Balancing Privacy Regulation With Innovation and the Needs of Small and Medium-Sized Businesses

Personal privacy is important. Some of us need at least a couple of hours of it every day just to function. However, too much privacy can also be harmful because, at its core, privacy means isolation. As the American writer Ralph Waldo Emerson wrote in Solitude and Society:

Solitude is impracticable, and society fatal. We must keep our head in the one, and our hands in the other. The conditions are met, if we keep our independence, yet do not lose our sympathy…We require such a solitude as shall hold us to its revelations when we are in the street and in palaces; for most men are cowed in society, and say good things to you in private, but will not stand to them in public. But let us not be the victims of words. Society and solitude are deceptive names. It is not the circumstance of seeing more or fewer people, but the readiness of sympathy, that imports; and a sound mind will derive its principles from insight, with ever a purer ascent to the sufficient and absolute right, and will accept society as the natural element in which they are to be applied.

Simply put, we should strive for balance. For this reason, even in parts of the world where privacy is considered a fundamental right, that right is not absolute. Wise men and women have long recognized that sometimes even a fundamental right must give way to other considerations. Nothing could be more true as we sit at the precipice of the fourth industrial revolution: a digital age that will blur the lines between the physical, the digital, and the biological. 

With good reason, many worry about what this next age will bring. Commentators demand that forward-looking laws be enacted to protect against so-called acquisitive and exploitive corporations. Without question, even well-intentioned businesses should be regulated. But how much can businesses be regulated before innovation is stifled and that new age with all its promised cures and fixes becomes little more than smoke? 

The fact of the matter is that the world is facing numerous, urgent crises that mankind will not be able to solve without the assistance of technology—particularly artificial intelligence (AI). The reliable AI that we need to address these challenges is (or should be) powered by vast amounts of high-quality, unbiased data. As such, when we talk about regulating the collection and use of personal and sensitive information, we are also talking about regulating AI and other potentially lifesaving technologies powered by data.  

Recently, there has been a push in the United States to pass a comprehensive data privacy and protection law at the federal level. The most recent effort is the American Data Privacy and Protection Act (ADPPA). While there is certainly enough to criticize about the proposed law, there has been relatively little discussion about how the passage of the ADPPA could impact innovation. 

Like many data privacy laws throughout the world, including the California Consumer Privacy Act (CCPA), the ADPPA draws inspiration and/or borrows from the European Union's General Data Protection Regulation (GDPR). As such, it is with almost suspicious timing that the National Bureau of Economic Research (NBER) published a working paper titled "GDPR and the Lost Generation of Innovation Apps" one month ahead of the ADPPA's release in June of this year. 

The authors of the paper—while admitting that their conclusions are subject to various unknowns—found that after the GDPR went into effect, there was a sharp decline in the number of potentially useful apps entering the market. Specifically, after implementation the entry of new apps into the market fell by half. Why? The short answer is that compliance with the GDPR increased the cost of producing and introducing the new apps. Based on those findings, the report concludes that "[w]hatever the privacy benefits of GDPR, they come at substantial costs in foregone innovation."

The ADPPA appears to make some effort to reduce compliance costs by focusing on data minimization rather than on the more onerous consent-based system found in the GDPR. However, with few exceptions, small businesses would still be required to comply with most of the provisions in the ADPPA—potentially silencing, for example, half of the approximately 2000 biotech startups currently operating outside of Boston alone. 

So, are we prepared to forgo innovation? To some degree, we must. Any regulatory scheme will have attendant costs, and there is no dispute that one is needed. Hopefully, those with the next great idea will find a way to get their product to market either with the assistance of venture capital or by some other means. However, it is likely (because they are already doing it) that many small businesses will try to fly under the radar until they can afford to comply or an enforcement action is brought against them. 

Given this reality and the need for more innovation, lawmakers should consider additional ways to reduce compliance costs for small to medium-sized businesses before implementing any new data privacy and protection law. Behemoths like Apple and Google can easily absorb those costs and will continue to grow and innovate. However, the same cannot be said for many other businesses. The failure to properly address this issue and reach the right balance could negatively impact not only consumers' privacy but also their needs and well-being.