The General Data Protection Regulation (GDPR), the new privacy law for the European Union (EU), went into effect on May 25, 2018. One year later, there is mounting evidence that the law has not produced its intended outcomes; moreover, the unintended consequences are severe and widespread. This article documents the challenges associated with the GDPR, including the various ways in which the law has impacted businesses, digital innovation, the labor market, and consumers.
Specifically, the evidence shows that the GDPR:
- Negatively affects the EU economy and businesses
- Drains company resources
- Hurts European tech startups
- Reduces competition in digital advertising
- Is too complicated for businesses to implement
- Fails to increase trust among users
- Negatively impacts users’ online access
- Is too complicated for consumers to understand
- Is not consistently implemented across member states
- Strains resources of regulators
The GDPR Negatively Affects the EU Economy
- Fifty-five percent of the 539 mergers and acquisitions (M&A) professionals from Europe, Africa, and the Middle East surveyed in July 2018 declared having worked on transactions that did not go through due to concerns about companies’ compliance with the GDPR (Merrill Corporation, 2018).
- Three-quarters (74 percent) of respondents to a survey by Bitkom, Germany’s digital trade association, say that data protection requirements are the main obstacle to the development of new technologies—compared to 63 percent in 2018, and 45 percent in 2017 (Bitkom, 2019).
The GDPR Drains Company Resources
- Over 40 percent of companies, including U.S. firms with a data presence in the EU, had spent $10.1 million (€9 million) on compliance efforts (PriceWaterhouseCoopers, 2017).
- Companies reported spending an average of $1.3 million (€1.2 million) in 2017 on GDPR compliance and were expected to spend an additional $1.8 million (€1.6 million) in 2018 (IAPP and Ernst & Young, 2018).
- The Global Fortune 500 is likely to have spent an estimated €7 billion in compliance costs for GDPR (Forbes, 2018).
- According to an October 2018 survey, a majority of companies (52 percent) that have appointed a data protection officer say they established one for compliance reasons only, and that the role does not serve a valuable business function (IAPP and Ernst & Young, 2018).
- Online tools have been created to weaponize the GDPR against companies, for instance by overloading businesses with GDPR-authorized data requests that must be addressed within 30 days, with the stated purpose to “waste their time” (Ship Your Enemies GDPR, 2019).
The GDPR Hurts European Tech Startups
- Between May 2018 and April 2019, the overall venture funding for EU tech firms decreased by $14.1 million (€12.5 million) per month per member state (Jia, Jin, and Wagman, May 2019).
- Between May 2018 and April 2019, the number of monthly venture deals done with EU tech firms decreased by 26.1 percent and the average amount of money they raised decreased by 33.8 percent (Jia, Jin, and Wagman, May 2019).
- Between May 2018 and April 2019, for young EU ventures (i.e., firms between three and six years old), the number of monthly venture deals decreased by 20.5 percent and the monthly amount invested per member state decreased by $4.4 million (€3.9 million) (Jia, Jin, and Wagman, May 2019).
- Between May 2018 and April 2019, the number of monthly deals for new EU ventures (i.e., three years old or less) decreased by 30.3 percent and the monthly amount invested per member state decreased by $5.2 million (€4.6 million) (Jia, Jin, and Wagman, May 2019).
- For EU ventures whose business activities are “more data-related,” the number of deals decreased by 30.7 percent between May 2018 and April 2019, and the monthly amount invested per member state decreased by $4.3 million (€3.8 million), whereas for “less data-related” firms the number of deals decreased by 15.5 percent, with no significant effect on their total dollar amount per month (Jia, Jin, and Wagman, May 2019).
- Between May 2018 and April 2019, the number of deals decreased by 26.1 percent for the healthcare sector, by 21.3 percent for the financial sector, and by 32.4 percent for the IT sector (Jia, Jin, and Wagman, May 2019).
- Between May 2018 and April 2019, the monthly amount invested per member state decreased by $7.9 million (€7.0 million) for the healthcare sector, by $6.8 million (€6.0 million) for the financial sector, and by $8.2 million (€7.3 million) for the IT sector (Jia, Jin, and Wagman, May 2019).
- The decrease in investments for young ventures caused by the GDPR could result in a yearly loss of up to approximately 30,000 jobs in the EU (Jia, Jin, and Wagman, January 2019).
The GDPR Reduces Competition in Digital Advertising
- Advertising vendors have lost market reach in the EU, particularly smaller players—who lost between 18 and 31 percent between April and July 2018 (WhoTracks.Me, 2018).
