Personal data is a key production factor in the modern world. But they are also a contentious issue for policymakers looking to balance citizens’ data privacy concerns with the dynamism of their economies (Acemoglu et al. 2019). In this context, the EU implemented the General Data Protection Regulation (GDPR) in May 2018. The primary objective was to give individuals greater control over their data, making it more difficult and costly for companies their marketing. According to The New York Times, GDPR has made Europe “the world’s leading technology watchdog”. Meanwhile, others have expressed concerns about its impacts on European competitiveness. According to Axel Voss, Member of the European Parliament, “Europe’s obsession with data protection hampers digital innovation”.
Yet, until now, the GDPR has largely been implemented in an empirical vacuum. Although some pioneering studies have examined the impact of privacy regulations on online activities and technology companies (Aridor et al. 2020, Jia et al. 2019), we know next to nothing about the impact of GDPR on the economy as a whole. In particular, the online results are silent on compliance costs and effects on business performance beyond e-commerce. Missing out on the broader impacts of the GDPR could paint a misleading picture for policymakers concerned about its potential unintended consequences.
To fill this empirical void, we examine the impact of GDPR on corporate profits and sales across all sectors of the economy in 61 countries (Chen et al. 2022). In our view, understanding its effects is particularly crucial as the GDPR is rapidly becoming a global model for data privacy regulation. All companies targeting EU consumers must comply, regardless of where they are incorporated, which means companies from Silicon Valley to Shenzhen are potentially affected. Several countries, including Brazil, Canada and South Korea, are already in the process of adopting similar data protection laws. As Vera Jourova, the EU Data Privacy Commissioner, puts it tellingly, “[i]f we can export this [the GDPR] in the world, I will be happy”.
GDPR at a glance
In principle, the GDPR could affect business performance in two ways. First, because businesses must use GDPR-compliant processes and technologies, it creates costs and reduces profits. For example, giving EU residents the right to access, correct, delete, and transfer their personal data requires companies to develop or purchase IT systems that support these requirements. Anecdotal evidence suggests that these costs can be substantial. According to PwC (2018), some companies spend more than €10 million per year on compliance.
Second, the settlement could harm e-commerce and therefore reduce sales. As we all know, GDPR prohibits websites from sharing user data with third parties without the consent of each user. Valid consent must also be affirmative, which makes data collection more expensive and could reduce companies’ ability to extract personal data. But in addition, users may also incur costs when they are asked to give their consent for the use of their data. If so, we would expect to see a reduction in online sales as a result.
Performance and patenting
To measure companies’ exposure to GDPR, we mine international input-output tables and calculate the shares of production sold in EU markets for each 2-digit country and industry. We then build a shift-share instrument making this share interact with a dummy variable taking the value one from 2018.
Based on this approach, we find that the two channels discussed above are quantitatively important, although the cost channel consistently dominates. On average, across our sample, companies targeting EU markets experienced an 8% reduction in profits and a relatively modest 2% decline in sales (Figure 1). This suggests that past studies, which have focused on online results or sales proxies, provide an incomplete picture since companies have mostly been affected by increased compliance costs.
Although it is difficult to obtain systematic data on companies’ IT purchases, we can explore how companies developing digital technologies have responded to GDPR. Indeed, taking a closer look at some recent patent documents, we note that these include applications for technologies such as “a system and method for providing a GDPR compliant hash”. ) in blockchain records”, which guarantees a user’s right to be forgotten. Another example is a “Data Consent Manager”, a computer-implemented method for managing consent to data sharing.
These are not just isolated examples. Overall, we document a marked increase in patents among IT companies in response to GDPR implementation.
Figure 1 Estimated Impact of GDPR Exposure on Business Profits and Sales
To note: The figure presents the average marginal effects of GDPR on profits and log sales. Point estimates are included in 90% confidence intervals.
