November 14, 2018
Europe’s Privacy Rules Are Having Unintended Consequences
Europe may succeed in redirecting innovation from data plundering into other areas. If so, that will be a good thing.
In the short time since it was introduced in May, Europe’s internet privacy regulations have apparently dampened venture investment in European startups. Those who have argued the General Data Protection Regulation favors big industry incumbents such as Google and Facebook will enjoy a “told you so” moment — but, all things considered, it’ll be undeserved.
In a working paper published this week, Jian Jia and Liad Wagman of the Illinois Institute of Technology and Ginger Zhe Jin of the University of Maryland show that, relative to their U.S. counterparts, European technology firms have been receiving less venture funding since the GDPR’s rollout. There’s been a 17.6 percent reduction in weekly venture deals in the EU, and the amount raised in an average deal dropped 39.6 percent. Most of the damage was to newer startups, created less than three years ago.
The researchers used data from Crunchbase, which tracks technology businesses and investments in them, published between July 2017 and September 2018. Before May 2018, the venture deal trends in the EU and the U.S. closely follow each other. Then they diverge as EU investment, especially in earlier-stage ventures, suffers a negative shock. “Those nascent firms that most critically depend on angel investment as well as those firms that are in the process of making the transition from angel investment to venture capital are particularly susceptible to a negative effect from GDPR,” the researchers wrote, predicting that the privacy regulations will result in thousands of lost technology jobs in Europe.
These results appear to fit a line of reasoning that large internet companies pushed before the GDPR took effect: that the new regulation would, contrary to EU officials’ expectations, end up hurting smaller firms rather than the Googles and Facebooks of this world. “A lot of times regulation by definition puts in place rules that a company that is larger, that has resources like ours, can easily comply with but that might be more difficult for a smaller startup,” Facebook Chief Executive Officer Mark Zuckerberg told U.S. Congress.
Coupled with early data that GDPR reinforced the hold of the Google-Facebook duopoly on the digital advertising market, the results of the venture capital study might convince regulators elsewhere, who are considering GDPR-like measures, that privacy regulation is both ineffective and bad for innovation. Google and Facebook have largely pretended to comply with GDPR, but they have the legal firepower to protect their clients from claims that their data-based ad campaigns violate privacy. Smaller companies don’t, so their risks are bigger.
The regulators would be wise not to jump to conclusions, though. GDPR appears to have hurt the giants, too, despite their questionable compliance.
The EU is notoriously slow both at legislating and at enforcing its rules. But the GDPR envisages fines of up to 4 percent global revenue for noncompliance, and if the giants’ risky window-dressing eventually catches up to them, the damage to their top line could be higher in the future.
With the GDPR, Europe has become a more challenging environment for companies big and small whose advertising model depends on trading in their users’ data. Jia, Wagman and Zhe Jin didn’t break down their data by business model, but if companies in the data extraction business receive less funding, Europe as whole and European consumers in particular probably won’t be any worse off.
There’s also the question of data quality; Jia, Wagman and Zhe Jin cautioned in their paper that their dataset was not complete. And indeed, according to Pitchbook, a multinational firm that tracks public and private equity investment, while venture activity in Europe dropped somewhat in the third quarter and is likely to be relatively flat for the year as a whole, the share of capital received by software companies is higher than ever before, which would suggest tech innovation isn’t exactly being stifled.
The GDPR, of course, is a work in progress. Its ultimate effectiveness will depend on how it’s enforced and on whether it’ll succeed in forcing businesses to implement privacy by design rather than as an unwanted afterthought. The new rules are likely, however, to be already affecting the direction of innovation in Europe: Funding, and thus creative energy, is being redirected away from data plundering and into other fields. That differentiation may help the EU’s competitiveness in the long run.