On 25 May 2018, the EU’s sweeping new data law went into effect. The General Data Protection Regulation (GDPR) is comprised of 99 articles that outline how EU businesses – and many global firms that service EU citizens – must enforce a higher degree of consumer privacy or face steep penalties.
The concerns that drove these regulations are real, and the goals they pursue are admirable. At a time when data security is a significant public concern, some have celebrated GDPR as "the most important change in data privacy regulation in 20 years.” In the US, after multiple high-profile data breaches at some of America’s most prominent companies, some believe the solution is to simply import GDPR.
However, data regulation entails tradeoffs, even within the consumer population (Acquisti et al. 2016). On the one hand, individuals may value their privacy, the security of their personal information, and the ability to more readily exercise control over their data. As GDPR strengthens consumer rights regarding their personally identifiable information, it could benefit those who prefer better data protection. On the other hand, restricting firms' access to data can result in outcomes that consumers do not like, such as higher prices (Taylor and Wagman 2014) or fewer innovations. To the extent that GDPR increases the cost of compliance, existing economic theories also show that compliance costs can disproportionately impact nascent firms (Campbell et al. 2015) and reduce new venture formation (Krasteva et al. 2015).
In a recent paper, we empirically investigate whether GDPR has had an impact on technology venture investment and, thus, potentially on innovation and job creation, in the several months following its rollout (Jia et al. 2018). To do so, we use data on venture deals in the EU and US taking place in between July 2017 and October 2018 from Crunchbase – a platform for tracking technology-venture related funding and other activities. Following Bertrand et al. (2004), we use a difference-in-differences framework that compares the differences of the pre- and post-GDPR periods in the EU and US. This statistical methodology allows us to control for various macroeconomic factors, seasonality, and to empirically quantify the effect of GDPR on venture deals at both the aggregate level and at the deal level. Put simply, the observed effects were immediate, pronounced, and negative.
EU technology firms, on average, experienced double-digit percentage declines in venture funding relative to their US counterparts after GDPR went into effect. At our aggregate unit of observation, EU venture funding decreased by $3.38 million at the mean of $23.18 million raised per week per state per crude technology category.1 This reduction takes place in both the intensive margin (the average dollar amount raised per round of funding, which decreased 39%) and the extensive margin (the number of deals, which incurred a 17% average drop).
GDPR’s effect is particularly pronounced for young (0–3 year old) EU ventures, where an average reduction of 19% in the number of deals is observed. From the US Census data, we know business startups contribute substantially to gross and net job creation (Haltiwanger et al. 2013). If GDPR leads to fewer new ventures and less capital per venture, there could be fewer jobs as a result. Our back-of-the-envelope calculation suggests that the investment reduction for young ventures could translate into a yearly loss between 3,604 to 29,819 jobs in the EU, corresponding to 4.09% to 11.20% of jobs created by 0–3 year old ventures in our sample.
The main ‘shock’ with GDPR was not that it was coming – we knew that for years. What we didn’t know was how large firms would implement the GDPR guidelines for the small businesses operating on their platforms. Their policies, revealed only days before the GDPR effective date,2 could explain why GDPR’s rollout appears to have had a considerable impact on small technology ventures.
Of course, there are caveats to these findings. First of all, GDPR has only been in effect in the EU for a short time, and the effects we’ve observed may be temporary, with investors potentially taking a wait-and-see approach. More importantly, the analysis does not constitute a complete cost-benefit analysis. We do not quantify any benefits that may arise to individual consumers as they obtain more control over their data as a result of GDPR. Nor do we interpret the results as a welfare loss. An investment reduction in technology ventures could even be beneficial if firms that are potentially harmful from a societal perspective do not come to fruition. Similarly, data regulation like GDPR could encourage new types of innovation further down the road.
Also, since our sample focuses on a comparison between the EU and US, we do not capture the short-run or long-run effects outside these two areas. To the extent that capital flows freely across continents, our results may overestimate the effect of GDPR if the reduced investment in the EU translates to additional support for US ventures, or underestimate it if the reduced investment reflects a reluctance to invest anywhere. Furthermore, we do not single out the UK or Brexit from the rest of the EU, because the UK is a member state and is bound by GDPR in our sample period. That being said, we control for any fixed characteristics of EU member states in all our specifications. We also include linear time trends for the EU and US separately in our robustness checks, and we tested whether the effects we detect kick in any time before May 2018 – presumably, if the expectation of Brexit were the driving factor for average venture investment in the EU as a whole, we would have noticed the effects in prior months, and we did not. We are therefore confident that Brexit is not driving our results.
As similar policies and legislations roll out in other states and countries, would we expect to see similar consequences? It is difficult to generalise the results outside our statistical framework. Every jurisdiction has its own considerations and may thus adopt different approaches and enforcement plans. The proposed regulations we have seen emerging in North America are quite different from GDPR. For instance, the proposed monetary penalties are different, smaller ventures with less than a billion dollars in revenue are potentially exempted, and some legislation, such as the California Consumer Privacy Act of 2018, are primarily centred around an opt-out rather than opt-in approach. While the difference between opt-out and opt-in seems subtle, it has to do with the default. Under opt-in, the default is that data cannot be used; under opt-out, the default is that data is used unless a user chooses to change that. This subtle variation can have major implications for firms (Kim and Wagman 2015).
Taking these considerations into account, one thing is still clear – we live in a world where data is exploding at an exponential rate, where we create upwards of 2.5 quintillion bytes of data each day. Our economy relies on this data to drive innovation. When it comes to adopting new policies about data restrictions, the sweeping scope of GDPR is very different from a sectoral approach that differentiates industries or firm types. A comparison of these two approaches is something worth studying, and it is certainly worth considering a dynamic policy approach that embraces nuance, that is evaluated in specific markets, and that balances data usability and competition with data security and data concentration.
Acquisti, A, C Taylor and L Wagman (2016), “The economics of privacy," Journal of Economic Literature 54(2): 442–492.
Bertrand, M, E Duflo and S Mullainathan (2004), “How much should we trust differences-in-differences estimates?" Quarterly Journal of Economics 119(1): 249–275.
Campbell, J, A Goldfarb and C Tucker (2015), “Privacy regulation and market structure," Journal of Economics & Management Strategy 24(1): 47–73.
Haltiwanger, J, R S Jarmin and J Miranda (2013), “Who creates jobs? Small versus large versus young," Review of Economics and Statistics 95(2): 347–361.
Kim, J H and L Wagman (2015), “Screening incentives and privacy protection in financial markets: A theoretical and empirical analysis,” RAND Journal of Economics 46(1): 1–22.
Krasteva, S, P Sharma and L Wagman (2015), “The 80/20 rule: Corporate support for innovation by employees,” International Journal of Industrial Organization 38(1): 32–43.
Jia, J, G Z Jin and L Wagman (2018), “The short-run effects of GDPR on technology venture investment,” NBER, Working Paper 25248.
Taylor, C and L Wagman (2014), “Consumer privacy in oligopolistic markets: Winners, losers, and welfare,” International Journal of Industrial Organization 34(1): 80–84.
 We consider two such categories, one that groups healthcare and finance ventures, and the other that groups all other ventures.
 Apple reportedly removed apps that share location data on 9 May 2018, and updated its privacy terms on 23 May 2018. Facebook announced on 10 May 2018 that “Businesses may want to implement code that creates a banner and requires affirmative consent”, and that “each company is responsible for ensuring their own compliance". Shopify updated its app permissions for merchants and developers on 24 May 2018. Google released new consent requirements to developers on 24 May 2018. All of these occurred shortly before GDPR took effect on 25 May 2018.