Small versus large companies
While the results reported above show that the GDPR reduced business performance on average, they do not reveal how different types of businesses were affected. As is known, large companies have more technical and financial resources to comply with regulations (Brill 2011), invest more in lobbying (Bombardini 2008) and may be better placed to obtain consent for the processing of personal data. individual consumers (Goldfarb and Tucker 2011). For example, Facebook reportedly hired some 1,000 engineers, managers and lawyers globally in response to the new regulations. It also doubled its lobbying budget in the EU in 2017 compared to the previous year, when the GDPR was announced. Indeed, according to LobbyFacts.eu, Google, Facebook and Apple now rank among the top five companies that spend on lobbying in the EU, with annual budgets exceeding €3.5 million.
While these are significant costs that could reduce profits, the impact of GDPR on the fortunes of big tech is ambiguous. As the New York Times writes, “It’s unclear if Europe’s tough approach is crimping global tech giants… Amazon, Apple, Google and Facebook continued to grow and add customers. Indeed, by being better able to cope with regulatory burdens, these firms may have increased their market share at the expense of smaller firms (Johnson et al. 2020, Peukert et al. 2020).
Our estimates suggest that BigTechs have fared relatively well in the GDPR era (Figure 2, Panel b). Specifically, we find no significant impact on big tech companies, like Facebook, Apple, and Google, either on earnings or sales. At the same time, among small IT firms, the negative impact on earnings is double the average effect across our entire sample. In other words, the big tech companies have seemingly taken market share from their smaller competitors, offsetting the compliance costs associated with GDPR. Overall, the main GDPR burdens fall on small businesses (Figure 2, panel a).
Figure 2 Estimating the impact of GDPR exposure on company profits and sales: small and large companies and IT companies
To note: The figure presents the average marginal effects of GDPR on profits and log sales. Small businesses have less than 500 employees. IT companies are companies in the NACE Rev. 2 J62 “Computer programming, consultancy and related activities” and J63 “Information service activities. Point estimates are included in 90% confidence intervals.
Our results lead us to conclude that the negative impact of GDPR on performance, both on profits and sales, has been significant for companies operating in the EU. But the main effect has been through increased compliance costs rather than reduced sales. However, these results should be interpreted with caution. First, some of the negative impacts we document could be temporary adjustment costs, meaning that the negative effects of GDPR may lessen in the future. For example, the sharp increase in the number of patents after 2018 likely reflects one-time investments in new GDPR-compliant technologies. Second, if GDPR is widely adopted and becomes a global standard, companies targeting EU residents will be progressively less disadvantaged. Third, we note that our estimates do not take into account the overall effects of regulation on well-being, as the potential benefits for citizens affected by data protection are not taken into account.
Nevertheless, we believe that some changes to the GDPR in its current form would be desirable, given that the regulation has disadvantaged small businesses. Indeed, while European leaders have pledged to reign in the power of bigTech, the GDPR may even have strengthened them by weakening their competitors. Indeed, our findings show that small businesses have been disproportionately affected, both in terms of sales and profits.
Acemoglu, D, A Makhdoumi, A Malekian and A Ozdaglar (2019), “Can we have too much data? », VoxEU.org, 18 November.
Aridor, G, YK Che and T Salz (2020), “The Economic Consequences of Data Privacy Regulation: Empirical Evidence from GDPR”, NBER Working Paper No. 26900.
Bombardini, M (2008), “Company heterogeneity and lobby participation”, Journal of International Economics 75(2): 329-348.
Brill, J (2011), “The intersection of consumer protection and competition in the new world of privacy”, International competition policy 7(1): 6–23.
Chen, C, CB Frey and G Presidente (2022), “Privacy Regulation and Firm Performance: Estimating the GDPR Effect Globally”, The Oxford Martin Working Paper Series on Technological and Economic Change No. 2022-1.
Jia, J, GZ Jin and L Wagman (2019), “The short-term effects of GDPR on tech venture capital investment”, VoxEU.org, 7 January.
Goldfarb, A and CE Tucker (2011), “Privacy Regulation and Online Advertising”, management science 57(1): 57–71.
Johnson, G, S Shriver and S Goldberg (2020), “Privacy and Market Concentration: Intended and Unintended Consequences of GDPR”, available at SSRN.
Peukert, C, S Bechtold, M Batikas and T Kretschmer (2020), “European privacy law and global markets for data”, CEPR Discussion Paper n° 14475