Your proposed solution gives companies zero incentive to minimize data collected, and even incentivizes them to make fulfilling such a request as convoluted and expensive as possible.
What people online love to call "common sense solutions" are usually not solutions at all.
> Your proposed solution gives companies zero incentive to minimize data collected
The expense of producing the data isn't supposed to be an incentive to minimize data collected, that is what the other sections are for. For large companies it wouldn't be regardless because they could automate the process.
> and even incentivizes them to make fulfilling such a request as convoluted and expensive as possible.
A company charging outrageous prices would obviously invite investigative scrutiny.
45 C.F.R. § 164.524 (c)(4) requires medical providers to make our records available to you upon request, for a reasonable fee to reflect their cost of preparing it.
“Fees. If the individual requests a copy of the protected health information or agrees to a summary or explanation of such information, the covered entity may impose a reasonable, cost-based fee, provided that the fee includes only the cost of:
(i) Labor for copying the protected health information requested by the individual, whether in paper or electronic form;
(ii) Supplies for creating the paper copy or electronic media if the individual requests that the electronic copy be provided on portable media;
(iii) Postage, when the individual has requested the copy, or the summary or explanation, be mailed; and
(iv) Preparing an explanation or summary of the protected health information, if agreed to by the individual as required by paragraph (c)(2)(iii) of this section.”
Despite this language, actual costs for getting medical records vary widely. “Fees range very widely, from $2-55 for short records of 15 pages to $15-585 for long ones of 500 pages. Times also range widely, from 1–30 days (or longer for off-site records)” from a survey study on the topic.
No one has been investigated on this that I have ever heard of.
> Despite this language, actual costs for getting medical records vary widely. “Fees range very widely, from $2-55 for short records of 15 pages to $15-585 for long ones of 500 pages. Times also range widely, from 1–30 days (or longer for off-site records)” from a survey study on the topic.
All of those numbers are in line with the actual costs of producing information like that. The problem scenario is the one where the company claims everything costs a zillion dollars just so they don't have to provide the information at all, which the rules appear to be successfully preventing from happening.
> Since meaningful use regulation has strong-armed almost all providers in the country into EMRs, it costs absolute pennies to provide those documents.
The reproduction cost is not the dominant factor in processing costs. Someone has to review the information, e.g. to make sure the file actually belongs to the requesting party and some clerical error doesn't cause them to receive someone else's records, the information may be in multiple independent systems, the request may be for a subset of the information which then has to be separated out, etc.
Not all of that happens all of the time, which is why it costs $2 sometimes and $500 other times.
> And for most people, 500$ for a medical record is effectively zillions.
What’s sad isn’t how far off you are in your conception of what the process looks like; what’s sad is that what you’re describing sounds like an entirely reasonable security effort, and it’s disappointing that it has almost no reflection in reality.
The problem is we don't all agree about what "outrageous prices" are, and courts are unlikely to conclude that anything that matches standard industry practices is "outrageous".
The cost of complying with the GDPR nightmare letter, for the average large company that's not designed around the ability to comply with it, is likely to involve multiple engineers for several months digging out the data - if not a large internal redesign to make it even possible to dig out the data. It is not outrageous that the cost of doing that work is objectively going to be hundreds of thousands of dollars. And end users aren't going to pay for that.
So the question is whether we think that it's worth it to society to cause companies to figure it out anyway, or not. If we don't, we don't need a law at all; we just let companies carry on as they are now. If we do, then we should give incentives to design your company right from the start, to minimize data collected, etc.
The nightmare letter is specifically designed as an instrument of malice to maximize processing costs. If it does what it was intended to do and that generates a large processing fee, the system is working as intended.
If the cost of preparing for compliance is reasonable then amortizing it over each request should not produce unreasonable costs per user. If the costs are unreasonable to begin with then that is the root of the problem which is what needs to be corrected independent of who pays.
> A company charging outrageous prices would obviously invite investigative scrutiny.
Outrageous? No, just the mere cost that really happens.
Say, the data can only be accessed by the CEO personally. For privacy reasons, okay? Very reasonable, and totally in the spirit of the GDPR.
It can only be accessed in a very secure server location in Norway. Also commendable.
Our CEO needs to travel (first-class air travel) to Norway. He stays in a first-class hotel. Oh, and his time has value, too. So let's say a three-day business trip, that adds 1 percent of his salary to the bill.
Of course, this is a hypothetical, not-really-serious exaggeration. But it demonstrates the effect that would certainly happen on a much smaller scale.
> Say, the data can only be accessed by the CEO personally. For privacy reasons, okay? Very reasonable, and totally in the spirit of the GDPR.
Then the company has the same costs in making any use of the data, at which point they might as well not even collect it.
> Of course, this is a hypothetical, not-really-serious exaggeration. But it demonstrates the effect that would certainly happen on a much smaller scale.
But the scale makes all the difference. If they literally require the CEO to fly to Norway and stay in a hotel then it would add millions of dollars to the cost, but it's also manifestly unreasonable.
They can easily add some nominally unnecessary bureaucracy to the process that adds a few percent to the cost and get away with it, but that isn't really going to deter a lot of people.
The more they try to get away with, the more likely they make it that the regulators will crawl inside them and lay eggs. It's a losing trade off just so you can spite your own customers.