Financial Consequences of the GDPR

In April 2016, the European Union (EU) passed the General Data Protection Regulation (GDPR). The regulation, implemented in May 2018, establishes the rules for how the personal data of EU residents may be processed. While the key objective was to give individuals more control over their data, it also encourages companies to reduce their reliance on personal data for activities like marketing.

The case of the GDPR highlights a delicate balance facing policymakers around the world. While personal data is a critical factor of production, it is also a contentious subject for policymakers seeking to balance the privacy concerns of their populations against the dynamism of their economies.

Yet, we know very little about the impacts of the GDPR on both companies and innovation. Though some pioneering studies exist, they have been confined to outcomes like online activity, hiding the broader economic impacts of the GDPR, and might even deliver a distorted picture to policymakers concerned with its potential unintended consequences.

In a new study, entitled Privacy Regulation and Firm Performance: Estimating the GDPR Effect Globally, Chinchih Chen, Carl Benedikt Frey, and Giorgio Presidente from the Oxford Martin School provide the first systematic assessment of the impacts of the GDPR on the economy as a whole, exploring how companies’ profits and sales were impacted across 61 countries.

The study finds that companies targeting EU markets saw an 8% reduction in profits and a modest 2% decrease in sales. But these negative effects were not spread evenly. The study shows large technology companies did not experience statistically significant negative impacts on either profits or sales as a result of the GDPR.

While we document significant adverse effects of the GDPR on both companies’ profits and sales, the main impact has been through rising compliance costs rather than reduced sales. However, our findings must be interpreted with caution, nor can they necessarily be extrapolated into the future.

The EU hopes to export the GDPR to the rest of the world and several countries have already moved to adopt similar data privacy regulations. Over time, this might level the playing field across countries, putting companies targeting EU residents at less of a disadvantage.