You probably noticed earlier this year how your email inbox suddenly started filling up with increasingly desperate pleas to resubscribe to every email list you were ever added to, and how some websites were suddenly closed off to Europeans. The reason? The EU’s General Data Protection Regulation (GDPR), which went live in May, was the most ambitious legislative attempt yet to regulate the way personal data is stored on the web. From May onwards, firms had to be very careful about what information they collected on people, how they contacted them – and if they didn’t comply with the new rules they faced potentially massive fines.
There was a problem of sorts to be tackled. Data was being stored without anyone knowing what it might be, or how it was being used. Whether anyone suffered from that is open to debate – after all, if you have too much spam you can just ignore it, and there were already laws in place to deal with hackers or online fraud. But the EU went ahead and put in place the toughest regime in the world for controlling data and clamping down on the way it is used.
Impact of GDPR
Six months later, that certainly seems to have had an impact. The trouble is, it is not what was expected, nor is it for the better. A study published this month by the National Bureau of Economic Research, by Jian Jia and Liad Wagman of the Illinois Institute of Technology, looked at venture-capital investment in Europe and the US before and after the new rules came into force. It treated each funding round for a new tech company as a separate deal, and crunched the numbers for thousands of companies. The results? It found a 17% reduction in the number of deals done in Europe after the new rules came into force. And a drop of almost 40% in the amount of money those firms managed to raise. That is a big fall.
Of course, six months is a short time period. It remains to be seen what the longer-term impact will be. But the chances are, it will be even worse. After all, plenty of deals will already have been in the pipeline when the legislation was introduced. No-one will have wanted to call them off. And the impact may well have been even greater on the micro-companies just starting up who would have been raising venture capital in a couple of years’ time.
Squashing the start-ups
The likes of Facebook and Amazon can cope with the new rules. The regulations might be a bother, and the companies might have to abandon some products and services. But on the whole, the tech giants have the resources to build in extra privacy and the money to pay for the lawyers to make sure they are complying with the rules. They will sail on much as before.
But GDPR is squashing the start-ups, and given time some of those could have grown into competitors to the American giants. Sweden has a few major internet successes, such as Spotify. London is carving out a place as a global technology hub, especially in areas such as finance, food and fashion. But it is shocking how few European competitors there are. Germany and France, two G7 nations, both of which were among the leaders of the first and second waves of industrial innovation, have yet to create a single technology competitor of any real significance. Every single start-up that didn’t get past its first year, or failed to raise any investment because it didn’t have the resources to comply with the EU’s cumbersome rules is one more missed opportunity to create a contender.
Sure, we have slightly more privacy. But we also have fewer jobs, and a lot less wealth being created. That is a bad trade. The fix is simple. The EU should recognise that it is has created a mess of rules that are actively destroying the industries of the future. And the UK, as it completes the messy process of leaving the EU, should sweep away its privacy rules and replace them with something far simpler and cheaper to comply with so that it becomes a hub for the Continent’s entrepreneurs. Europe needs to compete with the USA and China in new technologies. And it can only do that with less regulation – not yet more.