Regulation has made EU firms less data-hungry
GDPR has cut storage and processing
Regulation changes demand for data, says a report by the US-based National Bureau of Economic Research (NBER).
The non-profit research organisation - which is mostly government-funded - says the EU's GDPR has led firms in the region to both store and process less data.
The GDPR affects more than 20 million firms across the EU, making it one of the world's largest and most influential pieces of privacy legislation - although more than 150 countries have since enacted their own similar laws.
Although beneficial for citizens, complying with these laws can be expensive and time-consuming for organisations - not only in terms of extra data protection, but also extra penalties in case of breaches and giving consumers more information about how firms are tracking their behaviour.
In a paper titled 'Data, Privacy Laws and Firm Production: Evidence from the GDPR', the NBER estimates the cost of GDPR compliance to range from $1.7 million for SMEs to $70 million for large enterprises.
Using data from an unnamed cloud firm - identified as 'one of the largest global cloud computing providers' - over the 2015-2021 period, NBER compared data and computation use between similar EU and US organisations post-GDPR. They found that EU firms store, on average, 26% less data compared to their US counterparts, two years after GDPR came into force. Computation use also dropped, down 15% compared to US companies, implying that firms became less data-intensive after the GDPR. These effects were similar across industries, and slightly more pronounced (around 5%) in countries with stricter regulatory enforcement.
NBER's analysis suggests that the GDPR made data storage 20% more costly for firms, on average, and more so for those in data-intensive industries. Software companies saw the largest average increase (24%), followed by manufacturing and services (both 18%). Both firm size and pre-GDPR compute productivity affected the cost increase; large companies with a higher reliance on compute, rather than data, saw smaller increases.
Information production has also grown more expensive post-GDPR due to the rising cost of storage, although the effect is less pronounced:
"We find that the GDPR resulted in a 4% increase in the cost of producing information, a significantly smaller impact than the increase in the cost of data. This is primarily because data is significantly cheaper than computation and therefore accounts for only a small share of the information cost.
"In other words, the GDPR targets the less costly IT input, which limits its impact on the cost of information."
The results are similar when excluding multi-cloud firms - suggesting the results are not driven by EU organisations migrating towards other cloud providers - and when looking only at start-ups, which tend to use cloud computing as their only IT. That suggests that substitution towards traditional IT is "not a large concern."
The authors hold back from making a judgement on whether the increased privacy from GDPR is worth the cost.
"Further evidence is needed to fully understand the benefits of these laws and how they compare with any potential harm to firms," they write.