GDPR & European Innovation Culture: What the Evidence Shows

Adam Thierer
13 min readFeb 5, 2023

In an earlier essay, I explored “Why the Future of AI Will Not Be Invented in Europe” and argued that, “there is no doubt that European competitiveness is suffering today and that excessive regulation plays a fairly significant role in causing it.” This essay summarizes some of the major academic literature that leads to that conclusion.

Since the mid-1990s, the European Union has been layering on highly restrictive policies governing online data collection and use. The most significant of the E.U.’s recent mandates is the 2018 General Data Protection Regulation (GDPR). This regulation established even more stringent rules related to the protection of personal data, the movement thereof, and limits what organizations can do with data. Data minimization is the major priority of this system, but there are many different types of restrictions and reporting requirements involved in the regulatory scheme. This policy framework also has ramifications for the future of next-generation technologies, especially artificial intelligence and machine learning systems, which rely on high-quality data sets to improve their efficacy.

Whether or not the E.U.’s complicated regulatory regime has actually resulted in truly meaningful privacy protections for European citizens relative to people in other countries remains open to debate. It is very difficult to measure and compare highly subjective values like privacy across countries and cultures. This makes benefit-cost analysis for privacy regulation extremely challenging — especially on the benefits side of the equation.

What is no longer up for debate, however, is the cost side of the equation and the question of what sort of consequences the GDPR has had on business formation, competition, investment, and so on. On these matters, standardized metrics exist and the economic evidence is abundantly clear: the GDPR has been a disaster for Europe.

Summary of Major Studies on Impact of EU Data Regulation

Consider the impact of E.U. data controls on business startups and market structure. GDPR and other regulations greatly limit the flow of data to innovative upstarts who need it most to compete, leaving only the largest companies who can afford to comply to control most of the market. Benjamin Mueller of ITIF notes that it is already the case that just “two of the world’s 30 largest technology firms by market capitalization are from the EU,” and only “5 of the 100 most promising AI startups are based in Europe,” while private funding of AI startups in Europe for 2020 ($4 billion) was dwarfed by US ($36 billion) and China ($25 billion). These issues are even more pressing as the E.U. looks to advance a new AI Act, which would layer on still more regulatory restrictions.

In concrete terms, this has meant that the E.U. came away from the digital revolution with “the complete absence of superstar companies,” argue competition policy experts Nicolas Petit and David Teece. There are no European versions of Microsoft, Google, or Apple, even though Europeans clearly demand the sort of products and services those US-based companies provide. Entrepreneurialism scholar Zoltan Acs asks: “What has been the outcome of E.U. policy in limiting entrepreneurial activity over recent decades?” His conclusion:

It is immediately clear… that the United States and China dominate the platform landscape. Based on the market value of top companies, the United States alone represents 66% of the world’s platform economy with 41 of the top 100 companies. European platform-based companies play a marginal role, with only 3% of market value.

Several recent studies have documented the costs associated with the GDPR and the E.U.’s heavy-handed approach to data flows more generally. Here is a rundown of some of the academic evidence and a summary of the major findings from these studies.

“There is a growing body of economic literature and commentary showing that the costs of implementing the GDPR benefit large online platforms, and that consent-based data collection gives a competitive advantage to firms offering a range of consumer-facing products compared to smaller market actors. This in turn increases concentration in a number of digital markets where access to data is important, by creating barriers to entry or encouraging market exit.” (p. 2–3)

“this paper examines how privacy regulation shaped firm performance in a large sample of companies across 61 countries and 34 industries. Controlling for firm and country-industry-year unobserved characteristics, we compare the outcomes of firms at different levels of exposure to EU markets, before and after the enforcement of the GDPR in 2018. We find that enhanced data protection had the unintended consequence of reducing the financial performance of companies targeting European consumers. Across our full sample, firms exposed to the regulation experienced a 8% decline in profits, and a 2% reduction in sales. An exception is large technology companies, which were relatively unaffected by the regulation on both performance measures. Meanwhile, we find the negative impact on profits among small technology companies to be almost double the average effect across our full sample. Following several robustness tests and placebo regressions, we conclude that the GDPR has had significant negative impacts on firm performance in general, and on small companies in particular.” (p. 1)

“We show that websites’ vendor use falls after the European Union’s General Data Protection Regulation (GDPR), but that market concentration also increases among technology vendors that provide support services to websites. We collect panel data on the web technology vendors selected by more than 27,000 top websites internationally. The week after the GDPR’s enforcement, website use of web technology vendors falls by 15% for EU residents. Websites are more likely to drop smaller vendors, which increases the relative concentration of the vendor market by 17%. Increased concentration predominantly arises among vendors that use personal data such as cookies, and from the increased relative shares of Facebook and Google-owned vendors, but not from website consent requests. Though the aggregate changes in vendor use and vendor concentration dissipate by the end of 2018, we find that the GDPR impact persists in the advertising vendor category most scrutinized by regulators. Our findings shed light on potential explanations for the sudden drop and subsequent rebound in vendor usage.” (p. 1)

