The EU implemented the General Data Protection Regulation (GDPR) in May 2018. Last year, 3 years in, we began to see macroeconomic reports from entities such as Deutsche Bank and HSBC that the GDPR was having a negative effect on investment in EU ventures, particularly for foreign investments, younger ventures, and data-reliant firms. This past November at “Slush Finland” (Europe’s mega startup and tech networking event) we learned that there has been a significant reduction in deals and the average dollar amount raised per deal due to GDPR.
The GDPR was largely implemented in an empirical vacuum. Though some pioneering studies have examined the impact of privacy regulation on online activity and technology ventures we knew close to nothing about how GDPR has impacted firm performance until now.
The first major study is from the Oxford Martin School at Oxford University. Their findings show that companies exposed to the new regulation saw an 8% reduction in profits and a 2% decrease in sales. These adverse performance consequences were primarily borne by small and medium-sized enterprises.
In contrast, there is no evidence that any large technology companies, such as Facebook and Google, experienced any reductions in either sales or profits. And it must be remembered that the whole purpose of GDPR – despite the EU Commission propaganda that it was about “data protection” – was to hurt American Big Tech.
The following will summarise those findings (taken from the Executive Summary and the full report) and you’ll find a link to the full report at the end of this post.
BY:
Lina Stahl
Economics Analyst
PROJECT COUNSEL MEDIA
14 March 2022 (Berlin, Germany) – Personal data are a key factor of production in the modern world. But they are also a contentious issue for policymakers looking to balance the data privacy concerns of citizens against the dynamism of their economies. Against this background, the EU implemented the General Data Protection Regulation (GDPR) in May 2018. The prime objective was to give individuals better control over their data, making it more difficult and expensive for firms to commercialise them. According to The New York Times, GDPR has made Europe “the world’s leading tech watchdog”. Meanwhile, others have raised concerns over its impacts on European competitiveness. In the words of Axel Voss, a member of the European Parliament, “Europe’s obsession with data protection is getting in the way of digital innovation”.
Yet, so far, GDPR has largely been implemented in an empirical vacuum. Though some pioneering studies have examined the impact of privacy regulation on online activity and technology ventures, we know close to nothing about how GDPR has impacted the economy as a whole. In particular, online outcomes are silent on compliance costs and effects on firm performance beyond e-commerce. Missing the broader impacts of GDPR could deliver a misleading picture to policymakers concerned with its potential unintended consequences.
To fill this empirical void, Oxford Martin has examined the impact of GDPR on firms’ profits and sales across all sectors of the economy in 61 countries. In its view, understanding its effects is particularly crucial as the GDPR is swiftly becoming a global blueprint for regulating data privacy. All firms that target EU consumers have to comply, regardless of where they are incorporated, meaning that companies from Silicon Valley to Shenzhen are potentially affected by it. Several countries, including Brazil, Canada and South Korea, are already in the process of passing similar data protection laws. As Vera Jourova, the European commissioner in charge of data privacy revealingly puts it, “if we can export this to the world, I will be happy”.
GDPR at a glance
In principle, GDPR might affect firm performance in two ways. First, because companies must use GDPR-compliant processes and technologies, it creates costs and reduces profits. For example, giving EU residents the right to access, correct, delete, and port their personal data requires companies to either develop or buy IT systems that support these requirements. Anecdotal evidence suggests that these costs can be substantial. According to PwC, some companies spend over €10 million annually on compliance.
Second, the regulation might adversely affect e-commerce and thus lower sales. As we all know, GDPR prohibits websites from sharing user data with third parties without the consent of each user. Valid consent must also be affirmative, which makes data collection more expensive and could reduce companies’ ability to extract personal data. But in addition, users might incur a cost as well when prompted to give consent to use their data. If this is the case, we would expect to see a reduction in online sales as a consequence.
Performance and patenting
To measure companies’ exposure to GDPR, Oxford Martin exploited international input-output tables and compute the shares of output sold to EU markets for each country and 2-digit industry. It then constructed a shift-share instrument interacting this share with a dummy variable taking the value one from 2018 onwards.
Based on this approach, they found both channels discussed above to be quantitatively important, though the cost channel consistently dominates. On average, across the full sample, companies targeting EU markets saw an 8% reduction in profits and a relatively modest 2% decrease in sales (see Figure 1 below). This suggests that earlier studies, which have focused on online outcomes or proxies of sales, provide an incomplete picture since companies have primarily been adversely affected through surging compliance costs.
