GDPR: its real cost to the EU - Data Protection or Economic Destruction?
And how to get around it in 1 easy step
Note: This article is the 4th in a series on over-legislating, a path that more and more nation-states are taking in an attempt to emasculate the disruptions that threaten them.
Among EU regulations, the flagship regulation, the most famous one, the one that has given the European Union its place as the true champion of clunky, poorly done regulations, showing how to irritate the whole world by disfiguring millions of websites and degrading the user experience of billions of people, I mean the GDPR, is a model in itself.
Okay, I'm off to a great start... So let's take a deep breath, and look rationally at the effects of the GDPR on the European economy and innovation, as well as its effects on the original purpose of this regulation: to better protect the data of European residents.
The effects of GDPR on the European economy and innovation
The numerous studies on its effects are surprisingly consistent in pointing the finger at the most deleterious ones. Here's an overview:
A Commission progress report on the GDPR [1] acknowledges that the regulation has not reached its potential due to a lack of controls.
The cost of strict compliance with the GDPR can exceed maximum fines in some industries, giving companies an incentive not to comply [2].
The profit margins of data-intensive companies, such as banks and financial services and communications and information companies, have fallen, on average, by around 1.7% to 3.4% compared with the profit margins of their US counterparts [3].
Another study of 700,000 companies in 61 countries and 34 industrial sectors, meanwhile, shows an 8% decline in profits and a 2% decline in sales for companies affected by the GDPR [4]...
Except for big tech companies like Facebook, Apple and Google, which "have been relatively unaffected by the regulation on the two performance measures" (!).
While "the negative impact on the profits of small technology companies is almost double the average effect on our sample as a whole" (!)
The estimated cost of compliance for the world's 500 largest companies is $7.8 billion [5], and 74% of small and medium-sized businesses have spent more than $100,000 on compliance [6].
The GDPR has reduced investment for EU tech companies by 26% [7] (!), a phenomenon that particularly affects start-ups, data-related companies targeting individuals (rather than other businesses) and the healthcare and finance sectors.
And has particularly reduced investment from abroad, indicating a genuine reluctance on the part of non-European firms and individuals to have to interact with businesses subject to the GDPR [8].
A research article with the evocative name, "The GDPR and the lost generation of innovative apps" shows that a third of the apps available on the Google Store disappeared following the implementation of the GDPR, and then that the creation of new apps was halved [9] (!)
The GDPR disproportionately harms small businesses, barely denting large ones, creating a significant competition-distorting effect [10].
A necessary sacrifice?
In short, it's clear that the cost to society is enormous. Some will accept the figures shared above and say that GDPR is indeed expensive, but that it's a necessary sacrifice to prevent large multinationals from being able to misuse the considerable data they collect for nefarious purposes.
I hear that argument. In fact, I'm the first to highlight tools that enable you to better protect your privacy on the Internet, as we've seen and as we'll see in even greater detail in a future article on computer security.
But the existence of a problem doesn't necessarily make the GDPR a good solution. Beyond the fact that civil society provides all the necessary tools to guard against unwanted tracking, and that it's first and foremost a question of education, there are good and bad regulations. The GDPR shows many symptoms of a clunky, poorly designed regulation that costs society a lot of money, creates a distortion of competition and, what's more, is unfair because it applies differently to companies.
Let's look at three examples to see why.
The balkanization of the Internet
Since the GDPR applies in theory to all sites accessible to European residents, regardless of the physical location of the servers and the companies and individuals managing these sites, it leads to differentiated treatment of people depending on their geographical area of residence.
For example, an American site will have to treat visitors from the European Union differently.
What's more, it's an extraterritorial law which is supposed to apply even if contrary laws exist in the country of the company or individual who owns any website visited by a European resident.
Obviously, for non-EU entities, this remains highly theoretical, because as we've seen on several occasions, it's extremely difficult for states to enforce their laws in places where they can't send officials armed with a gun: remember that the only real laws are those of physics, and that all others are suggestions that must rely on them (i.e. the threat of violence) to be respected.
