GDPR reduced firms’ data and computation use

In 2016, the European Union passed the General Data Protection Regulation, which a handful of researchers have referred to as “the most consequential regulatory development in information policy in a generation.” Focused on data protection, it increases penalties in the case of data breaches and gives consumers far more insight into and control over their online data. That includes any information that can be used to identify an individual — name, email, IP address, and so on — and applies in business-to-business as well as business-to-consumer contexts.

The GDPR affects more than 20 million firms based or operating in the EU and has been emulated in countries around the world. And while it has been hailed as an important step in consumer protection, it has also been a source of concern for companies.

“One of the consequences of privacy regulations is that firms incur costs,” said an assistant professor at MIT Sloan. “We wanted to study how firms respond to this increase in costs, and the GDPR gave us the perfect setting.”

With Dean Li from MIT, Diego J. Jiménez Hernández from the Federal Reserve Bank of Chicago, and Sida Peng from Microsoft, Demirer examined how intensively companies collected and analyzed data before and after GDPR. The researchers found a significant decline on both fronts, which suggests that the GDPR was responsible for a 20% increase in the average cost of data.

This lines up with other surveys that have found compliance with GDPR to be costly, ranging from $1.7 million for small and midsize firms up to $70 million for larger ones, much of this driven by the need to hire more employees and upgrade technology. The GDPR has also resulted in more than 4.5 billion euros ($5 billion) in penalties, including a 1.2 billion euro fine against Meta.

The researchers did not weigh the benefits the GDPR provides to consumers against the costs to firms. But the work suggests that future data regulation could mitigate cost increases by targeting the most sensitive data.

A transatlantic comparison

The explosive growth of cloud computing in recent years provided the tool for studying the GDPR. Historically, firms collected and managed data privately. This atomized landscape made it difficult to observe broad trends within and between firms. By collaborating with one of the world’s largest cloud computing providers, the researchers were given a window into the data usage of thousands of companies at once. This allowed them to look at data collection and use by individual companies over time — from July 2015 to March 2020, in this case. (The GDPR was enacted in 2016 and implemented in 2018.) It also let them separate companies, based on server usage, into those that operate in the U.S. and have no European consumers — a control group not subject to the GDPR — and those that operate in Europe; they excluded multinational companies from their sample.

Looking at data storage and computation, the researchers found several effects associated with the implementation of the GDPR. Most generally, firms in the EU started to decrease the relative amount of data that they stored: a 13% decline in data storage over one year, and a 26% decline over two years. The researchers also observed a 15% decline in computation among EU companies.

Though this trend is universally visible, the greatest decrease in data storage — 40% — occurred among manufacturing firms. For software firms, the figure was 25%; for nonsoftware service firms, it was 18%. The researchers hypothesize that these discrepancies arise because industries like manufacturing aren’t as reliant on data, and as storage becomes more expensive, they can more readily decrease the storage and use of data.

“Data and computation are inputs in a firm’s production process, so when the price of this input goes up, we would expect to see a decline [in its use],” Demirer said. “These responses are an indicator of increasing costs under the GDPR. The second part of our work was to model these costs.”

Modeling the increased cost of data

Basic economics suggests that companies shift the ratio of inputs used in their production process based on costs. If the input “wages” go up, companies try to reduce labor and figure out other ways to keep their processes running. Working backward from this intuition, Demirer and his colleagues estimated the effect of GDPR on the cost of data based on how usage changed among companies in the EU.

They found that, on average, the cost of data storage increased by roughly 20% in the wake of the GDPR. This burden fell most heavily on the smallest firms in their sample — perhaps a reflection of the fact that larger firms have more resources to comply with the regulation. In the end, the GDPR functions like a 25% tax on these smaller companies, the researchers write.

The costs also fell unevenly across industries, with data-intensive sectors facing the highest costs. The software sector absorbed a 24% increase in data costs, followed by manufacturing and software services, both at 18%.

Toward more finely targeted policy

Demirer was careful to make the point that “every policy has benefits and costs, and our study of the costs of the GDPR for companies has nothing to say about its benefits for consumers.” It could be, he noted, that a complete analysis of the regulation’s costs and benefits overwhelmingly favors its implementation. “But even if we don’t know about the benefits of GDPR, our results could be informative about the design of these kinds of privacy policies,” Demirer said.

For one, regulators should think more carefully about which data is most important from a regulatory perspective. The researchers saw a decline in data storage and use across all industries, but the data held by a regional small-parts manufacturer is different from the data held by a national telecom provider. The GDPR could be revised — and similar regulations could be written — to more finely target the most sensitive information.

And questions of equity arise if small firms are affected more severely than large firms. “One implication from this work is that policymakers may want to provide exemptions, if they can, based on firm size,” Demirer said.
 
