According to recent Pew surveys, 91 percent of
respondents believe they have lost control over how personal information is
collected and used, and 61 percent would like to do more to protect their
privacy.
In that spirit, the European Union (EU) adopted the
General Data Protection Regulation (GDPR) on April 14, 2016, and made it
enforceable on May 25, 2018. Since then, the GDPR has aimed to protect the
personal data of EU residents by mandating informed consent to data collection;
ensuring user rights to access, correct and erase their personal data;
obligating firms to protect data through a set of principles and safeguards;
and assigning substantial liability risks and penalties to violating firms.
Violators can face stiff fines of as much as four percent of their global
revenues.
According to a new study to be published in the August
edition of the INFORMS journal Marketing
Science, the GDPR, within one year of enforcement, led to a major
reduction in the number of monthly investment deals in EU ventures when
compared to their counterparts in the United States and the rest of the world.
The study, "The Short-Run Effects of the General Data
Protection Regulation on Technology Venture Investment," is authored by
researchers from the Illinois Institute of Technology and the University of
Maryland.
They used investment data from Crunchbase and
VentureXpert, covering more than two years before the enactment of GDPR and
almost a year after the GDPR came into effect (January 2014 - April 2019).
On average, the authors found a 26.1 percent reduction in
the number of monthly venture deals by EU ventures, as compared to those in the
U.S. A comparison between EU ventures and the ventures in the rest of the world
(excluding the U.S.) points to similar findings. Timewise, the negative effects
were larger in the first six months after the GDPR's rollout but some of them
were sustained in the proceeding six months.
"When we break it down by venture types, we find that the
negative effects of the GDPR are greater for consumer-facing or
business-to-consumer (B2C) ventures than for business-facing or
business-to-business (B2B) ventures," said the authors. "The reduction in B2C
deals was already significant after the enactment of GDPR and before its rollout,
while the reduction in B2B deals did not kick in until the GDPR became
enforceable in May 2018. This is understandable as consumer-facing products may
have more exposure to the regulation."
The researchers also analyzed the effects of the
regulation by sorting ventures into "more-data-related" and "less-data-related"
groups, by looking at investments in three funding stages (early, main and
late), and by grouping ventures according to their age at the time of the deal,
from zero to three years old, from three to six years old, from six to nine
years old, and nine years and older.
"We found larger negative effects on more-data-related
ventures," said the authors. "For these ventures, the reduction in the number
of monthly EU venture deals is about 31 percent, relative to their counterparts
in both the U.S. and the rest of the world. This effect only occurred after the
GDPR's rollout. In addition, the negative effect on EU ventures is particularly
pronounced in earlier-stage deals, with a 34 percent reduction relative to the
U.S., and for newer, zero-to-three-year-old ventures, with a 30.3 percent
reduction."
The study offers a few explanations that may drive the
negative effects of the GDPR on venture investment.
"For example, to comply with the GDPR, the cost of data
access, data collection, data liability, and commercialization could all
increase for ventures using EU residents' personal data, especially those that
are consumer-facing and build their core businesses on leveraging data," said
the authors. "Many ventures may also rely on the compliance strategies of
larger platforms to guide their data-related liabilities, which could further
increase their costs of doing business. Another factor is compliance
uncertainty. Because GDPR enforcement in part depends on heuristics and may
differ across enforcement authorities in different EU member states, lack of
clarity about the acceptable forms of compliance and the associated risk of
enforcement may have made some investors reluctant to invest."