Global digital networks with padlocks over Europe
VoxEU Column EU policies International trade

The trade effects of EU adequacy decisions

Policymakers need to balance societal demands to protect data privacy against potential adverse effects on productivity, innovation, and trade. This column analyses the trade impact of the European Commission’s determinations that data protection regulation in a partner country is equivalent to that of the EU, permitting personal data to flow freely to and from the EU. It finds that such decisions increase digital trade by 6% to 14%, with a suggestive club effect for ‘adequate’ countries. The results are mainly driven by the two adequacy decisions granted to the US, revealing the importance of transatlantic mutual recognition for digital trade.

Digital trade is a fast-growing part of the world economy, accounting for 12% to 22% of world trade, depending on the definition of digital goods and services. Growth rates of digital-based services associated with cross-border data flows over online networks have been outpacing all other types of trade (WTO 2023). Such trade is subject to regulations, including requirements pertaining to the protection of personal data crossing borders.

In a previous Vox column, two of us found that the EU’s approach to personal data protection impacts digital trade in different directions (Ferracane and van der Marel 2021). Stronger rights for data subjects at the domestic level are positively associated with digital trade because of increased trust in the digital economy and lower regulatory heterogeneity. On the other hand, the conditional model applied to transfer data across borders did not show any clear impact on trade. One potential explanation is that, while the EU model applies costly conditions for the transfers of data, these conditions do not apply to trading partners that implement ‘adequate’ protection to personal data. 1

The EU can determine whether a third country offers an adequate level of data protection. A positive evaluation requires that countries have a data protection regime ‘essentially equivalent’ to the European one. Between 2000 and 2021, the EU granted adequacy to 15 states or territories. The two decisions pertaining to the US represented an exception as adequacy was granted only to those companies that certify to comply to certain privacy principles and associated requirements. If adequacy is granted, personal data can flow freely from the EU (and Norway, Lichtenstein, and Iceland) to the adequate country, akin to intra-EU data flows. Absent an adequacy decision, companies that want to process data outside the EU are required to rely on (often expensive) mechanisms such as Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs), or exceptionally on derogations for instances when consent is obtained from data subjects for every cross-border transfer of personal data.

In our recent paper (Ferracane et al. 2023) we use a structural gravity model to assess the trade effects of EU adequacy decisions and show how they affect digital trade between the EU and third countries. Our empirical model applies a three-way fixed effects approach and controls for all other possible digital-relevant bilateral covariates, including preferential trade agreements (PTAs) and other enforceable data flow arrangements. As a robustness check we also select all PTAs with data privacy provisions within a digital trade chapter as a control variable instead of our broader preferential trade agreement variable. In addition to the demanding set of fixed effects, we capture potential trend effects that are specific to a country-pair reflecting other digital integration factors, such as increasing bilateral cross-border data flows. These effects control for any higher-than-average change in the trend of bilateral digital trade during the sample period relative to countries without adequacy.

We construct four alternative measures of digital trade given there is no generally accepted definition. The first is the category of ‘Information industries’ in the OECD Trade in Value-Added (TiVA) database, which covers information and communications technology (ICT) goods plus core digital services: IT and information, publishing, and telecom services. We then progressively expand on this by adding business and professional services, financial services, restaurants, accommodation, health, and education services.

We motivate the inclusion of sectors based on three different procedures. The first builds on a proxy for digital intensity used by Ferracane and van der Marel (2021) that measures the ratio of sectoral software expenditures to labour costs using US Census and US Bureau of Labor Statistics data. The second is based on the list of companies that registered under the Privacy Shield Framework maintained by the US Department of Commerce. We compute sectoral shares using information on the primary sector of activity of each firm and compare the sectoral shares of covered companies to all US firms using the US Census, giving an indication of the relative importance of Privacy Shield (and thus cross-border data flows) for each services sector. The third source of information is the OECD-WTO-IMF Handbook on Measuring Digital Trade (OECD-WTO-IMF 2020) which distinguishes between digitally ordered and digitally delivered products and the associated sector of activity. We use the latter category to broaden the scope of the digital sectors considered in the analysis. Altogether, our four definitions range from a narrow to a very broad set of digital goods and services.

