Big, personal, depersonalized data: problems of industry regulation

The development of Russia's digital economy faces a contradiction between the need for free big data exchange and increasing control over personal data. The introduction of «Data Economy» national project and new federal laws on personal and depersonalized data has intensified regulatory problems in this sphere. The research aims to identify economic problems in big data field arising from regulatory gaps and new personal information protection norms. The methodological foundation is new institutional theory, particularly O. Williamson's transaction cost economics. The author applies comparative institutional analysis and economic-mathematical modeling methods to assess the effectiveness of penalty sanctions. Differences in the specificity of big data and personal data as resources were established, justifying the need for a differentiated regulatory approach. Structural regulatory alternatives were identified: from complete state control to market mechanisms with intermediate hybrid forms. The main obstacles to big data market development are uncertainty regarding anonymized data status and the absence of reliable depersonalization methods. Modeling showed that introducing turnover-based fines creates excessive burden on small and medium-sized enterprises that previously invested in cybersecurity. Ensuring digital industry development requires mandatory public-private partnership in rulemaking through self-regulatory organizations that account for a high pace of technological changes.

1. Association of Big Data. (2023). Strategy 2024. Retrieved 05/30/2024, https://rubda.ru/deyatelnost/strategiya/

2. Denuo. (2023, August 30). The Supreme Court of the Russian Federation did not recognize email address as personal data. Retrieved 05/30/2024, https://denuo.legal/ru/insights/news/230830/

3. Determination of the Supreme Court of the Russian Federation of July 21, 2023, No. 305- ES23-12160 in case No. A40-139096/2022 (2023, December 26).

4. Federal Law “On Personal Data” of July 27, 2006 No. 152-FZ. (2006, July 27).

5. Federal Law “On Amendments to the Code of Administrative Off enses of the Russian Federation” of November 30, 2024 No. 420-FZ. (2024, November 30).

6. Federal Law “On Amendments to the Federal Law ‘On Personal Data’ and the Federal Law ‘On Conducting an Experiment to Establish Special Regulation in Order to Create the Necessary Conditions for the Development and Implementation of Artifi cial Intelligence Technologies in a Constituent Entity of the Russian Federation — the Federal City of Moscow and Amending Articles 6 and 10 of the Federal Law ‘On Personal Data’” of August 8, 2024 No. 233-FZ. (2024, August 8).

7. GOST R 59925-2021 (2021). National standard of the Russian Federation. Information Technology. Big data. Technical task.

8. GOST R 59925-2021. (2021). National standard of the Russian Federation. Information technology. Big data. Technical specification.

9. InfoWatch. (2023). Leaks of restricted access information in the world, 2022. Retrieved 05/30/2024 https://www.infowatch.ru/analytics/analitika/utechki-informatsiiogranichennogo-dostupa-v-mire-2022-g

10. Interfax. (2023, September 21). RKN receives timely signals about leaks from 80% of personal data operators. Retrieved 05/30/2024, https://www.interfax.ru/russia/921948

11. Kaspersky Lab. (2021). Analytical report “IT Security Economics 2020: Part 2”. Retrieved 05/30/2024, https://www.kaspersky.com/blog/it-security-economics-2020-part-2/

12. Kaspersky Lab. (2023). Analytical report “2022 IT Security Economics Report”. Retrieved 05/30/2024, https://go.kaspersky.com/rs/802-IJN-240/images/IT%20Security%20Economics%202022_report.pdf.

13. Kommersant. (2021, October 22). The database parked with hackers. Retrieved 05/30/2024, https://www.kommersant.ru/doc/5041801

14. Mayer-Schoenberger, W., & Cukier, K. (2017). Big data. A revolution that will change the way we live, work and think. Mann, Ivanov and Ferber.

15. Morosanova, A. A. (2023). Strengthening personal data regulation in Russia: Economic implications and risks. The Manager, 14 (5), 29–46. https://doi.org/10.29141/2218-5003-2023-14-5-3

16. National Research University Higher School of Economics. (2024). Collection “Digital Economy Indicators 2024”. Retrieved 05/30/2024, https://issek.hse.ru/mirror/pubs/share/892389163.pdf

17. Osipov, Yu. M. Yudina, T. N., & Kupchishina, E. V. (2020). “Artifi cial intelligence”, big data as economic institutions of the new technological generation. Moscow University Economic Bulletin. Series 6: Economics, 4, 27-46. https://doi.org/10.38050/01300105202042

18. Petrov, A. (2021, November 14). Are email and IP address personal data? Retrieved 05/30/2024, https://pravo.rg.ru/rubrics/question/38477/

19. RBC. (2023, December 04). How the big data market will develop in Russia. Retrieved 05/30/2024, https://trends.rbc.ru/trends/industry/cmrm/65688df29a7947662df7ba7a

20. Roskomnadzor. (2013). Methodological recommendations for the application of Roskonadzor order No. 996 dated September 05, 2013 “On approval of requirements and methods for anonymization of personal data.”

