The number of privacy-related fines is enormous and growing. But what is the right price to deter poor behavior, and what prices might have the unintended consequence of making transgressions more acceptable? In a world where British Airways is fined 1.5 percent of turn-over for £183 Million, Equifax is fined $700 Million and Facebook is fined an astonishing $5 Billion, it would seem that the hammer is being brought down on the private sector for transgressions. However, Facebook’s value increased as a result of it’s fine. What exactly is happening here?
There are several examples around, but John List and Uri Greezy examine a fascinating case study in with daycare centers in their book The Why Axis. In Haifa, Israel, parents were arriving late to pick up their children, leading to overtime issues and staff problems. To rein this in, a fine was introduced to deter parents from turning up late. The result was a dramatic increase in tardy parents, completely the opposite of what was sought. The fine had effectively replaced the social awkwardness and embarrassment of being bad parents with an acceptable price tag that was relatively easy to pay. It had put a small number on tardiness and excused what had previously been a social stigma. It became acceptable to be tardy because of the fine.
British Airways paying a fine that is 1.5 percent of turn-over isn’t easy. It cuts into profit enormously and affects earnings per share in a dramatic way that hurts shareholders. Keep in mind too that GDPR, which is more than a year old, can still drive fines higher. However, the stigma of a privacy breach is potentially worse than 1.5 percent.
In the case of Facebook, it was more like one third of revenues, and their entire business model was tarnished and in question as a result of potentially offensive, stigmatized and unregulated privacy practices. Prior to the fines, Facebook’s shareholders had no idea how the company might have to dramatically overhaul its practices, from R&D re-factoring to deregulation. In a world where value is based on future potential, the threat of unknown risk looms large in the imagination and damages share price.
And yet, the value of the company increased. The unknown became known. The shame, the uncertainty, the transgression became a weregild and a known quantity. Facebook has effectively been told to continue operations. This is the biggest fine handed out in the history of the FTC, but rather than forcing transformation, the company absorbs it, announces some programs to save face and moves on.
What price does shame have? At what point is a fine not crippling, but enough to change the arithmetic and make privacy reform and progress real? Data is a privilege, not a right. The price of transgression and the consequences will only keep getting worse until real reform is seen.