What do we know about the impact of the General Data Protection Regulation (GDPR), the European Union law—passed in 2016, implemented in 2018—meant to enhance individuals’ control over their data? GDPR requires organizations to obtain consent for data collection, ensure data portability, and protect user privacy. It also applies to all companies processing EU residents’ data, regardless of the company’s location.
Well, a 2022 National Bureau of Economic Research (NBER) working paper, “GDPR and the Lost Generation of Innovative Apps,” found that GDPR significantly affected the EU app market. New app entries fell 47 percent, with successful new apps dropping 40 percent. App exits surged from 100,000 to 600,000 per quarter post-implementation. These effects seemed to stem from increased compliance costs, regulatory uncertainty, and risk aversion among developers. As many critics had predicted, GDPR favored larger companies with more resources, leading to market consolidation.
From the paper’s conclusion: “Whatever the privacy benefits of GDPR, they come at substantial costs in foregone innovation.”
Then there’s a 2021 study, “The Persisting Effects of the EU General Data Protection Regulation on Technology Venture Investment,” that found a persistent decline in the number of venture investment deals for EU technology firms compared to US counterparts. This impact persisted for two and half years after GDPR implementation, though the magnitude of the effect decreased over time.
From the paper:
Our findings indicate a persisting reduction in the number of investment deals in nascent European technology ventures following the implementation of the legislation in comparison to technology ventures in the United States. As a result, policymakers considering tighter data regulations should weigh these costs against the potential benefits.
Both studies show that the GDPR story is a great example of how public policy generates trade-offs, a story that should help inform how American policymakers think about AI regulation. If only their European counterparts had. This from Bloomberg columnist Lionel Laurent:
European startups, rather than spying opportunity in the current US tech world’s wobbles, say they’re struggling with the complexity of the EU AI Act. Its risk-based approach ramps up requirements on data transparency, disclosure and oversight depending on whether the use case is minimal (spam filters), limited (chatbots) or high risk (job recruitment) — with some use cases simply banned. The definitions are extensive, and it may be that far more than the estimated 5%-15% of high-risk systems out there get classified as such, potentially saddling small firms with compliance costs upwards of six figures. Then there’s the extra red tape on general-purpose AI like OpenAI’s ChatGPT, which will require disclosure on training data and respect of copyright law. Clearly a good idea in principle, but there could be unintended consequences from the decision to create an extra sub-category for “systemically risky” high-powered models that could become the norm for all large models within a year. The extra requirements may disincentivize growth and keep small developers operating in a niche market, rather than encourage them to obtain a Brussels seal of approval.
The real kicker here is that Gabriele Mazzini, architect of the EU’s AI Act, told Laurent in an interview that he now worries the law’s reach is too broad and fears the high regulatory bar may discourage European companies due to legal uncertainty. This potentially entrenches big US tech firms with the resources to comply. Mazzini suggests Brussels’ rule-making process has blind spots, including a tendency to over-regulate and a lack of startup experience.
Incredible stuff. A bias toward overregulation and a lack of input from entrepreneurs are missteps American regulators and legislators would be wise to avoid. Europe continues to provide all the examples they should need.
The post GDPR, AI, and Regulatory Humility appeared first on American Enterprise Institute – AEI.