The General Data Protection Regulation (GDPR), the new privacy law for the European Union (EU), went into effect on May 25, 2018. One year later,  there is mounting evidence that the law has not produced its intended outcomes; moreover, the unintended consequences are severe and widespread.  This article documents the challenges associated with the GDPR, including the various ways in which the law has impacted businesses, digital innovation, the labor market, and consumers.

Specifically, the evidence shows that the GDPR:

1. Negatively affects the EU economy and businesses
2. Drains company resources
3. Hurts European tech startups
4. Reduces competition in digital advertising
5. Is too complicated for businesses to implement
6. Fails to increase trust among users
7. Negatively impacts users’ online access
8. Is too complicated for consumers to understand
9. Is not consistently implemented across member states
10. Strains resources of regulators

Below you will find a few highlights. You can also download the full report, with references to all sources (9 pages pdf, direct download).

The GDPR Negatively Affects the EU Economy

• Fifty-five percent of the 539 mergers and acquisitions (M&A) professionals from Europe, Africa, and the Middle East surveyed in July 2018 declared having worked on  transactions that did not go through due to concerns about companies’ compliance with the GDPR  (Merrill Corporation, 2018).
• Three-quarters (74 percent) of respondents to a survey by Bitkom, Germany’s digital trade association, say that  data protection requirements are the main obstacle to the development of new technologies —compared to 63 percent in 2018, and 45 percent in 2017 (Bitkom, 2019).

The GDPR Drains Company Resources

• Over 40 percent of companies, including U.S. firms with a data presence in the EU, had spent $10.1 million (€9 million) in compliance efforts (PriceWaterhouseCoopers, 2017).
•  The Global Fortune 500 is likely to have spent an estimated €7 billion in compliance costs for GDPR  (Forbes, 2018).
• According to an October 2018 survey,  a majority of companies (52 percent) that have appointed a data protection officer say they established one for compliance reasons only, and that the role does not serve a valuable business function  (IAPP and Ernst & Young, 2018).
• Online tools have been created to weaponize the GDPR against companies, such as overloading businesses with GDPR-authorized data requests that must be addressed within 30 days with the stated purpose to “waste their time” (Ship Your Enemies GDPR, 2019).

The GDPR Hurts European Tech Startups

• Between May 2018 and April 2019, the overall venture funding for EU tech firms decreased by $14.1 million (€12.5 million) per month per member state (Jia, Jin, and Wagman, May 2019).
• Between May 2018 and April 2019,  the number of monthly venture deals done with EU tech firms decreased by 26.1 percent and the average amount of money they raised decreased by 33.8 percent  (Jia, Jin, and Wagman, May 2019).
• The decrease in investments for young ventures caused by the  GDPR could result in a yearly loss of up to approximately 30,000 jobs in the EU  (Jia, Jin, and Wagman, January 2019).

The GDPR Reduces Competition in Digital Advertising

• Advertising vendors have lost market reach in the EU, particularly smaller players—who lost between 18 and 31 percent between April and July 2018 (WhoTracks.Me, 2018).
• The number of ad vendors, across all types of websites, has decreased by 3.4 percent in the EU post-GDPR overall, compared to an increase of their U.S. counterparts by 8.3 percent (WhoTracks.Me, 2018).
•  Between May 2018 and July 2018, Google’s tracking code has appeared “on slightly more websites, Facebook’s on 7 percent fewer, while the smallest companies suffered a 32 percent drop” (Wall Street Journal, 2018). 

The GDPR is Too Complicated for Businesses to Implement

• In an October 2018 survey of data protection professionals, more than half  (56 percent) of respondents at organizations subject to the GDPR say their organizations are far from compliance or will never comply  (IAPP and Ernst & Young, 2018).
• In an October 2018 survey of data protection professionals, one in five (19 percent) respondents at organizations subject to the GDPR say full GDPR compliance is impossible (IAPP and Ernst & Young, 2018).
• In an October 2018 survey of data protection professionals, a majority (55 percent) of respondents at organizations subject to the GDPR were concerned about conflicts between the GDPR and other national laws, including 46 percent based in the EU and 68 percent based in the United States (IAPP and Ernst & Young, 2018).

The GDPR Has Failed to Increase Trust

• The GDPR—which the EU has touted as the gold standard for data protection rules—has had  virtually no impact on consumer trust in the digital economy: Six months after it went into effect, consumer trust in the Internet was at its lowest in a decade  (European Commission, 2018).
• The European Commission has found that “at a country level there is no consistent relationship between awareness of GDPR and the level of control respondents feel they have over the personal information they post online” (European Commission, June 2019).

The GDPR Negatively Impacts Users’ Online Access

• Two months after the GDPR went into effect, a third of the largest US news websites had to block access to the EU as they had not yet managed to comply (Nieman Lab, 2018).
• As of March 2019, 1,129 U.S. news websites remain blocked, including Pulitzer prize-winning publishers like the Chicago Tribune (O’Connor, 2019).

The GDPR is Too Complicated for Consumers to Understand

•  Nearly two-thirds of Europeans (63 percent) have never heard of the GDPR (31 percent) or do not know exactly what it is (32 percent)  (European Commission, June 2019).

The GDPR Strains Resources of Regulators

• The UK’s Information Commissioner’s Office (ICO) said its staff and services were overwhelmed by companies “over-reporting” potential data breaches because of concerns over high penalties if they failed to notify the data protection authority (DPA) within the GDPR’s tight 72-hour reporting deadlines (ICO, 2018).

Conclusion

Download the full report (9 pages pdf, direct download, no opt-in).

While the idea behind GDPR was noble, the implementation and the current reality is far from ideal. Instead of serving the people it so far it mainly creates additional hurdles for online users and the businesses, benefiting only the biggest (Facebook and Google).

Nice try, now make it better please. Thank you.

What the Evidence Shows About the Impact of the GDPR After One Year

PS. Oh, and all those pesky additional pop-ups to click! Seems like the online experience is degrading with time, instead of improving. It sometimes takes 5+ clicks to even get to even see the first page! It’s hard to implement a “5 clicks to checkout” rule when you used all of them before even showing a thing to a potential customer.