We saw this with the example of VAT on digital products sold to European customers from countries outside the Union, which has been theoretically applicable since 2003 (a long time!), and which the European Union simply doesn't even try to enforce: as I said in the previous articles, I know hundreds of American entrepreneurs who have probably sold several hundred million dollars' worth of products in Europe over the years, without ever paying a single cent in VAT, and without ever having received the slightest hint of a letter or carrier pigeon on the subject from the European tax authorities.
If the European Union has been unable to do anything about VAT, the most lucrative tax and one that is right at the top of the priorities of tax collection agencies, endowed with substantial budgets and resources, how do you think it will be able to act to enforce compliance with the GDPR on entities that have no physical presence on its territory, while data protection agencies have completely anemic budgets?
How will GDPR agencies tackle companies outside the EU?
European data protection agencies say it themselves: 86% say they do not have the budget and human resources needed to carry out their mission in their country [11].
The truth is that the GDPR creates discrimination, between 1) companies in the European Union, obliged to comply, 2) naive companies outside the European Union, who will undertake to comply with a regulation that isn't even their country's, at a very significant cost, and 3) companies outside the European Union, which will either ignore the information altogether, or realize that they have a 99.999999999% chance of falling through the cracks, and make the rational choice of sending the European Union packing and not complying.
Because let's face it, in the overwhelming majority of cases, the rational choice of a Brazilian company selling in Portugal, an American company selling throughout Europe (using the universal nature of English), an African or Quebec company selling in France, Belgium and Switzerland, etc., will be to not comply with the GDPR, or indeed any European or extraterritorial law, while respecting local laws - provided again that they have no physical presence in the European Union (including bank accounts).
Many European Internet regulations are also extraterritorial, and suffer from the same difficulty of application.
Of course, in this case, states always apply the 11th principle and tackle bottlenecks, as they did in 2024, by requiring payment processors to automatically share sales information about EU residents with tax authorities, in order to identify unpaid VAT.
But what bottleneck is there in the case of the millions of companies outside the European Union that don't comply with the GDPR and never will?
The creation of competition between countries to enforce this regulation the least
Look at the number of civil servants working in the various European data protection agencies [12]:
As you can see, the capacity of these agencies varies enormously, although these figures must of course be related to their population size.
Only Germany comes out on top, with over 1,000 civil servants working on this subject, even though its agency is one of those that complains of not having enough resources.
France's and Italy's populations are respectively around 81% and 71% of Germany's, yet their data protection agencies employ 22% and 12% of Germany's staff!
Do you think this will affect the efficiency of French and Italian agencies compared with the German agency?
Smart entrepreneurs can easily do this kind of analysis to find the European country with the worst possible data protection agency, and choose to locate their business there for that reason.
Worse still, a company from outside the European Union wishing to achieve "paper compliance" could deliberately choose this territory as its official contact country.
And that's exactly what companies do! In the age of the Internet, regulations such as these create multiple "holes in Swiss cheese" that all entrepreneurs and lawyers know how to exploit, and they're happy to do so.
The formula for paper compliance
Some countries specialize in "paper compliance", fighting to offer the best ratio between all the stamped documents needed to show any regulator or government agency that you're following the regulations, and the minimum of bureaucracy, field checks and verification that you really are.
In other words:
PCS = Paper Compliance Score (out of 10, the higher the better), NACV = Number of Actual Checks & Verifications (out of 10), ODSSR = Official Documents Super Stamped and Recognized (out of 10). It's a joke of course, but many companies more or less make this calculation! :)
The aim of many companies is to maximize their PCS, by choosing the country that offers the best ratio. It's all about having the best possible reputation (to increase the ODSSR score) while having as few controls as possible.
These countries are easy to spot as soon as you take an interest [13], although of course their governments and lawyers would vigorously defend themselves in public if asked... part of the strategy to maximize ODSSR!
So Germany, with its emphasis on controls and sanctions, is above all warning intelligent entrepreneurs not to set up their data-management businesses on German soil!
An easy way around the GDPR
Shortly after the "effective" implementation of the GDPR in France [14], a few sites found a simple and formidable trick to get around it: offer either to accept advertising cookies, or to pay a low price, usually 2 euros per month, to be able to consult the site without cookies.
They justified the measure by pointing out that they needed the additional advertising revenue enabled by cookies, and that removing them would represent a loss of earnings and mean having to work for free.
