Personal Data And The Next Subprime Crisis

POST WRITTEN BY
Chiara Rustici
This article is more than 5 years old.

Remember the start-of-year predictions on 2018’s potential systemic shocks to the financial markets? Brexit, algorithmic trading, North Korea, cryptocurrencies, climate change and state-sponsored cyber warfare topped the list.

Wall Street is holding up and Summer’s here: none of the above came to materially affect the stock markets. Either all is well, and the rest of 2018 will be a relatively calm year, or analysts have missed the mark entirely and the worst is still to hit us.

Market analysts do have form in entirely missing the mark

In 2006 they failed to spot the impending 2007-2008 credit crisis. Key concerns at the time were high-yield (junk) bonds and private equity, hounded both by regulators and the financial press. Conversely, derivatives were hailed as the perfect credit risk amortizers, spreading and dissipating default risk among those who could afford it most: high-risk investors.

Things turned out differently: spectacularly so.

Before derivative products graduated from esoteric financial know-how to casual dinner conversation topic, before the fog lifted on Collateralised Debt Obligations and it became common knowledge that asset-backed securitization had been resting on subprime borrowing, an entire global economy suffered the long chill of frozen interbank lending.

No analyst had focussed on the critical role of the short-term money markets: the beating pulse of overnight bank-to-bank loans underpinning global financial flows. No finance textbook had a chapter on how banking trust worked: once over-the-counter derivatives injected complexity and lack of transparency in a single entry of a bank’s portfolio, its risk contaminated whole asset classes, whole portfolios and, ultimately, the entire financial ecosystem.

Meet the new subprime asset class: GDPR personal data

Wall Street is poised to make the same mistake again. This time round, however, market analysts are failing to detect the key circulation system underpinning not the debt, but the data markets. Once again, analysts are overlooking the part played in financial stability by the invisible beating pulse of our economy: data flows. Once again, no finance textbook has a chapter on how data trust works.

The new subprime is an off-balance sheet, ill-defined, ill-understood asset class flowing, intangibly, between individuals and businesses, among businesses and among individuals: personal data.

The General Data Protection Regulation, the EU’s new legal framework for personal data, enforceable since May 25th, has radically and irreversibly altered the business asset nature of any type of data set.

As a human rights law, the GDPR’s goal is not to regulate the personal data markets, let alone the whole data markets, but to give individuals rights over data about them held by businesses. Yet, considering it does not as yet offer a workable criterion to demarcate which data points amount to personal data and which ones amount to non-personal data, and considering it casts onto businesses a triad of obligations that reach deep into how their data assets are organised and made available for them and for others in the same business ecosystem to reuse, the GDPR obligations and prohibitions are bound to regulate the personal data markets by stealth.

This obligation triad is made up of the GDPR’s right to erasure, right to portability and the right to restriction of processing. They have kept compliance and legal teams busy for the past two years, but are not yet clearly understood as introducing, respectively, data liquidity risk and data operational risk.

The GDPR’s joint and several liability for businesses and their contractors in verifying data lineage and correct handling of personal data by the other party is not yet widely understood to inject counterparty data risk into every organization. Chief Risk Officers and boardrooms have yet to grasp the interconnected nature of data risk. Company valuations are yet to price in the effects of the GDPR on this most elusive of assets.

Unless clearly understood by all market operators, and unless it is offered the same degree of transparent handling and traceability that all traded financial instruments have, personal data is our next subprime asset, injecting risk into all organizations.

Why is this a matter for financial stability?

The GDPR’s rules demand that personal data be offered up by individuals to businesses for a specific purpose, for a specified timeframe and well-identified beneficiary or category of beneficiaries. Expressed in market terms, if data is a core asset to businesses, consent or contract can offer a legal basis for a primary market in personal data. A primary personal data market is to be understood in its broad sense as any mechanism allowing businesses with a need to deploy personal data (demand) to agree an exchange with individuals offering up their data for a perceived benefit (offer).