21. Sadovnikov, D. (2021, November 05) Depersonalization of personal data in Russia and Europe: when does data cease to be personal? Zakon.ru. Retrieved 05/30/2024, https://zakon.ru/blog/2021/11/5/obezlichivanie_personalnyh_dannyh_v_rossii_i_v_evrope_kogda_dannye_perestayut_byt_personalnymi

22. Savelyev, A. I. (2015). Problems of applying legislation on personal data in the era of Big Data. Right. Journal of the Higher School of Economics, 1, 43–66.

23. Shastitko, A. E., Kurdin, A. A., & Filippova, I. N. (2023). Meso-institutions for digital ecosystems. Voprosy Ekonomiki, 2, 61-82. https://doi.org/10.32609/0042-8736-2023-2-61-82

24. TASS. (2019, November 21). Leaks of confidential information: why there are more and more of them and how to deal with them. Retrieved 05/30/2024, https://tass.ru/opinions/7164059

25. Vedomosti. (2021, July 15). The first national standard in the field of big data has been approved in Russia. Retrieved 05/30/2024, https://www.vedomosti.ru/technology/articles/2021/07/15/878242-utverzhden-pervii-standart-v-oblasti-bolshih-dannih

26. Williamson, O. (1996). Economic institutions of capitalism: Firms, markets, “relational” contracting. St. Petersburg: Lenizdat; CEV Press.

27. Becker, G. (1986). Crime and Punishment: An Economic Approach. Journal of Political Economy, 76 (2), 169–217. https://doi.org/10.1086/259394

28. Blind, K., Niebel, C., & Rammer, C. (2022). The impact of the EU General Data Protection Regulation on innovation in fi rms. ZEW Discussion Papers, 22-047. https://doi.org/10.2139/ssrn.4257740

29. Chen, C., Frey, C. B., & Presidente, G. (2022). Privacy Regulation and Firm Performance: Estimating the GDPR Eff ect Globally. The Oxford Martin Working Paper Series on Technological and Economic Change. Working Paper No. 2022-1.

30. Competition Policy International. (2021). CPI Antitrust Chronicle February 2020. Retrieved 30.05.2024, https://www.competitionpolicyinternational.com/wp-content/uploads/2020/02/CPI-Modrall.pdf

31. Geradin, D., Karanikioti, T., & Katsifis, D. (2021). GDPR Myopia: how a well-intended regulation ended up favouring large online platforms — the case of ad tech. European Competition Journal, 17(1), 47-92. https://doi.org/10.1080/17441056.2020.1848059

32. IBM Security. (2023). Cost of a Data Breach Report. Retrieved 30.05.2024, https://www.ibm.com/reports/data-breach

33. InfoWatch. (2023). Утечки информации ограниченного доступа в мире, 2022 г. Retrieved 30.05.2024, https://www.infowatch.ru/analytics/analitika/utechkiinformatsii-ogranichennogo-dostupa-v-mire-2022-g

34. Jia, J., Zhe, J., & Wagman. L. (2019). The Short-Run Eff ects of GDPR on Technology Venture Investment. NBER Working Papers 25248, National Bureau of Economic Research, Inc. https://doi.org/10.2139/ssrn.3278912

35. Koski, H., & Valma ri, N. (2020). Short-term Impacts of the GDPR on Firm Performance. ETLA Working Papers. 77. The Research Institute of the Finnish Economy.

36. Lambrecht, A., & Tucker, C. (2015). Can Big Data Protect a Firm from Competition. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.2705530

37. Marthews, A., & Tucker, C. (2019). Privacy policy and competition. Brookings report. Brookings Economic Studies, 1–27.

38. Ohm, P. (2010). Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization. UCLA Law Review, 57, 1701-1776.

39. Peukert, C., Bechtold, S., Batikas, M., & Kretschmer, T. (2022). Regulatory Spillovers and Data Governance: Evidence from the GDPR. Marketing Science, 41(4), 318-340. https://doi.org/10.1287/mksc.2021.1339