A New Study Lays Bare the Cost of the GDPR to Europe’s Economy: Will the AI Act Repeat History? – Center for Data Innovation

The most surefire way to preclude any serious debate around EU technology policy is to point to the economic costs regulations create. Take the recent push of Europe’s privacy lobby to ban personalized ads, a spectacular policy own goal that would deprive European businesses of about €16B in revenue. Unable to rebut this empirical finding, activists instead turned to what is now their standard response: ad hominem attacks and bad faith reasoning, foregoing serious discussion in favor of allegations of “cynical lobbying” or “SME-washing.” Last year a report explaining how the EU’s impact assessment of the AI Act is seriously flawed and massively underestimates the cost of the regulation was met with a similar response: critics penned elaborate responses to explain why the common-sense notion that complex compliance laws raise the cost of doing business is actually false. It is one thing if advocates argue that the moral imperative for a certain regulation is so overwhelming that the costs are justified—but instead, they ignore the costs and attempt to delegitimize those who raise them.

Those pushing for greater regulation have had success with this playbook. The General Data Protection Regulation (GDPR) is the EU’s flagship technology law. The European Commission flaunts it as an enormous success story, and the GDPR now forms the philosophical and architectural blueprint for most of the EU’s technology regulation efforts. When the Commission released the GDPR draft, it was accompanied by an impact assessment that claimed the law would end up saving the European economy €2.3B annually. While the GDPR did benefit the European economy by harmonizing the previously fragmented data protection laws across member states, a simpler and less onerous EU-wide privacy could have provided the harmonization benefits without imposing massive compliance and other regulatory costs. Yet some still make completely evidence-free claims that the GDPR “has been an economic boon, not only to Big Tech but to startups and the digital economies of many European member states.”

A newly published paper by three Oxford University economists makes plain the sheer scale of the economic damage the GDPR wrought on Europe’s businesses. The first systematic review of the costs GDPR imposes on businesses reveals shocking findings. On the whole, European businesses exposed to the law saw their profits shrink by an average of 8.1 percent. The main burden falls on SMEs, which experienced an average decline in profits of 8.5 percent. In the IT sector, profits of small firms fell by 12.5 percent on average. Large firms, too, are affected, with profits declining by 7.9 percent on average. Curiously, large firms in the IT sector saw the smallest decline in profits, of “only” 4.6 percent. Specifically, the authors find “no significant impacts on large tech companies, like Facebook, Apple and Google, on either profits or sales,” putting to bed the myth that U.S. technology firms are the enemy of regulation because it hits their bottom lines. If anything, it hits their competitors. As other studies have shown, bureaucratically complex laws like GDPR build barriers to entry into the digital economy, and thus end up concentrating the market share of large incumbents.

In light of the damning finding that EU tech regulations willfully shred the digital potential of European businesses, it is frightening that the Commission continues to peddle the myth that the GDPR and other such laws give “businesses opportunities to make the most of the digital revolution.” In the IT sector, in particular, the hit to SME profits is twice as big as in other industries. This doesn’t bode well for the impact of the AI Act, which is similarly poised to impose many new obligations on European firms.

Just like today with the AI Act, analysts at the time the GDPR was drafted pointed out that the Commission’s regulatory impact assessment suffered from serious defects. Then, as now, the regulatory impact assessment failed to adequately consider the law’s cost because it failed to take its full scope into account. In fact, the UK’s Justice Ministry published its own impact assessment in 2012, after the European Commission released its initial proposal for the GDPR, and found the EU overestimated the benefits of a harmonized data protection law across the single market, whilst at the same time failing to include key compliance costs that the GDPR would create and under-estimating the law’s administrative burden. In a sad case of history repeating itself, a technical analysis of the AIA’s scope and cost impact found, once more, that “co-legislators need to re-calculate certification costs,” because the impact assessment does not account for factors like external consulting costs as well as internal compliance and audit costs.

The point is not to deny the need for regulation, but to have an objective and empirically based conversation around how to reduce the costs of such laws. Serious proposals to reform the GDPR exist, and a number of policymakers hope to reduce  the costs the AI Act will impose on businesses. The EU needs a strong and vibrant digital economy if it is to succeed in the highly competitive global economy. Already there are worrying signs that the EU is falling behind in the AI race. Parroting the policy shibboleth that regulation will, far from costing the EU economy billions, give European businesses a leg-up, is a dangerous case of burying one’s head in the sand and ignoring all the evidence to the contrary. As such, it’s time for EU policymakers to stop paying attention to activists who ignore costs and the impact of regulations on EU competitiveness, and instead focus more on objective analysis.