The EU’s GDPR came into effect in 2018 to tackle issues of privacy and personal data. Looking at over 110,700 websites before and after the introduction of the regulation, this column examines its effect on non-EU-based websites and on other policy domains, such as competition or trade policy.
Both EU-based and non-EU-based websites switched to more
privacy-sensitive technologies following GDPR, but only in the short
term. The market for web tracking technologies became more concentrated,
with Google gaining the most market share among large providers.
Privacy regulations can function as nonpecuniary barriers to trade,
especially if enacted by a large economic area.
The Internet has torn down national borders in many aspects of our
daily life. Electronic communication takes place across the globe,
(digital) goods and services are purchased with little regard for their
origin, and media audiences are now global rather than local.
Accordingly, some of the regulatory issues surrounding digital goods
and services transcend regional boundaries. Global firms like Google,
Amazon, Facebook, and Apple have reached such a degree of dominance in
some of their activities that competition policy has taken on a global
dimension. Similarly, users’ privacy concerns apply to websites outside
their geographical region and therefore their legislators’ jurisdiction.
In such a world, regulation is challenging. As international
coordination mechanisms have often proven ineffective, individual
countries and regions have increasingly enacted legal regimes for the
digital world, even if these regimes have spillovers outside their legal
territory. This can lead to competition between countries to become a
leading global digital rule-maker.
For example, some observers say that the EU has de facto externalised
several of its strict regulatory laws outside its border through a
combination of market mechanisms and unilateral regulatory
globalisation, introducing the idea of a 'Brussels effect' (Bradford
2012).
In a recent paper (Batikas et al. 2020), we ask two questions in the
context of the EU’s recently introduced privacy regulation, the General
Data Protection Regulation (GDPR):
- Did the GDPR lead to extraterritorial websites (websites with no
EU-based top-level domain) making changes that are in line with
stricter privacy requirements?
- Did the GDPR, which tackled issues of privacy and personal data,
affect other domains of public and regulatory interest, such as
competition or trade policy?
We follow 110,706 websites, of which about 20% cater to
audiences in the EU, for a total of 18 months, before and after the
introduction of the GDPR. We measure interactions between websites and
third parties by the HTTP requests that websites send. We collect
information about the identity and location of third parties that a
website interacts with, the total number of third-party requests, and
the number of third- and first-party cookies and combine these data with
demographic information about website audiences.
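The per-page metrics described above can be computed as in the following added example, which is not code from Batikas et al. (2020). It assumes that a request is third-party when its registrable domain differs from the page's, uses a tiny constructed stand-in for the Public Suffix List, and runs on a constructed request log; `site_of` and `measure` are hypothetical names.

```python
from urllib.parse import urlsplit

# Assumption: a tiny constructed stand-in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

def site_of(host):
    """Registrable domain (eTLD+1) of a host name, per the stand-in suffix set."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def measure(page_url, requests):
    """Summarise one page load.

    requests: list of (request_url, [names of cookies set by the response]).
    """
    first_party = site_of(urlsplit(page_url).hostname)
    tp_domains, tp_requests = set(), 0
    fp_cookies, tp_cookies = set(), set()
    for url, cookies in requests:
        host = urlsplit(url).hostname
        if host is None:  # data:, blob: and similar URLs have no host
            continue
        site = site_of(host)
        if site == first_party:
            fp_cookies.update(cookies)
        else:
            tp_domains.add(site)
            tp_requests += 1
            # The same cookie name under two different sites counts twice.
            tp_cookies.update((site, name) for name in cookies)
    return {"third_party_domains": sorted(tp_domains),
            "third_party_requests": tp_requests,
            "first_party_cookies": len(fp_cookies),
            "third_party_cookies": len(tp_cookies)}

# Constructed sample: one page load of a hypothetical news site.
SAMPLE_PAGE = "https://www.example-news.co.uk/article"
SAMPLE_REQUESTS = [
    ("https://static.example-news.co.uk/app.js", []),
    ("https://www.example-news.co.uk/api/session", ["sid"]),
    ("https://cdn.tracker-a.example/pixel.gif", ["uid", "seg"]),
    ("https://sync.tracker-a.example/match", ["uid"]),
    ("https://ads.adnet-b.example/slot", []),
    ("data:image/png;base64,AAAA", []),
]

if __name__ == "__main__":
    print(measure(SAMPLE_PAGE, SAMPLE_REQUESTS))
```
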
Our analyses show that the answer to both questions is yes: EU
privacy regulation did indeed spill over, both beyond its territorial
limits and beyond the policy domain it was designed to address.
GDPR: The EU’s state-of-the-art privacy legislation
Designed as the cornerstone of European privacy law, the GDPR became
applicable in 2018 and is often considered the most comprehensive,
globally leading privacy regime. It establishes common rules on data
processing throughout the EU and is directly binding for companies and
residents in the EU and beyond, affecting consumers, firms, and
countries outside the EU through a variety of mechanisms.
The European Commission predicted ex ante that the GDPR would
decrease costs for businesses by harmonising privacy laws across the EU;
decrease overall compliance costs; and increase the attractiveness of
the EU as a location to do business (European Commission 2012:148–9).
The GDPR affected websites and web technology providers either
located within the EU or addressing European consumers. The regulation
also recognised that in data-driven industries, dominance does not
manifest through firms’ ability to dictate prices and/or raise entry
barriers, but rather through control of vast amounts of personally
identifiable information (or privacy-relevant data) that may be monetised
either through fine-grained targeting of consumers or by reselling the
data to third parties for their own targeting and personalisation
efforts.
How did the GDPR affect EU and non-EU websites?
In our data, we see a substantial and sudden drop in the number of
requested third-party domains just after the enactment of the GDPR
(Figure 1A), not only for websites that cater to EU audiences but also
for international websites. We estimate that the reduction is -8.1% (EU)
and -2.4% (non-EU).
However, this change in the number of requested third parties is
short-lived (Figure 1B). According to our model predictions, only four
months after the GDPR, websites with non-EU audiences rebound to the
level directly before the GDPR. Websites with an EU audience revert to
their initial level after 22 months.
© VoxEU.org