- The number of ad vendors, across all types of websites, has decreased by 3.4 percent in the EU post-GDPR overall, compared to an 8.3 percent increase among their U.S. counterparts (WhoTracks.Me, 2018).
- Between May 2018 and July 2018, Google’s tracking code has appeared “on slightly more websites, Facebook’s on 7 percent fewer, while the smallest companies suffered a 32 percent drop” (Wall Street Journal, 2018).
The GDPR Is Too Complicated for Businesses to Implement
- In an October 2018 survey of data protection professionals, more than half (56 percent) of respondents at organizations subject to the GDPR say their organizations are far from compliance or will never comply (IAPP and Ernst & Young, 2018).
- In an October 2018 survey of data protection professionals, one in five (19 percent) respondents at organizations subject to the GDPR say full GDPR compliance is impossible (IAPP and Ernst & Young, 2018).
- In an October 2018 survey of data protection professionals, one-third (32 percent) of respondents at organizations subject to the GDPR either had not established a lead supervisory authority—the main data protection authority an organization deals with when established in the EU—or did not know whether their companies had established one (IAPP and Ernst & Young, October 2018).
- In September 2018, the UK’s ICO disclosed that of the 500 calls per week it receives from companies reporting data breaches, one-third do not meet its reporting threshold (ICO, 2018).
- In an October 2018 survey of data protection professionals, a majority (55 percent) of respondents at organizations subject to the GDPR were concerned about conflicts between the GDPR and other national laws, including 46 percent based in the EU and 68 percent based in the United States (IAPP and Ernst & Young, 2018).
The GDPR Has Failed to Increase Trust
- The GDPR—which the EU has touted as the gold standard for data protection rules—has had virtually no impact on consumer trust in the digital economy: Six months after it went into effect, consumer trust in the Internet was at its lowest in a decade (European Commission, 2018).
- Four out of five (81 percent) Europeans who provide personal information online feel they have no control or partial control over this information (European Commission, June 2019).
- Compared to 2015, there are now nine European countries where Internet users are less likely to feel they have at least some control over their personal information, five where they are more likely to feel they have partial control, and the remainder have had no change (European Commission, June 2019).
- The European Commission has found that “at a country level there is no consistent relationship between awareness of GDPR and the level of control respondents feel they have over the personal information they post online” (European Commission, June 2019).
The GDPR Negatively Impacts Users’ Online Access
- Two months after the GDPR went into effect, a third of the largest U.S. news websites had to block access for users in the EU, as they had not yet managed to comply (Nieman Lab, 2018).
- As of March 2019, 1,129 U.S. news websites remain blocked, including Pulitzer Prize-winning publishers like the Chicago Tribune (O’Connor, 2019).
- Companies have interrupted some of their online services in the EU because of concerns over complying with the GDPR; these include Czech platform Seznam, which had to shut down its student social network, and online gaming company Gravity Interactive, which blocked European users from accessing its games and services (CNN Business, 2018).
- In August 2018, one of Finland’s highest courts ruled that the GDPR’s “right to be forgotten” could give a convicted murderer the right to have publicly available information about his crime removed from Google search listings, superseding the country’s and the EU’s own laws protecting freedom of speech and the right to access information (Center for Data Innovation, 2018).
The GDPR Is Too Complicated for Consumers to Understand
- Nearly two-thirds of Europeans (63 percent) have never heard of the GDPR (31 percent) or do not know exactly what it is (32 percent) (European Commission, June 2019).
- In Estonia, a country with high digital literacy, 71 percent of the population has never heard of the GDPR or does not know exactly what it is (European Commission, June 2019).
- A majority of Spaniards (57 percent), Romanians (52 percent), and Hungarians (52 percent) do not know about the existence of a data protection authority, and among those who are aware of one, a majority of Dutch (57 percent) and Swedish (54 percent) respondents would not know whom to turn to with privacy complaints (European Commission, June 2019).
- In France, Italy, and Belgium, respectively, 55 percent, 50 percent, and 47 percent of the population surveyed has never heard of the GDPR (European Commission, June 2019).
The GDPR Is Not Consistently Implemented Across Member States
- As of May 2019, Greece, Portugal, and Slovenia still had not fully adopted national legislation to comply with the GDPR (European Commission, May 2019).
The GDPR Strains Resources of Regulators
- The UK’s Information Commissioner’s Office (ICO) said its staff and services were overwhelmed by companies “over-reporting” potential data breaches because of concerns over high penalties if they failed to notify the data protection authority (DPA) within the GDPR’s tight 72-hour reporting deadlines (ICO, 2018).
