In the early days of the internet, a commonly-heard mantra was “information wants to be free.” To many, this meant no charges should be imposed for either the use of data and information or their transmission via embryonic internet service provider networks. The latter led to the now-ubiquitous unmetered data plans in which the marginal price paid for another megabyte of data transferred actually is zero.  

Zero marginal cost pricing for information goods reflects their economic characteristics: non-rivalry (one person’s use does not devalue the item for subsequent users), non-excludability (it is costly to put up barriers to stop others from accessing and using it), and infinite expansibility (multiple copies can be made for next to no cost). Maximum societal benefit occurs when all possible uses can be made of an information good. However, unless there are some restrictions on copying and multiple uses of an information good being sold at a positive price, recovering costs of creation or collection becomes impossible. As a result, not enough information goods will be created. Institutional tools such as patenting, copyright, and licensing place limits on copying, distribution, and use to enable the recovery of these legitimate costs, thereby restoring creation incentives.  

Appropriately calibrated, these tools enable both cost recovery and (some) welfare-enhancing, zero-cost copying and sharing. In optimal cases, these tools foster innovative uses to increase welfare further. Copyright, for example, allows derivative works (from the penciled moustache on a photograph to genuinely impressive artistic extensions) and fair use, which means a limited number of copies can be made for personal use and it allows a copy of a book to be shared amongst a certain number of people.

What does this mean for personal data collected by physical and digital entities about the individuals they engage with? Everything we do creates information. As the costs of capturing and storing this information have fallen exponentially over time, ever more is collected and stored. Digital entities can recover the costs by using the information as inputs into innovative new monetized products, and services.

The EU’s General Data Protection Regulation (GDPR), however, lets the person to whom the data relate constrain collector use for only the purposes for which they were collected for as long as they are held. On the one hand, this has led to creative descriptions of those purposes to allow some limited derivative use (e.g., data collected by an insurance company can be pooled with data from other insured individuals to form better risk estimates and pricing of insurance premiums for the data subject).  However, data use for completely new or different purposes, such as combining with data collected from other sources to create a completely different product, is prohibited without the express permission for the new use being sought from the person to whom it relates. The data subject has an inalienable right to veto such use of their personal data.

GDPR thus explicitly constrains the use of data, contrary to their inherent economic characteristics. There is no “fair use.” Because it is not possible to anticipate what potential uses the data could be put to, consent for novel uses cannot be sought ex ante. Ex post, when the new use becomes apparent, it is costly and maybe impossible to obtain explicit consent for the new use, because contact with the data subject may have been lost. And even if the individual can be found, permission may not be granted because of the veto right. Creating a new good is not prohibited if at least some data subjects give consent, but the more individuals whose data are excluded, the less valuable the new good becomes relative to the counterfactual of full inclusion. The public good is harmed by the exertion of a private right.

The consequences of the GDPR veto may not be minor. Consider the use of stored data to train a new AI application. The application needs to be trained on data samples reflecting the entire population to which it relates. Yet, if the available data are biased sample, because a proportion of subjects have not given permission, the resulting AI will be biased and not suitable for population-wide deployment. Not only will there be inefficiently low creation of information goods, but AI tools created from incomplete data will be knowingly imperfect.

Careful thought needs to be given to the economic consequences of rights for individuals to exercise vetoes over future uses of data collected about them, when exercising those rights compromises the collective good. Privacy may be a human right, but so too is access to welfare-enhancing AI applications. A better balance must be struck than in GDPR.

Learn more: Making Australia the Safest Place on Earth to Date? | Disconnecting Australian Children from Social Media | Australia Disconnects (Again) | AI Regulation Increases Certainty—but for Whom?