The regulation of Big Tech, the internet, and digital markets in general is a realm of transatlantic divergence. The last decade has seen the European Union (EU) press ahead with its General Data Protection Regulation (GDPR) – which brought about strict laws on data handling – and enact the Digital Markets Act, which designated some firms and platforms as ‘gatekeepers’ and subjected them to tougher regulation. Meanwhile, the UK’s Online Safety Act, which came into force this year, has imposed age-verification checks on many websites. The United States, by contrast, has generally regulated the sector with a lighter touch.
While competing regulatory set-ups in different markets cause more than a few headaches for firms attempting to operate globally, they at least often provide useful case studies for economists and policymakers looking to see which approach works best.
This week, the Clark Center’s European Experts Panel reviewed some of the evidence. There is little doubt that, when it comes to issues around data and privacy, there is a strong case for government action of some kind. The panel was first asked whether “the potential for consumer privacy to be compromised by digital platforms’ use of personal data is sufficient to justify regulations that assign consumers some kind of default control rights over their data?” Weighted by confidence, 96% of respondents either strongly agreed or agreed with the proposition.
Interestingly enough, the US Experts Panel was asked the same question this summer. In that case, 80% of respondents either strongly agreed or agreed. There is then at least a strong consensus that data privacy concerns are a valid issue and that assigning rights to consumers over control of their data would be a useful exercise. As Jan Pieter Krahnen of Goethe University Frankfurt put it, “Data, as we have learned, are a new type of asset. The terms of use, permission and withdrawal, need well-defined rules. Compliance should be observable and enforceable, similar to real or financial assets”.
None of which should be taken to mean that the actual policy package put in place by the EU, in terms of data privacy, is necessarily the correct one. The European Panel was next asked about GDPR and, specifically, whether “To date, EU efforts to regulate use of personal data – primarily the General Data Protection Regulation, GDPR – have been largely ineffective at protecting consumers?”.
The answers here were much more divided, with essentially a three-way split amongst panellists. Weighted by confidence, 5% of respondents strongly agreed, 29% agreed, 37% were uncertain, and 29% disagreed.
Jan Pieter Krahnen, who believes that GDPR has indeed protected consumers, argued that “the energy with which some tech companies lobby against these European data protection standards tells us that they have ‘bite’. Are they perfect? Probably not. So there is room for improvement”.
On the other hand, Julia Cage of Sciences Po made the case that the regulation may have inadvertently strengthened the hand of larger firms: “EU efforts to regulate the use of personal data are essential and go in the right direction. But unfortunately they have been mostly ineffective. E.g. while the GDPR has acted as an effective regulation for small players, it de facto benefited large social media and platforms”.
Christian Leuz of Chicago Booth, who – like a narrow plurality of respondents – was uncertain, pointed to an NBER working paper from 2022 which summarised the economic literature on GDPR. As he noted, “Evidence for GDPR’s effect on consumers is mixed, though there is some evidence for improvements in consumer privacy (e.g., fewer post-GDPR data collection). However, consumers might have also missed out on new innovations”.
His wider point, that GDPR may have impacted European consumers negatively via the effects of missing out on new innovations, was further examined in the final question. This time, the panel was asked whether, “to date, EU efforts to regulate use of personal data – primarily GDPR – have imposed substantial costs on European businesses, slowing innovation and growth”?
This time around, 8% of respondents – as ever, weighted by confidence – strongly agreed and 36% agreed. Just 3% of respondents strongly disagreed, and 18% disagreed. The remaining 34% were uncertain. While far from clear-cut, the panel leaned towards GDPR imposing costs on European firms and slowing innovation and growth.
Luis Garicano of the LSE pointed to a Substack post of his, in which he argued that:
“So, how does GDPR measure up? It has definitely spread privacy norms around the world. That’s the intended Brussels Effect. But there’s also an unintended Brussels Effect: GDPR appears to be making it harder to start and scale EU tech firms, and for firms to store data and to process information.”
Other respondents acknowledged that GDPR has almost certainly imposed costs on businesses operating in Europe, but questioned the link to slowing innovation.
Taken together, the three questions suggest that the European panel believes (like their US counterparts) that there is a very strong case for regulations that assign consumers default control over their data. When it comes to the specifics of GDPR, however, the panel is uncertain whether or not the regulatory framework has been effective at protecting consumers, and leans towards the notion that it has imposed costs on firms and slowed innovation and growth.
Of course, few would argue that regulations around data privacy are cost-free for firms. The real question is whether the benefits to consumers outweigh those costs, and, as with so many empirical questions, it is one where the answer requires more evidence to be gathered.
