The GDPR Will Not Boost Usage of Digital Services

Conventional wisdom in policy circles is that strong data protections will increase trust in digital services, which will lead to more people using those services. Andrus Ansip, the Vice President for the European Commission’s Digital Single Market, spoke for many policymakers when he wrote that without data protection rules, “there will be no trust. Without trust, people will not use digital services.” This rationale served as a key justification for enacting the General Data Protection Regulation (GDPR). Unfortunately, it was based on a faulty assumption. The truth is that most policies designed to increase digital trust will likely harm the digital economy and leave consumers worse off.

That is the main conclusion of a new report from the Information Technology and Innovation Foundation (ITIF). It analyzes 2018 survey data across 21 countries with varying levels of data protection regulation, including many in Europe, and finds that while a reasonable baseline of data protections can promote trust and spur adoption of digital services, there is no evidence that continuing to strengthen regulation beyond baseline levels will build additional trust or encourage further adoption. In fact, heavier regulation can have the opposite effect by diminishing innovation.

This dynamic is evident in the varying rates of Internet usage among residents of countries strong data protections compared to those in countries with moderate or limited regulation. For example, Europeans had similar levels of trust in the Internet with moderately regulated countries, such as Nigeria and South Africa. Moreover, consumer trust in Europe has remained flat from 2009 to 2017 despite the government strengthening its privacy rules during that time with various changes, such as updates to the ePrivacy Directive and establishing the Right to be Forgotten. The findings are clear: strong data protections do not immediately lead to increased digital trust. One explanation for this is likely that European policymakers have been sending the message that the Internet is so fraught with risks and dangers that only extremely restrictive regulation can protect them from serious harm.

Not only do Europe’s stricter rules not boost trust, they do not boost technology usage, either. ITIF’s study analyzes usage rates for three different technology applications—Internet access, social media, and online shopping—before and after the implementation of a European privacy law. In all three categories, the United States showed greater increases in usage than the European Union in the same periods, despite the fact that the EU has more stringent privacy regulation.

But even if stronger regulations do not deliver on the promise of increasing trust or usage, some European policymakers may not see any downsides to enacting them anyway. What’s the harm? The answer is that the costs outweigh the benefits. More stringent standards raise compliance costs for companies that provide online services, which ultimately raises the costs of digital services for consumers, leaving them with less money to spend on other things.

These costs can add up quickly. For example, a 2014 ITIF report estimated that the European Union’s ePrivacy Directive to regulate browser cookies cost European businesses roughly €1.8 billion annually. Strict regulations can also reduce advertising revenue. One study of European regulations that limited how advertisers can collect and use consumer information for targeted advertising found that these rules reduced the effectiveness of online ads by 65 percent—leading to a massive reduction in revenue. These higher costs and lower revenues mean companies will have less money to invest establishing new services or improving existing ones. The GDPR will only accelerate these negative effects.

The lesson for EU policymakers is clear: do not get seduced by the idea that stringent privacy regulation is a shortcut for digital growth. Enacting even stricter data protection rules, such as the pending ePrivacy Regulation, will come with costs that will hurt not only the EU digital ecosystem but also EU digital consumers. In short, it is time to end the spurious claims that stronger privacy regulation is pro-innovation and pro-consumer. It is not.