While systematic data on firms’ IT purchases are hard to come by, they explored how companies developing digital technologies have responded to GDPR. Indeed, taking a closer look at some recent patent documents, they noted that these include applications for technologies like a “system and method for providing general data protection regulation (GDPR) compliant hashing in blockchain ledgers”, which guarantees a user’s right to be forgotten. Another example is a ‘Data Consent Manager’, a computer-implemented method for managing consent for sharing data.
These are not just isolated examples. Overall, they document a marked increase in patenting among companies in information technology in response to the implementation of GDPR.
Figure 1 – Estimated impact of exposure to the GDPR on firm profits and sales
Note: The figure presents the average marginal effects of GDPR on log profits and log sales. The point estimates are included in 90% confidence intervals.
Small versus large companies
While the results reported above show that GDPR has reduced firm performance on average, they do not reveal how different types of firms have been affected. As is well-known, large companies have more technical and financial resources to comply with regulations, invest more in lobbying, and might be better placed to obtain consent for personal data processing from individual consumers. For example, Facebook has reportedly hired some 1,000 engineers, managers, and lawyers globally in response to the new regulation. It also doubled its EU lobbying budget in 2017 on the previous year, when GDPR was announced. Indeed, according to LobbyFacts.eu, Google, Facebook and Apple now rank among the five biggest corporate spenders on lobbying in the EU, with annual budgets in excess of €3.5 million.
While these are significant costs that might reduce profits, the impact of the GDPR on the fortunes of big tech is ambiguous. As The New York Times writes, “Whether Europe’s tough approach is actually crimping the global tech giants is unclear… Amazon, Apple, Google and Facebook have continued to grow and add customers”. Indeed, by being better able to cope with the burdens of the regulation, these companies may have increased their market share at the expense of smaller companies.
The Oxford Martin estimates suggest that BigTechs have fared relatively well in the age of GDPR (see Figure 2, Panel b below). Specifically, they found no significant impacts on large tech companies, like Facebook, Apple and Google, on either profits or sales. At the same time, among small companies in information technology, the negative profit impact is double the average effect across our full sample. Large technology companies, in other words, have seemingly taken market share from their smaller competitors, offsetting the compliance costs associated with GDPR. Overall, the main burdens of GDPR have fallen on smaller companies (see Figure 2, Panel a below).
Figure 2 – Estimated impact of exposure to the GDPR on firm profits and sales: Small vs large and IT firms
Note: The figure presents the average marginal effects of the GDPR on log profits and log sales. Small firms have less than 500 employees. IT firms are firms in NACE Rev. 2 industries J62 “Computer programming, consultancy and related activities” and J63 “Information service activities. The point estimates are included in 90% confidence intervals.
Conclusions
The Oxford Martin findings leads them to conclude that the adverse performance impact of GDPR on both profits and sales have been significant for companies operating in the EU. But the main effect has occurred through rising compliance costs rather than reduced sales. That said, these results must be interpreted with caution:
• First, some of the adverse impacts they document might be temporary adjustment costs, meaning that the negative effects of GDPR might taper off in the future. For example, the marked increase in patenting after 2018 probably reflects one-off investments in new GDPR-compliant technologies.
• Second, if GDPR is widely adopted and becomes a global standard, companies targeting EU residents will gradually become less disadvantaged.
• Third, they note that their estimates do not capture the aggregate welfare effects of the regulation since potential benefits to citizens concerned with data protection are unaccounted for.
Nonetheless, they believe that some modifications to GDPR in its current form would be desirable, taking into account that the regulation has put smaller companies at a disadvantage. This explains the shift we have reported over the last year – both the EU Commission and the EU Parliament have expressed a need for a GDPR rewrite.
Indeed, while European leaders have pledged to reign in the power of bigTech, GDPR might even have strengthened them by weakening their competitors. Indeed, the Oxford Martin findings show that smaller companies have been disproportionally adversely impacted, both in terms of sales and profits.
For a link to the full Oxford Martin report click here.
POSTSCRIPT
More intriguing is a forthcoming study on market data structure. Both EU-based and non-EU-based websites have switched to more privacy-sensitive technologies following GDPR, but it seems to be only a short term. The market for web tracking technologies has become more concentrated, with Google gaining the most market share among large providers. Privacy regulations are functioning as nonpecuniary barriers to trade.
This brings up the elephant in the room we have been writing about for 2+ years: advertising and data will retreat/have retreated inside silos (Amazon, Apple, Facebook, Google, TikTok, etc.) where nothing is passed around or shared. Taken to its logical conclusion, most of these privacy regulations will simply not apply. So regulators really need to figure out just what the problem is they are trying to solve and/or regulate.
For a detailed 2-part analysis on these issues from our boss click here.