the
Right to privacy is a fundamental right.

The regulation is a good effort towards data privacy regulations but it does bring with it
certain inefficiencies. As in the previous section we have established a blueprint for an “ideal
data protection regulation” which will have the most optimum function of security while
ensuring that the economy is flourishing, we will now comparatively analyze the data
protection bill 2019 with this blueprint to find out where the proposed legislation is lacking.

Not based on any empirical data.

The first problem that has arisen is that the understanding of the tradeoffs between
consumers and service providers that have been conceptualized is not based on any
empirical data. The Srikrishna committee which brought forward the first draft of the bill did
not conduct empirical research or study evaluating the conditions under which consumers
will be satisfied or willing to tradeoff data for the exchange of services. Consumer behavior
has not been analyzed sufficiently, the bill has tried to secure privacy without necessary
evidence of its relevance to the users, this is rather detrimental as it will lead to
consequential problems as illustrated below.

Does not address the privacy paradox.

In section XX we have concluded with the relevance of privacy paradox while regulating data
privacy. Due to a lack of empirical research, this issue has not been addressed. Consent is
made an unnecessarily important part of the data security system. This over-emphasis on
consent is detrimental, as already established in section XX even though consumers want a
higher data security standard but are provided with an option to evaluate the standards
themselves they choose to ignore it. Therefore even though the bill includes the provision for
seeking the explicit consent of the consumers, it will not help in enhancing data privacy. Also
according to a study 2011 the average time spent by consumers while going through privacy
policies while installing software is 6 seconds, this time is not sufficient to form a
well-informed consent, and even if consumers started going through all the privacy policies
before providing consent, this will lead to enormous opportunity costs of up to 800 billion
dollars as mentioned in section XX. Hence this ver reliance on “consent” by the regulation is
not ideal.

Detrimental towards small-scale industries and businesses.

The privacy protection system that has been introduced in the bill will lead to a manifold
increase in the compliance costs for small-scale industries and private businesses. All
sectors of the economy will be regulated by the bill, this new regulation will establish new
compliance costs to a large section of business, that is any sector that is dealing with data or
data processing. Compliance costs are to be borne by all companies whether large or small
apart from the few exempted ones such as journalistic research. As illustrated in section XX
large businesses tend to accommodate these compliance costs and manage to earn profits
but small scale industries will succumb to these new financial expenses And give that in
India a vast majority of businesses are small scale (most firms in India are classified as
micro-enterprises, citation), Such compliance requirements would be especially damaging
for them and will also reduce their competitiveness.

Detrimental Economic aspects

The effects of high compliance costs on businesses in the EU due to GDPR has been
described in section XX, but it is important to note the economical difference between the EU
and India, India being a developing economy unlike the European Union requires higher
investments, industries, and startups. There have been several market exits by major
companies in the EU post GDPR.
The bill has also mandated data localization for Indian businesses. Even though there are no
exclusive economic benefits arising out of it businesses will have to invest in multiple
degrees of data localization. Research from 2014 (citation) has suggested that data
localization will hurt the GDP of countries like India and Brazil, the same study has
suggested that domestic investments will shrink by 1.4% as a consequence.
According to a report by the Ministry of justice of the UK, the post GDPR cost for the country
for the next 14 years will amount to a total of 2.1 billion GBP This type of expense for a
developing economy like India are not fruitful. By introducing stringent compliance costs the
bill is inhibiting economic growth, the Indian economy cannot afford this.

Improper limitations to undisclosed data and indifference towards technology evolution

The bill has introduced multifarious limitations on data processing, this might on the face of it
seem like necessary protection of data but will lead to over-regulation, and improper
utilization of data which, is essential for the growth of the economy as observed in section
XX. The bill rather than providing distinctive circumstances where data processing is harmful
has chosen to cover all major data processing activities in a broad veil of scrutiny.
The bill fails to take into account the evolving nature of the digital economy, it fails to
distinguish between conventional analysis and machine-based AI analysis. It also fails to
take into account the concept of decentralized blockchain systems and only refers to
centralized blockchain systems. The broad classification of technology and the indifference
towards identifying new and evolved variations will prove detrimental to the holistic use of
undisclosed data.

Does not take a global approach.

The bill fails to account for the global impacts that it might have on multinational businesses
based in India. Especially those companies for which the Data protection bill and GDPR will
overlap. India’s share in the IT-BMP industry in European Union is about 200 billion dollars.
The bill provides exemptions to the Indian Government to access personal data from data
regulators. Since India is a global IT hub, where the European Union accounts for 11% of
India’s IT services market and the United States of America and United Kingdom account for
62% and 17% respectively has worried these countries that the Indian Government now has
the power to access data of their citizens. Even though the Government might not exercise
these exemptions without proper procedure, they have certainly caused caution in the minds
of these countries and global data regulators. The IT industry has sought a re-evaluation of
these broad exemptions as they believe they might negatively impact the 200 billion dollar
industry.