The GDPR effect: How data privacy regulation shaped firm performance globally

Paper by Carl Benedikt Frey and Giorgio Presidente:  “…To measure companies’ exposure to GDPR, we exploit international input-output tables and compute the shares of output sold to EU markets for each country and 2-digit industry. We then construct a shift-share instrument interacting this share with a dummy variable taking the value one from 2018 onwards.

Based on this approach, we find both channels discussed above to be quantitatively important, though the cost channel consistently dominates. On average, across our full sample, companies targeting EU markets saw an 8% reduction in profits and a relatively modest 2% decrease in sales (Figure 1). This suggests that earlier studies, which have focused on online outcomes or proxies of sales, provide an incomplete picture since companies have primarily been adversely affected through surging compliance costs. 

While systematic data on firms’ IT purchases are hard to come by, we can explore how companies developing digital technologies have responded to GDPR. Indeed, taking a closer look at some recent patent documents, we note that these include applications for technologies like a “system and method for providing general data protection regulation (GDPR) compliant hashing in blockchain ledgers”, which guarantees a user’s right to be forgotten. Another example is a ‘Data Consent Manager’, a computer-implemented method for managing consent for sharing data….

While the results reported above show that GDPR has reduced firm performance on average, they do not reveal how different types of firms have been affected. As is well-known, large companies have more technical and financial resources to comply with regulations (Brill 2011), invest more in lobbying (Bombardini 2008), and might be better placed to obtain consent for personal data processing from individual consumers (Goldfarb and Tucker 2011). For example, Facebook has reportedly hired some 1,000 engineers, managers, and lawyers globally in response to the new regulation. It also doubled its EU lobbying budget in 2017 on the previous year, when GDPR was announced. Indeed, according to, Google, Facebook and Apple now rank among the five biggest corporate spenders on lobbying in the EU, with annual budgets in excess of €3.5 million.

While these are significant costs that might reduce profits, the impact of the GDPR on the fortunes of big tech is ambiguous. As The New York Times writes, “Whether Europe’s tough approach is actually crimping the global tech giants is unclear… Amazon, Apple, Google and Facebook have continued to grow and add customers”. Indeed, by being better able to cope with the burdens of the regulation, these companies may have increased their market share at the expense of smaller companies (Johnson et al. 2020, Peukert et al. 2020). …(More)”.