- A spokesman for CNIL, the French DPA, declared that “the resources of the CNIL are insufficient” to enforce the GDPR (Wall Street Journal, 2019).
References
Bitkom, “Annual Survey: Bitkom draws mixed conclusion regarding GDPR implementation” (May 16, 2019), https://www.bitkom.org/Presse/Presseinformation/Bitkom-zieht-gemischte-Jahresbilanz-zur-DS-GVO.
Center for Data Innovation, “The EU’s Right to Be Forgotten Is Now Being Used to Protect Murderers” (September 21, 2018), https://www.datainnovation.org/2018/09/the-eus-right-to-be-forgotten-is-now-being-used-to-protect-murderers/.
CNN Business, “These companies are getting killed by GDPR” (May 11, 2018), https://money.cnn.com/2018/05/11/technology/gdpr-tech-companies-losers/index.html.
European Commission, “Special Eurobarometer 487a, The General Data Protection Regulation” (June 2019), http://ec.europa.eu/commfrontoffice/publicopinion/index.cfm/survey/getsurveydetail/instruments/special/surveyky/2222.
European Commission, “GDPR in Numbers” (May 2019), https://ec.europa.eu/commission/sites/beta-political/files/infographic-gdpr_in_numbers_0.pdf.
European Commission, “Trust in the Internet” (November 2018), http://ec.europa.eu/commfrontoffice/publicopinion/index.cfm/Chart/getChart/themeKy/18/groupKy/93.
Forbes, “The GDPR Racket: Who’s Making Money From This $9bn Business Shakedown” (May 2, 2018), https://www.forbes.com/sites/oliversmith/2018/05/02/the-gdpr-racket-whos-making-money-from-this-9bn-business-shakedown/#38765ac234a2.
IAPP and Ernst & Young, “Annual Governance Report 2018” (IAPP and Ernst & Young, 2018), https://iapp.org/resources/article/iapp-ey-annual-governance-report-2018/.
Information Commissioner’s Office, “CBI Cyber Security: Business Insight Conference. ICO Deputy Commissioner (Operations) James Dipple-Johnstone – speech to the CBI Cyber Security: Business Insight Conference” (ICO, September 12, 2018), https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/09/cbi-cyber-security-business-insight-conference/.
Jian Jia, Ginger Zhe Jin, and Liad Wagman, “The Short-Run Effects of GDPR on Technology Venture Investment” (May 31, 2019), http://dx.doi.org/10.2139/ssrn.3278912.
Jian Jia, Ginger Zhe Jin, and Liad Wagman, “The short-run effects of GDPR on technology venture investment” (VOX CEPR Policy Portal, January 7, 2019), https://voxeu.org/article/short-run-effects-gdpr-technology-venture-investment.
Merrill Corporation, “GDPR Burdens Hinder M&A Transactions in the EMEA Region, According to Merrill Corporation Survey” (Merrill Corporation, November 13, 2018), https://www.merrillcorp.com/us/en/company/news/press-releases/gdpr-burdens-hinder-m-a-transactions-in-the-emea-region.html.
Nieman Lab, “More than 1,000 U.S. news sites are still unavailable in Europe, two months after GDPR took effect” (August 7, 2018), https://www.niemanlab.org/2018/08/more-than-1000-u-s-news-sites-are-still-unavailable-in-europe-two-months-after-gdpr-took-effect/.
Joseph O’Connor, “Websites not available in the European Union after GDPR” (March 20, 2019), https://data.verifiedjoseph.com/dataset/websites-not-available-eu-gdpr.
PriceWaterhouseCoopers, “Pulse Survey: GDPR budgets top $10 million for 40% of surveyed companies” (December 9, 2017), https://www.pwc.com/us/en/services/consulting/library/general-data-protection-regulation-gdpr-budgets.html.
Ship Your Enemies GDPR, “Ship Your Enemies GDPR” (n.d.), https://shipyourenemiesgdpr.com/.
Wall Street Journal, “European Privacy Regulators Find Their Workload Expands Along With Authority” (April 12, 2019), https://www.wsj.com/articles/european-privacy-regulators-find-their-workload-expands-along-with-authority-11555061402.
Wall Street Journal, “Beware the Big Tech Backlash” (December 19, 2018), https://www.wsj.com/articles/beware-the-big-tech-backlash-11545227197.
WhoTracks.Me, “GDPR – What happened?” (September 3, 2018), https://whotracks.me/blog/gdpr-what-happened.html.