Firm Responses to the EU’s Data Privacy Requirements

Featured in print Digest

This figure is a scatter plot titled "GDPR and Data Storage by EU Firms." The y-axis is labeled "Change in data storage." It ranges from negative 40 percent to 0 percent, increasing in increments of 10 percent. The x-axis is labeled "Quarters relative to General Data Protection Regulation" and ranges from -7 to 7. A vertical dotted line is placed at -1, indicating the quarter preceding the implementation of the EU General Data Protection Regulation in May 2018. To the left of the dotted line, the data points hover around -5 percent. To the right of the dotted line at negative 1 quarters, there is a linear-like gradual decline, with the value reaching approximately -35 percent at 7 quarters relative to the General Data Protection Regulation. The note on the figure reads, "Bars represent 95% confidence intervals." The source line reads, "Source: Researchers’ calculations using cloud computing data."

Data analytics have become a key element of the production of goods and services in industries ranging from manufacturing to finance. New data privacy laws can affect the cost of acquiring, storing, and analyzing data, and ultimately raise production costs for firms. In Data, Privacy Laws and Firm Production: Evidence from the GDPR (NBER Working Paper 32146), Mert Demirer, Diego J. Jiménez Hernández, Dean Li, and Sida Peng study how the European General Data Protection Regulation (GDPR), one of the most influential privacy policies to date, has affected firm decisions about data storage and analysis.

The researchers use data from a global cloud-computing provider to measure firms’ demand for data storage and their use of computational resources before and after the implementation of the GDPR. Their dataset includes monthly information from 2015 to 2021 on storage, computation, the prices firms pay for computing and storage, and the location of the data centers from which firms source the services.

The new privacy requirements affected firms in the European Union (EU) but not those in the United States. The researchers find that the GDPR was associated with a decrease in the rate at which EU firms store and process data relative to their US counterparts. Two years after the GDPR was introduced, EU firms were storing 26 percent less data, on average, than comparable US firms. The level of computation performed by EU firms also declined, by about 15 percent, over these two years, suggesting that regulated firms became less data intensive.

The researchers study how much it costs companies to comply with the GDPR by estimating a production function that includes stored data and computation as key inputs. The two are highly complementary, which means that when the cost of data rises, firms cannot easily switch to using more computational resources to make up for more expensive data resources. The researchers estimate that the GDPR increased the cost of data storage by around 20 percent, with substantial variation both within and across industries. Firms in the software industry, which may be more exposed to the GDPR than those in manufacturing, and smaller firms, which may find compliance more costly, experienced significantly higher cost increases. These increases in firms’ data costs translate into roughly 4 percent increases in information production costs.

— Abigail Hiller

The researchers acknowledge the support of the National Institute on Aging, Grant Number T32-AG000186 and the National Science Foundation Graduate Research Fellowship under Grant No. 214106.