The economic impact of GDPR, 5 years on
Five years after the GDPR came into force, the economic literature has examined its economic impact on firms. Most of these studies focused on costs and insufficiently captured the benefits for businesses and the welfare gains for individuals.
Studying the economic impact of the General Data Protection Regulation (GDPR) in Europe since 2018 might seem like a dispensable exercise: isn't the purpose of this regulation to protect the fundamental rights of Europeans? Isn't compliance mandatory for firms anyway? Hasn't the GDPR become an international benchmark, inspiring many countries?
By harmonizing personal data protection rules in Europe, the GDPR has created a space where data can flow freely. The digital economy relies heavily on the use of personal data and as such cannot develop without the trust of citizens, which is ensured by a high level of data protection. The GDPR therefore has significant economic implications for France and its businesses.
After 5 years of GDPR implementation, economists have tried to shed light on its impact, particularly for firms, mainly through empirical work estimating the impact of the regulation on growth, innovation and competition.
An investment in compliance, a nuanced impact
The economic literature often highlights the costs of implementing the GDPR for businesses. These costs are real and inevitable: they reflect a collective European preference that must be accepted, especially since all firms are on the same footing. In fact, this cost is an investment in compliance, which has economic benefits.
When reading these studies, one should avoid a simplistic approach, as personal data is a very specific economic object: it is rarely traded commercially, it is not free to produce, but it can be copied at virtually no cost. In the absence of regulation, data can give rise to information asymmetries between the service and the user, with the latter having only a fragmented view of how their data is used. The well-being of individuals can be affected by "negative externalities", which occur when an activity generates unintended negative consequences for other economic actors (for example, the resale of data may lead to a flow of unwanted advertising).
As a result, some of the benefits of GDPR may be to limit “market failures” by providing better information and enabling more rational choices (e.g. reducing the disutility caused by advertising solicitations or profiling) and to enable economic transactions that would not be possible without protection (e.g. voluntary participation in a health study).
Furthermore, the impact of GDPR on companies is nuanced: studies report positive or negative impacts depending on the nature of the business model considered. While some activities are more affected (such as canvassing or the resale of customer data), others are facilitated by the increase in customer trust.
Methodological difficulties
Economic impact studies are inspired by the experimental approach and use data to measure the impact of a policy in an objective manner. As such, they rely on the ability to compare companies subject to GDPR with a counterfactual "control" group not subject to it, all other things being equal.
In this attempt, it is methodologically difficult to isolate the specific effects of GDPR. Indeed, the economic context or the strategy of actors can spill over to the control groups, and it is quite difficult to find a credible counterfactual for the European Union. Only by accumulating converging scientific evidence can one convincingly assess the main effects of the regulation.
Similarly, many studies have focused on less regulated sectors, where the impact of the GDPR would be stronger (e-commerce, online advertising, marketing), but the results for these sectors cannot be generalized to the economy as a whole. However, a more general, macroeconomic approach has not been undertaken at this stage, given the difficulties of modelling data protection issues.
Considering the benefits for firms and individuals
The results of the studies are interesting, but their scope is incomplete: they deal only marginally with the benefits of compliance for companies, because the latter are more difficult to observe. However, with a qualitative approach, we find that there are returns on investment from GDPR compliance in terms of reputation in the eyes of customers and partners, IT security, knowledge of the data available within a company, operational savings, etc. It would be interesting for economists to try to quantify these gains in order to carry out a more complete cost-benefit analysis of GDPR.
Similarly, the implementation of GDPR has led to significant gains in welfare for consumers, who now have greater control over their data and are better able to measure the risks associated with sharing them. They are more vigilant, less subject to fraudulent use of their data or irritants like abusive canvassing, which causes economic harm.
However, these benefits are not directly observable in a market and are therefore difficult to measure. Only a quantified comparison between the impact on firms and the impact on individuals will make it possible to confirm (or refute) whether this regulation has brought a net benefit to the welfare of society as a whole.
Lessons for the regulator
Although the economic studies carried out so far have mainly focused on the costs of GDPR, and as one awaits further studies dealing with its benefits in more detail, there are nevertheless a number of lessons to be learned for the CNIL. First, they confirm the relevance of the regulator's advice strategy, which consists of providing companies with tools tailored to their needs, thereby reducing compliance costs, as well as providing legal certainty through reference frameworks, advice and best practice guidance.
Second, these studies show that privacy should be considered as a public good. Its protection does not arise spontaneously from the operations on the market or from individual behavior, but has a "libertarian paternalism" dimension (i.e. organizing conditions in which people are encouraged to behave in a way that protects them). The regulator's action in facilitating individual choices contributes to a high level of data protection. This, in turn, benefits all actors in the digital markets, by creating a framework of trust that is essential for their development (see, for example, the development of French Tech since 2017).
Finally, these studies show that GDPR, in relative terms, tends to favor large economic actors, which have more resources to allocate to compliance but are nevertheless audited more regularly. The regulator must actively combat this trend by adopting a demanding stance towards large actors, and even more so towards very large actors, in proportion to the risks they pose and the resources they have at their disposal. Thus, as stated in the joint declaration between CNIL and Autorité de la concurrence (December 2023), CNIL already embraces, and will increasingly embrace, an asymmetric dimension in its regulatory action on digital markets, combined with a full understanding of business models, for the benefit of individuals and the protection of their fundamental rights.