Yet, because of the GDPR prohibitions on re-purposing the data thus collected, because of the absolute bar to utilizing such data past an agreed time frame and because of the heavy restrictions on any onward-transfer of such data, there will never be a deep and liquid personal data secondary market.

In other words: personal data may behave as an asset, and a bespoke one at that, but it will never behave as a commodity. To continue treating personal data as a commodity, as a fungible asset, after May 25th, is to take on virtually unlimited liability.

Three reasons why misunderstanding the new nature of data harms the financial markets

One reason is that where we have no secondary markets, price discovery is tricky: we do not really know how to correctly price listed companies that are rich in personal data.

A second reason is that, although enforceable since May 25th, the GDPR has not yet unleashed its fabulous fines: none have yet found their way onto businesses’ balance sheets. As a result, while we could, in principle, price cybersecurity risk on the basis of known discounts in acquisition prices (first to come to mind is the discount Verizon obtained in the Yahoo! sale price after Yahoo!’s cybersecurity breach emerged), we could not yet use a similar fines-based pricing for GDPR-style data risk.

The U.K. data protection regulator, the Information Commissioner’s Office, is doing a thorough job of investigating the relationship between Cambridge Analytica and Facebook. Elizabeth Denham, the current U.K. privacy commissioner, is commanding the world’s respect in doggedly tracing how personal data harvested through an online personality test originally devised in a Cambridge University Lab, later deployed by a consultancy for commercial gain, finally ended up in elaborate voter profiling and micro-targeting in key marginal states in the US presidential election of 2016. Yet, even she will eventually only be able to fine the parties the capped amounts allowed by the GDPR’s predecessor, given that the events investigated took place before May 25th.

A third reason is that a business’ data assets could evaporate overnight if the GDPR rights of erasure and portability are exercised by consumers in targeted and organised ways to punish specific businesses.

Tech dare games

As if pricing opacity and data liquidity risks were not enough to feed a potential systemic risk, even two months after its enforcement date, data-intensive multinationals still appear to be playing GDPR compliance games of chicken with EU regulators and confidence games with their own business ecosystem.

The collective Silicon Valley unspoken belief seems to be that users will click “I agree” to anything they are asked, simply because the benefits of free services are too great not to trade some privacy in return. Why change a business model that works? The great data barter between consumers and digital businesses is clear.

Just like the large systemically important banks and other financial institutions in 2008, key technology players know they are serving a public infrastructure role: if they are put out of business by the EU regulators’ fines, the global digital economy, including the EU’s small and medium players, will be crippled. They know they are systemically important and are playing a thinly veiled “I-dare-you-to-take-me-down” game.

Some, in Silicon Valley, seem to be firmly convinced they are too big to fail.

Small and medium enterprises have no viable technical means to comply with the GDPR.

Key technology players are not changing their data business model. Most have been slow in producing tools for others in their ecosystem to achieve GDPR compliance. Small and medium businesses relying on key IT infrastructure are left with no choice but paying lip service to their GDPR obligations, without any operational ability to execute on these.

The reason all of the above can trigger financial instability is that no business can genuinely operate independently of any other in the personal data space. If personal data obtained from third parties has not been sourced in a GDPR compliant manner, a business is taking on data counterparty risk. If personal data is handled in a manner that does not permit individuals to exercise their rights over it, a business is taking on operational risk. If personal data is subject to multiple data portability or data erasure requests, a business is facing data liquidity risk.

There is a global and systemic lack of visibility of the end-to-end personal data value chain. Lawyerly obfuscation of privacy policies and crafty catch-all terms and conditions are not helping businesses grapple with the new nature of data as an asset class.

When the first GDPR fines strike, the global equity markets will see 2007-2008 systemic trust issues replay and personal data may well be the next subprime.

It's not too late to avert a new subprime crisis. Activist investors: are you asking the right questions? Institutional investors: are you betting on the wrong data business models? Silicon Valley: how far are we from data lineage and traceability in Big Data?