GDPR creates inherent tradeoffs between data protection and other dimensions of welfare, including competition and innovation. While some of these effects were acknowledged when constructing the legal data regime, many were disregarded. Furthermore, the magnitude and breadth of such effects may well constitute an unintended and unheeded welfare-reducing consequence. As this article shows, the GDPR limits competition and increases concentration in data and data-related markets, and potentially strengthens large data controllers. It also further reinforces the already existing barriers to data sharing in the EU, thereby potentially reducing data synergies that might result from combining different datasets controlled by separate entities.” (pp. 3–4)

“Using data on 4.1 million apps at the Google Play Store from 2016 to 2019, we document that GDPR induced the exit of about a third of available apps; and in the quarters following implementation, entry of new apps fell by half. We estimate a structural model of demand and entry in the app market. Comparing long-run equilibria with and without GDPR, we find that GDPR reduces consumer surplus and aggregate app usage by about a third. Whatever the privacy benefits of GDPR, they come at substantial costs in foregone innovation.”

“this paper empirically quantifies the effects of the enforcement of the EU’s General Data Protection Regulation (GDPR) on online user behavior over time, analyzing data from 6,286 websites spanning 24 industries during the 10 months before and 18 months after the GDPR’s enforcement in 2018. A panel differences estimator, with a synthetic control group approach, isolates the short- and long-term effects of the GDPR on user behavior. The results show that, on average, the GDPR’s effects on user quantity and usage intensity are negative; e.g., the numbers of total visits to a website decrease by 4.9% and 10% due to GDPR in respectively the short- and long-term. These effects could translate into average revenue losses of $7 million for e-commerce websites and almost $2.5 million for ad-based websites 18 months after GDPR. The GDPR’s effects vary across websites, with some industries even benefiting from it; moreover, more-popular websites suffer less, suggesting that the GDPR increased market concentration.”

“This paper investigates the impact of the General Data Protection Regulation (GDPR for short) on consumers’ online browsing and search behavior using consumer panels from four countries, United Kingdom, Spain, United States, and Brazil. We find that after GDPR, a panelist exposed to GDPR submits 21.6% more search terms to access information and browses 16.3% more pages to access consumer goods and services compared to a non-exposed panelist, indicating higher friction in online search. The implications of increased friction are heterogeneous across firms: Bigger e-commerce firms see an increase in consumer traffic and more online transactions. The increase in the number of transactions at large websites is about 6 times the increase experienced by smaller firms. Overall, the post-GDPR online environment may be less competitive for online retailers and may be more difficult for EU consumers to navigate through.”

“Privacy regulations should increase trust because they provide laws that increase transparency and allow for punishment in cases in which the trustee violates trust. […] We collected survey panel data in Germany around the implementation date and ran a survey experiment with a GDPR information treatment. Our observational and experimental evidence does not support the hypothesis that the GDPR has positively affected trust. This finding and our discussion of the underlying reasons are relevant for the wider research field of trust, privacy, and big data.”

“We follow more than 110,000 websites and their third-party HTTP requests for 12 months before and 6 months after the GDPR became effective and show that websites substantially reduced their interactions with web technology providers. Importantly, this also holds for websites not legally bound by the GDPR. These changes are especially pronounced among less popular websites and regarding the collection of personal data. We document an increase in market concentration in web technology services after the introduction of the GDPR: Although all firms suffer losses, the largest vendor — Google — loses relatively less and significantly increases market share in important markets such as advertising and analytics. Our findings contribute to the discussion on how regulating privacy, artificial intelligence and other areas of data governance relate to data minimization, regulatory competition, and market structure.”

William Rinehart of the Center for Growth and Opportunity has compiled and summarized many additional studies that document the costs associated with restrictions on data, including many state privacy laws imposed in the United States.

“The Biggest Loser”: Innovation Culture Gone Wrong

Taken together, this evidence makes it clear that, “Well-meaning privacy laws can have the unintended consequence of penalizing smaller companies within technology markets.” It can also have broader geopolitical ramifications for continental competitive advantage and engagement between countries. Some have argued that the United Kingdom’s so-called “Brexit” from the EU can be viewed as not only an effort to reclaim its sovereignty but more specifically “to escape its crippling regulatory structure.” The E.U.’s approach to emerging technology regulation likely had some bearing on this. Acs argues that Britain’s move was logical, “because E.U. regulations were holding back the U.K.’s strong DPE (digital platform economy).” “If the United Kingdom was to realize its economic potential,” he says, “it had to extricate itself from the European Union,” due to the growing “dysfunctional E.U. bureaucracy.”

