Drinking from the Firehose #123: 🙈 Unintended consequences. 🙈


A year into the implementation of Europe's General Data Protection Regulation (GDPR), we are just beginning to see the effects it has on consumers and firms.

According to one review in Slate, "early numbers for the GDPR make clear that the policy has been a success as a breach notification law, but largely a failure when it comes to imposing fines on companies that fail to adequately protect their customers’ data."

The term "breach notification" refers to GDPR's requirement for organizations to notify the victims of a breach within 72 hours of discovery. Previously, various European countries held different reporting standards. GDPR also expanded the definition of personal data to be more comprehensive, including certain mobile device identifiers, biometric data, etc. The combination of these factors caused breach notifications to explode to over 89,000 in the last year. There's a lot more data out there on who is getting breached and in what capacity. That's good news. Sunlight is the best disinfectant.

To Slate's latter point, however, the punitive aspects of GDPR have largely fallen flat. In theory, violators can be fined up to 4% of global revenues. For Google, the amount would be a whopping $5.5 billion! Yet in the current reporting period, only €55 million in fines have been levied against violators, 90% of which is a single fine to Google itself. Despite more visibility into violations, few firms are paying a meaningful price.

In addition, the cost of compliance with GDPR is significant. A PwC survey of 200 companies with greater than 500 employees found that 68% planned to spend $1-10 million to meet regulatory requirements. The study concluded that the total cost of compliance with GDPR would exceed $150 billion. That doesn't include the time spent by consumers clicking on all those little "OK" boxes across the internet! A societal cost of $150 billion compared to fines collection of €55 million would put GDPR's economics far into the red in its first year.

Then there are the unintended consequences of GDPR. Alec Stapp on his Truth on the Market blog listed a few. Many stem from hackers exploiting features of GDPR itself to steal more data. For example, GDPR requires users to have a "right of access" to their data. If a hacker steals your credentials, GDPR ensures that he can request, and often get access to, your complete data file with a given service. It effectively makes the consequences of a breach worse. GDPR's "right to be forgotten" is also a panacea for bad actors. Scam artists have issued takedown requests on articles that revealed their past scams, removing the ability for consumers to Google these individuals and learn the truth.

The biggest unintended consequence of GDPR, however, is the clear benefit it has granted its most dominant adversaries -- Google and Facebook. Ad network data suggests that Google and Facebook have seen a relatively small drop in traffic after GDPR started regulating their respective data tracking services. Numerous smaller ad exchanges have seen ad volumes drop by 20-40%. With their scale, Google and Facebook can solve GDPR compliance by spending money and hiring humans. Small companies lack the resources to modify their services adequately and hence retreat from the market. The result is that Google and Facebook have likely increased their market share in Europe's online advertising market.

I'll close by stating the obvious: getting consumer data privacy right across multiple countries is very hard! The intent is good, but the implementation is poor. If we're going to start punishing tech companies for their transgressions, we should think through potential unintended consequences. We should give the law not just teeth, but also the ability to bite down hard when necessary.

GDPR After One Year: Costs and Unintended Consequences

GDPR is officially one year old. How have the first 12 months gone? As you can see from the mix of data and anecdotes below, it appears that compliance costs have been astronomical; individual “data rights” have led to unintended consequences; “privacy protection” seems to have undermined market competition; and there have been large unseen — but not unmeasurable! — costs in foregone startup investment. So, all-in-all, about what we expected.



Financial repression.

20% of the Global Government Bond Index is estimated to be negative yield by end of 2019. I've often wondered who buys this seemingly worthless paper. Daniel Lacalle opined on this question on Hedgeye this week.

In summary, those who purchase negative yield bonds believe that the stock market and other risky securities will collapse in value, and that a -1% yield is better than losing 20-30% of value in other asset classes. While yields on these bonds are negative, they expect the value of these relatively safe securities to rise in the upcoming downturn, offsetting the coupon loss.

Daniel also makes the broader point that artificially low, maybe negative, interest rates create a state of financial repression. In this state, individuals and firms are incentivized to spend and consume more, but do not for fear of an imminent financial collapse. The result is a combination of economically unsound investments for some, and money under mattresses for others. Scary stuff.


Baby mode.

Snapchat continues to bring innovation to the social media landscape. Lately, its "masculine," "feminine," and "baby" face filters have gone viral. Snapchat's product philosophy differs from that of its competitor Instagram. With its feed-based format, Instagram is performative. You want to present the best version of yourself on IG. Snapchat, instead, is a place where it's OK to experiment and explore different identities:

"Snapchat’s filters are less concerned with making you look good. They want to show you a part of yourself that you might not have ever considered, whether that’s what you’d look like as a different gender, or as a baby, or standing next to an anthropomorphic meat tube. Snapchat’s filters are deliberately off-putting and a bit bewildering. They don’t show you what you’d be like if you looked better or cooler, they show you what you’d look like if you were substantively different (or the laws of nature were different, in the case of the hot dog). It’s this design philosophy – this willingness to be weird and unsettle users – that gives it a leg up over Instagram, which has little in the way of an identity when it comes to filters."


Head shot (video).

At this point, I think I share a neural network video each week, but the progress in this field of technology is simply astounding. A new paper shows how even a single image can be used to produce a face model that can be controlled by another human. The authors created a demo that animates the faces of famous paintings (Mona Lisa) and portraits (Albert Einstein) to stunning results.


Multi-colored X-rays (video).

Once upon a time, all photos were in black & white. Over time, color film was developed to capture the whole gamut of visible light. Recently, scientists have begun to push X-rays down a similar path of development.

Today, all X-ray images are greyscale. That's because commercial X-ray emitters operate on a single wavelength. Greyscale is proportional to the absorption of this single wavelength into the body's tissues. If you had multiple wavelengths (i.e. "colors") of X-rays and a detector capable of distinguishing between them, you could image different tissue types in the same machine -- all with high fidelity.


Out of tune (video).

Music theory geeks are going to love this video. YouTuber Paul David breaks down why John Frusciante of the Red Hot Chili Peppers plays the main lick of "Scar Tissue" intentionally out of tune. And I bet you never noticed!