Five years after the RGPD came into force, the economic literature has looked at its economic impact on businesses. Most of these studies focus on the costs without sufficiently measuring the benefits for businesses and the welfare gains for individuals.

It may seem a superfluous exercise to study the economic impact of the implementation of the General Data Protection Regulation (GDPR) in Europe since 2018: isn’t the purpose of this regulation to protect the fundamental rights of Europeans? Don’t businesses have to comply with this text in any case? Hasn’t the RGPD also become a global standard, inspiring many countries?

By harmonising the rules on personal data protection in Europe, the GDPR has created an area of free data circulation. The digital economy, which is largely based on the use of personal data, cannot develop without the confidence of citizens, guaranteed by a high level of data protection. Implementing the RGPD therefore has major economic implications for France and its businesses.

After 5 years of application of the RGPD, the economic literature has taken up this subject in order to shed light on its impact, particularly for businesses, mainly on the basis of empirical work devoted to the link between these regulations and growth, innovation and competition.

An investment in compliance, a nuanced impact

The economic literature often emphasises the initial and recurring costs to businesses of implementing the RGPD. These costs are real and unavoidable: they correspond to a collective European preference that should be assumed, all the more so as all companies are in the same boat. In reality, this cost is an investment in compliance, with economic benefits.

When reading these studies, we must above all guard against a simplistic approach, because personal data is a very specific economic object: it is rarely traded commercially, it is not free to produce, but it can be copied at virtually no cost. In the absence of regulation, it can give rise to asymmetries of information between the service and the user, with the latter having only a fragmented view of how their data is used. The well-being of the individuals concerned may be affected by “negative externalities” (which occur when an activity generates unintended negative consequences for other economic players – for example, the resale of data may lead to a flow of unwanted solicitations).

As a result, one of the virtues of the GDPR may be that, by providing better information and greater rationality in choices, it will close “market loopholes” (reducing the nuisance caused by advertising solicitations or profiling, for example) and make possible economic transactions that would not be possible in the absence of protection (such as voluntary participation in a health study).

Furthermore, the effects of the implementation of the GDPR on French companies are nuanced: studies report impacts in both directions, depending on the economic activity and the nature of the business model considered. While some operations are more regulated (such as canvassing or the resale of customer data, for example), others are facilitated by the increase in customer confidence.

Methodological difficulties

Economic impact studies follow an experimental approach, based on measured data, in an attempt to establish an objective approach. This presupposes the ability to compare, for example, companies subject to the GDPR and a “control” group not subject to the GDPR, “all other things being equal”.

Despite these approaches, from a methodological point of view it is complicated to isolate the specific effect of the RGPD in relation to the economic context and the varied behaviours of the players. It is with the accumulation of studies, if they are convergent, that the major trends will emerge.

Similarly, while many of the studies concern traditionally poorly regulated sectors, where the impact of the RGPD is greatest (e-commerce, online advertising, marketing), the results for these sectors cannot be generalised to the economy as a whole. However, a more general, macroeconomic approach has not been carried out at this stage due to the difficulties inherent in modelling personal data issues.

Taking into account the benefits for businesses and individuals

The results of the studies are interesting, but their scope is incomplete: they deal only marginally with the benefits of compliance for businesses, which are less easy to observe. However, from a qualitative point of view, there is a return on investment from RGPD compliance, in terms of reputation in the eyes of customers and partners, IT security, knowledge of the “data” available within a company or operational savings, for example. It would be useful for economists to attempt to objectify these gains in order to carry out a genuine cost/benefit analysis.

Similarly, the implementation of the RGPD has led to significant gains in well-being for consumers, who now have greater control over their data and are better able to assess the risks of disseminating it. More vigilant, they are less prone to fraudulent use of their data or irritants such as abusive canvassing, which cause economic damage.

However, these gains are not directly observable on a market and are therefore difficult to measure. Only a quantified comparison between the effect on businesses and the effect on individuals will make it possible to confirm (or refute) whether this regulation has brought a net benefit to society as a whole.

Lessons for the regulator

Although the economic studies carried out to date have focused mainly on the costs incurred by the implementation of the RGPD, and we await a new stage in which the benefits are analysed in detail, there are nevertheless a number of lessons to be learned for the CNIL. Firstly, they validate the relevance of the regulator’s support approach, which consists of providing companies with tools tailored to their needs, thereby reducing the cost of compliance, as well as providing legal certainty through reference frameworks, advice or best practice guides.

Secondly, these studies show that privacy should be considered as a public good. Its protection does not arise spontaneously from the operation of markets or even from individual behaviour, but has a “libertarian paternalism” dimension (i.e. organising conditions in which people are encouraged to behave in a way that protects them). The regulator’s action facilitates individual choices that help to establish a high level of data protection. This, in turn, benefits all players in the digital markets, by creating a framework of trust that is essential to their development (development of French Tech since 2017, for example).

Finally, these studies show that the RGPD is proportionally more favourable to large economic players, who have more resources to devote to compliance, but who are nevertheless more regularly audited. The regulator must actively offset this trend by adopting a demanding policy towards large players, and even more so with very large players, in proportion to the risks they pose and the resources at their disposal. Thus, as stated in the joint CNIL-Competition Authority declaration of December 2023, the CNIL is already taking on, and will take on even more in the future, an asymmetrical dimension to its regulatory action on digital markets, combined with a full understanding of business models, for the benefit of individuals and the protection of their fundamental rights.

https://www.cnil.fr/fr/limpact-economique-du-rgpd-5-ans-apres