We find that the EU adequacy decisions positively affect digital trade between the EU and third countries. This positive trade effect is bounded by one country, namely, the US. The two specific types of adequacy decisions the US received by the EU were both repealed by the European Court of Justice (ECJ). Currently, no adequacy decision exists between the two trading partners, even though a political agreement has been found. Our findings suggest that the lack of an EU-US adequacy decision entails foregone trade gains. In our empirical gravity model, we estimate that a potential transatlantic data deal could enhance digital trade up to 16%. Aside from ICT sectors, such an agreement would benefit other data-intensive sectors, ranging from business services to media entertainment and finance to travel, as well as education and health.

Beyond the two transatlantic partners, other adequacy-receiving countries appear to have benefitted indirectly from the two decisions granted to the US. This is because their digital exports to the US market started to grow as soon as a transatlantic data deal was put in place – a result we call a ‘club effect’. This may reflect the fact that global supply chains in both digital goods and services are spread across many countries. If US firms outsource their data-based activities to third countries with an adequacy determination, the trade cost of doing so is lower as no additional safeguards are required. Insofar as this is the case, our results suggest that the two previous adequacy decisions agreed between the EU and the US had an impact on the composition of digital trade within supply chains: about 7% of digital value-added trade shifted toward the network of countries with adequacy, away from being previously sourced from countries without adequacy (or from the domestic market).

The relationship between adequacy and digital trade might be country specific, with any positive association driven in part by the characteristics of the country considered and those it trades with. To consider such potential country-specificity, we use a synthetic control approach. In the case of Argentina, which was granted adequacy by the EU in 2003, we use other Spanish-speaking countries in our sample to simulate Argentina's digital trade performance had the country not obtained an adequacy decision. While digital trade shows an upward trend for both Argentina and its synthetic control group, we find that the adequacy decision had a significant positive impact on Argentina's digital trade with other countries that also have adequacy status, particularly the US. This outcome corroborates our gravity findings.

Earlier this year, the European Parliament recommended rejecting the European Commission’s proposal for a new adequacy agreement with the US. The Parliament’s Committee on Civil Liberties, Justice and Home Affairs deemed the level of protection in the new EU–US Data Privacy Framework to fall short of equivalence. If EU member countries fail to approve a transatlantic adequacy agreement later this year it is likely to come at a significant cost. Such costs may go beyond the estimates we obtain in our study. The recent record-breaking €1.2 billion fine imposed on Meta Platforms Ireland Inc. puts into question the use of standard contractual clauses (SCCs), the default option for firms located in jurisdictions where there is no adequacy arrangement with the EU. 

Yet another rejection of transatlantic data adequacy in conjunction with uncertainty regarding whether standard contractual clauses can be used by individual companies as a substitute may induce either an exit from the EU market or a switch to facilities that process personal data within the EU. Both outcomes can be expected to be associated with higher costs, with the latter more likely to be feasible for large companies than small and medium enterprises (SMEs), as suggested by the findings in Johnson et al. (2023) that implementation of the GDPR resulted in an increase in the relative concentration of the website vendor market, with the effect persisting over time in the advertising vendor category most scrutinised by regulators.

References

Ferracane, M and E van der Marel (2021), “Regulating personal data: Linking different models to digital services trade”, VoxEU.org, 30 May.

Ferracane, M, B Hoekman, E van der Marel and F Santi (2023), “Digital Trade, Data Protection and EU Adequacy Decisions”, EUI RSC Working Paper 2023/37.

Frey, C B and G Presidente (2022), “The GDPR effect: How data privacy regulation shaped firm performance globally”, VoxEU.org, 10 March.

Johnson, G, S Shriver and S Goldberg (2023), “Privacy and market concentration: intended and unintended consequences of the GDPR”, Management Science.

Meltzer, J and A Mattoo (2018), “Resolving the conflict between privacy and digital trade”, VoxEU.org, 23 May.

OECD-WTO-IMF (2020), Handbook on Measuring Digital Trade: Version 1, OECD-WTO-IMF.

WTO (2023), “Global Trade Outlook and Statistics”, Geneva: WTO.

Footnotes

  1. Meltzer and Mattoo (2018) discuss the EU model of personal data protection; Frey and Presidente (2022) assess the effects of this model on firm performance.

744 Reads