CNIL asesses GDPR impact
As General Data Protection Regulation (GDPR) passed 5 years mark being in force, the CNIL – the French data protection authority (DPA) – asessed the economic impact of GDPR on businesses and individuals in Europe, highlighting the costs, benefits, methodological challenges, and lessons for regulators.
The economic impact of the GDPR on businesses and individuals in Europe has been a topic of interest five years after its introduction. While many studies have focused on the costs for firms, the benefits for businesses and individuals have not been fully explored. Harmonizing personal data protection rules under the GDPR has created a space for data to flow freely, influencing the digital economy’s reliance on personal data for development.
Investing in GDPR compliance is often seen as a cost for businesses, but it can also be viewed as an investment with economic benefits. The regulation aims to limit market failures by providing better information for more rational choices and enabling transactions that would not be possible without protection. Studies show varied impacts on different business models, with some activities being more affected than others.
Measuring the specific effects of GDPR poses methodological challenges as it is complex to isolate its impacts from other economic factors. While many studies have focused on less regulated sectors, a comprehensive macroeconomic approach is yet to be undertaken due to modeling difficulties. Despite the focus on costs, there are potential benefits of GDPR compliance for companies in terms of reputation, IT security, and operational savings.
Furthermore, GDPR implementation has led to welfare gains for consumers by granting them greater control over their data and reducing risks associated with data sharing. While these benefits may not be easily measurable in the market, a comparison between impacts on firms and individuals is crucial to determine the regulation’s overall societal benefit. Lessons from economic studies suggest the importance of tailored regulatory advice, treating privacy as a public good, and addressing the regulatory challenges posed by large economic actors.