Can Europe turn things around? Most market watchers do not believe that the E.U. will be willing to change its regulatory course in such a way that the continent would suddenly become more open to data-driven innovation. As part of a Spring 2022 journal symposium, The International Economy asked 11 experts from Europe and the U.S. to consider where the European Union currently stood in “the global tech race.” The responses were nearly unanimous and bluntly summarized in the symposium’s title: “The Biggest Loser.” Several respondents observed how “Europe is considered to be lagging behind in the global tech race,” and “is unlikely to become a global hub of innovation.” “The future will not be invented in Europe,” another respondent concluded. Europe’s risk-averse culture and preference for meticulously detailed and highly precautionary regulatory regimes were repeatedly cited as factors.

Europe has become the biggest loser on the digital technology front not because of their people but because of their policy. Europe is filled with some of the most important advanced education and engineering programs in the world, and countless brilliant minds there could be leading world-leading digital technology companies that could rival the U.S., China, and the rest of the world. But Europe’s current “innovation culture” simply will not allow it.

Innovation culture refers to “the various social and political attitudes and pronouncements towards innovation, technology, and entrepreneurial activities that, taken together, influence the innovative capacity of a culture or nation.” A positive innovation culture depends upon a dynamic, open economy that encourages new entry, entrepreneurialism, continuous investment, and the free movement of goods, ideas, and talent.

At this point in time, it is clear that — at least for data-driven sectors — the E.U. has created the equivalent of an anti-innovation culture, and the GDPR has clearly played a major rule in that outcome. This regulatory regime has also had devastating consequences for venture capital formation and investment more generally in Europe. “Public policy and attitudes explain the relative technological decline and lack of economic dynamism,” Petit and Teece argue, and it has resulted in, “weak venture capital markets, fragmented research capabilities, low worker mobility and frustrated entrepreneurs.”

Industrial Policy Won’t Save Europe

While the E.U. is aggressively regulating data-driven sectors, it is simultaneously trying to use industrial policy programs to advance new technological capabilities and innovations. European policymakers would obviously like to avoid a repeat of the past quarter century and the lack of digital technology competition and innovation they witnessed.

But past European industrial policy efforts on the digital technology front have largely failed, as Connor Haaland and I documented earlier. Zoltan Acs notes that, despite many state efforts to promote digital innovation across the continent in recent decades, the E.U.’s regulatory policies have resulted in the opposite. “The European Union protected traditional industries and hoped that existing firms would introduce new technologies. This was a policy designed to fail,” he argues. A major recent book, Questioning the Entrepreneurial State: Status-quo, Pitfalls, and the Need for Credible Innovation Policy (Springer, 2022), offers additional evidence of the failure of European industrial policy efforts. No amount of industrial policy planning and spending is going to be able to overcome a negative innovation culture that suffocates entrepreneurialism and investment out of the gates.

These findings have lessons for policymakers in the United States, too, especially with President Biden and even many Republicans now calling for heavy-handed top-down regulation of digital technology companies. Basically, “President Biden Wants America to Become Europe on Tech Regulation,” I argued in a recent R Street Institute blog post. In a letter to the Wall Street Journal, I responded to recent opeds by both President Biden and former Trump Administration Attorney General William Barr in which they both advocated regulations that would take us down the disastrous path that the European Union has already charted.

“The only thing Europe exports now on the digital-technology front is regulation,” I noted in my response, and that makes it all the more mind-boggling that Biden and Barr want to go down that same path. “Overregulation by EU bureaucrats led Europe’s best entrepreneurs and investors to flee to the U.S. or elsewhere in search of the freedom to innovate.” This is the wrong innovation culture for the United States if we hope to be a leader in the Computational Revolution that is unfolding — and match expanding efforts by the Chinese to top us at it.

In closing, policymakers should never lose sight of the most fundamental lesson of innovation policy, which can be stated quite simply: You only get as much innovation as you allow to begin with. If the public policy defaults are all set to be maximally restrictive and limit entrepreneurialism and experimentation by design, then it should be no surprise when the country or continent fails to generate meaningful innovation, investment, new companies, and global competitive advantage. The European model is no model for America.

Additional reading:

--

--

Adam Thierer

Analyst covering the intersection of emerging tech & public policy. Specializes in innovation & tech governance. https://www.rstreet.org/people/adam-thierer