Unintended Consequences: GDPR Edition

By James Pethokoukis of AEI.

"The purpose of the EU’s General Data Protection Regulation—which went into effect in May 2018—is to protect personal online data in a unified way across the region. It sharply limits what companies can do with user data without explicit consent and lets people request their online data. You’ve surely seen the permission screens or “consent interfaces” as you’ve clicked from site to site.

But that’s not all the GDPR does. Of course not. It’s a sweeping privacy rule that covers a huge and diverse economic sector. There are inevitably going to be unintended consequences. And we continue to find more and more of them, which should be a caution flag for American policymakers eager to replicate GDPR-like internet regulation here in the US.

In the new NBER working paper “GDPR and the Lost Generation of Innovative Apps” (Rebecca Janßen, Reinhold Kesler, Michael E. Kummer, and Joel Waldfogel), researchers find the following after analyzing data on some 4 million apps at the Google Play Store from 2016 to 2019:

We document that GDPR induced the exit of about a third of available apps; and in the quarters following implementation, entry of new apps fell by half. We estimate a structural model of demand and entry in the app market. Comparing long-run equilibria with and without GDPR, we find that GDPR reduces consumer surplus and aggregate app usage by about a third. Whatever the privacy benefits of GDPR, they come at substantial costs in foregone innovation.

Specifically: About a third of existing apps exited the market in the year after GDPR’s implementation, while the rate of app entry fell by nearly half. The results also sync with other research finding that the “implementation of GDPR had an immediate, pronounced, and negative effect on investment.”

Of course, as the researchers add, none of this necessarily means GDPR was a mistake: “A full evaluation of GDPR requires a tallying of the potential beneficial effects on privacy, along with its various unintended consequences such as increases in market concentration, undermining revenue models for content production, and – here – reducing beneficial innovation.” Yet one wonders: If EU lawmakers had been aware of such consequences before GDPR was adopted, would their next steps have been different? One might like to think so."