Personal data are a key factor of production in the modern world. But they are also a contentious issue for policymakers looking to balance the data privacy concerns of citizens against the dynamism of their economies (Acemoglu et al. 2019). Against this background, the EU implemented the General Data Protection Regulation (GDPR) in May 2018. The prime objective was to give individuals better control over their data, making it more difficult and expensive for firms to commercialise them. According to The New York Times, GDPR has made Europe “the world’s leading tech watchdog”. Meanwhile, others have raised concerns over its impacts on European competitiveness. In the words of Axel Voss, a member of the European Parliament, “Europe’s obsession with data protection is getting in the way of digital innovation”.
Yet, so far, GDPR has largely been implemented in an empirical vacuum. Though some pioneering studies have examined the impact of privacy regulation on online activity and technology ventures (Aridor et al. 2020, Jia et al. 2019), we know close to nothing about how GDPR has impacted the economy as a whole. In particular, online outcomes are silent on compliance costs and effects on firm performance beyond e-commerce. Missing the broader impacts of GDPR could deliver a misleading picture to policymakers concerned with its potential unintended consequences.
To fill this empirical void, we examine the impact of GDPR on firms’ profits and sales across all sectors of the economy in 61 countries (Chen et al. 2022). In our view, understanding its effects is particularly crucial as the GDPR is swiftly becoming a global blueprint for regulating data privacy. All firms that target EU consumers have to comply, regardless of where they are incorporated, meaning that companies from Silicon Valley to Shenzhen are potentially affected by it. Several countries, including Brazil, Canada and South Korea, are already in the process of passing similar data protection laws. As Vera Jourova, the European commissioner in charge of data privacy revealingly puts it, “[i]f we can export this [the GDPR] to the world, I will be happy”.
GDPR at a glance
In principle, GDPR might affect firm performance in two ways. First, because companies must use GDPR-compliant processes and technologies, it creates costs and reduces profits. For example, giving EU residents the right to access, correct, delete, and port their personal data requires companies to either develop or buy IT systems that support these requirements. Anecdotal evidence suggests that these costs can be substantial. According to PwC (2018), some companies spend over €10 million annually on compliance.
Second, the regulation might adversely affect e-commerce and thus lower sales. As we all know, GDPR prohibits websites from sharing user data with third parties without the consent of each user. Valid consent must also be affirmative, which makes data collection more expensive and could reduce companies’ ability to extract personal data. But in addition, users might incur a cost as well when prompted to give consent to use their data. If this is the case, we would expect to see a reduction in online sales as a consequence.
Performance and patenting
To measure companies’ exposure to GDPR, we exploit international input-output tables and compute the shares of output sold to EU markets for each country and 2-digit industry. We then construct a shift-share instrument interacting this share with a dummy variable taking the value one from 2018 onwards.
Based on this approach, we find both channels discussed above to be quantitatively important, though the cost channel consistently dominates. On average, across our full sample, companies targeting EU markets saw an 8% reduction in profits and a relatively modest 2% decrease in sales (Figure 1). This suggests that earlier studies, which have focused on online outcomes or proxies of sales, provide an incomplete picture since companies have primarily been adversely affected through surging compliance costs.
While systematic data on firms’ IT purchases are hard to come by, we can explore how companies developing digital technologies have responded to GDPR. Indeed, taking a closer look at some recent patent documents, we note that these include applications for technologies like a “system and method for providing general data protection regulation (GDPR) compliant hashing in blockchain ledgers”, which guarantees a user’s right to be forgotten. Another example is a ‘Data Consent Manager’, a computer-implemented method for managing consent for sharing data.
These are not just isolated examples. Overall, we document a marked increase in patenting among companies in information technology in response to the implementation of GDPR.
Figure 1 Estimated impact of exposure to the GDPR on firm profits and sales
Note: The figure presents the average marginal effects of GDPR on log profits and log sales. The point estimates are included in 90% confidence intervals.
Small versus large companies
While the results reported above show that GDPR has reduced firm performance on average, they do not reveal how different types of firms have been affected. As is well-known, large companies have more technical and financial resources to comply with regulations (Brill 2011), invest more in lobbying (Bombardini 2008), and might be better placed to obtain consent for personal data processing from individual consumers (Goldfarb and Tucker 2011). For example, Facebook has reportedly hired some 1,000 engineers, managers, and lawyers globally in response to the new regulation. It also doubled its EU lobbying budget in 2017 on the previous year, when GDPR was announced. Indeed, according to LobbyFacts.eu, Google, Facebook and Apple now rank among the five biggest corporate spenders on lobbying in the EU, with annual budgets in excess of €3.5 million.
While these are significant costs that might reduce profits, the impact of the GDPR on the fortunes of big tech is ambiguous. As The New York Times writes, “Whether Europe’s tough approach is actually crimping the global tech giants is unclear... Amazon, Apple, Google and Facebook have continued to grow and add customers”. Indeed, by being better able to cope with the burdens of the regulation, these companies may have increased their market share at the expense of smaller companies (Johnson et al. 2020, Peukert et al. 2020).
Our estimates suggest that BigTechs have fared relatively well in the age of GDPR (Figure 2, Panel b). Specifically, we find no significant impacts on large tech companies, like Facebook, Apple and Google, on either profits or sales. At the same time, among small companies in information technology, the negative profit impact is double the average effect across our full sample. Large technology companies, in other words, have seemingly taken market share from their smaller competitors, offsetting the compliance costs associated with GDPR. Overall, the main burdens of GDPR have fallen on smaller companies (Figure 2, Panel a).
Figure 2 Estimated impact of exposure to the GDPR on firm profits and sales: Small vs large and IT firms
Note: The figure presents the average marginal effects of the GDPR on log profits and log sales. Small firms have less than 500 employees. IT firms are firms in NACE Rev. 2 industries J62 “Computer programming, consultancy and related activities” and J63 “Information service activities. The point estimates are included in 90% confidence intervals.
Our findings lead us to conclude that the adverse performance impact of GDPR on both profits and sales have been significant for companies operating in the EU. But the main effect has occurred through rising compliance costs rather than reduced sales. That said, these results must be interpreted with caution. First, some of the adverse impacts we document might be temporary adjustment costs, meaning that the negative effects of GDPR might taper off in the future. For example, the marked increase in patenting after 2018 probably reflects one-off investments in new GDPR-compliant technologies. Second, if GDPR is widely adopted and becomes a global standard, companies targeting EU residents will gradually become less disadvantaged. Third, we note that our estimates do not capture the aggregate welfare effects of the regulation since potential benefits to citizens concerned with data protection are unaccounted for.
Nonetheless, we believe that some modifications to GDPR in its current form would be desirable, taking into account that the regulation has put smaller companies at a disadvantage. Indeed, while European leaders have pledged to reign in the power of bigTech, GDPR might even have strengthened them by weakening their competitors. Indeed, our findings show that smaller companies have been disproportionally adversely impacted, both in terms of sales and profits.
Acemoglu, D, A Makhdoumi, A Malekian and A Ozdaglar (2019), “Can we have too much data?”, VoxEU.org, November 18.
Aridor, G, Y K Che and T Salz (2020), “The economic consequences of data privacy regulation: Empirical evidence from GDPR”, NBER Working Paper No.26900.
Bombardini, M (2008), “Firm heterogeneity and lobby participation”, Journal of International Economics 75(2): 329-348.
Brill, J (2011), “The intersection of consumer protection and competition in the new world of privacy”, Competition Policy International 7(1): 6–23.
Chen, C, C B Frey and G Presidente (2022), “Privacy Regulation and Firm Performance: Estimating the GDPR Effect Globally” ,The Oxford Martin Working Paper Series on Technological and Economic Change No. 2022-1.
Jia, J, G Z Jin and L Wagman (2019), “The short-run effects of GDPR on technology venture investment”, VoxEU.org, January 7.
Goldfarb, A and C E Tucker (2011), “Privacy regulation and online advertising”, Management Science 57(1): 57–71.
Johnson, G, S Shriver and S Goldberg (2020), “Privacy & market concentration: Intended & unintended consequences of the GDPR”, available at SSRN.
Peukert, C, S Bechtold, M Batikas and T Kretschmer (2020), “European privacy law and global markets for data”, CEPR Discussion Paper No. 14475