It's a very fair argument... and a very clever one: whatever the law or regulation, if its strict application forces you to work for free for others, it can't work. Otherwise, it would be slavery [15].
But forcing sites to give access to their content without any compensation would clearly be tantamount to forcing them to work for free.
The companies in question, often media groups, were already relying on a 2020 French Conseil d'Etat decision preventing the CNIL (French data regulator) from prohibiting the offer of payment in order to be able to refuse cookies [16]. In 2023, the European Court of Justice confirmed the impossibility of prohibiting this practice [17].
Conclusion? To easily get around the GDPR, propose as the only alternative to depositing advertising cookies the payment of a small fee, even a very modest one: human nature being what it is, more than 98% of people will accept cookies, and those who pay will earn you more than if they had accepted cookies. Q.E.D.
The GDPR is therefore pointless, apart from annoying millions of companies who have to release budgets to implement these stupid solutions, and annoying hundreds of millions of people with stupid choices on every site they visit, while costing Europe hundreds of millions of euros in GDP every year and a huge image deficit.
Just think of all the thousands of people who have worked for years to come up with such cumbersome, costly... and so easily circumvented regulations.
Well done, regulators, on this achievement! You have clearly demonstrated that the European Union will be able to withstand all the disruptions that attack it, thanks to your marvelous efforts.
In the end
I'm not saying that GDPR brings absolutely no added value.
Given the choice, I prefer a European Union with its GDPR to China with its tech companies forced to share the data of over a billion citizens with the government.
But right now, for lovers of freedom (including economic freedom), China represents the equivalent of the plague, cholera and cancer combined. Next to it, the GDPR would be diabetes... So would I rather suffer from diabetes than the plague, cholera and cancer?
Certainly. But while I'm at it, I'd rather be healthy and disease-free.
The examples we have seen in this section seem to me very representative of the European Union's regulatory efforts in the technology sector, and of the fate of any country that tries to emulate them:
These regulations are often well-intentioned
But the road to hell is paved with good intentions, as countless examples throughout history have shown.
Just because you've identified a problem doesn't mean that the solution you've come up with will necessarily solve it: if you'd gone to a 17th-century doctor with flu symptoms, he'd have prescribed bloodletting and honey for your cough... which would have done nothing to cure the disease, only to alleviate (if you were lucky) your symptoms, or (which wasn't uncommon!) aggravate your ailment.
These regulations are heavy and costly, not only directly, but also indirectly, by slowing economic growth, often draining tenths of a percentage point, or even whole percentage points, of GDP. And it all adds up: 10 heavy regulations that each reduce growth by 0.1% reduce it from 3% to 2%, for example, which is considerable and translates into hundreds of billions of euros/dollars less tax revenue in the long run.
Everyone's poorer for it, except competing countries with lighter regulations, which don't hesitate to take advantage.
They are often either an empty gesture, as in the examples of the European Union's relentless efforts against Microsoft, or are easily circumvented.
They are a great source of jokes at the expense of regulators :)
And this can lead to a bad reputation that harms investment and therefore the economy. You only have to scroll a little on X/Twitter to see that the European Union suffers from an absolutely terrible reputation among American entrepreneurs and venture capitalists, such that many wouldn't touch it with a 10-foot pole. What impact does this have on the European economy? Certainly not a positive one.
The European Union has amply demonstrated its ability to shoot itself in the foot with its regulations, and I predict that the two major technological regulations that have been put in place while I've been writing this book & Substack, the Digital Markets Act and the Artificial Intelligence Act, will have the same kind of effects: little added value, a lot of red tape, a huge direct and indirect cost, and a direct contribution to the decline of European innovation and its economy.
I want to make it clear that my point is not to say that the EU necessarily has more regulations in all areas than the US, or that it necessarily has worse regulations. I did, after all, start this series with a long quote from Arnold Schwarzenegger describing the heavy-handedness of regulations in California, a subject on which he has a great deal of practical experience.
I focused on the EU because of its proven backwardness in the field of digital technologies - a subject of paramount importance to the Internet's disruption of nation-states - and the EU's reputation for trying to make up for that backwardness through regulation.
And if the results the EU has with the GDPR and its other regulations on new technologies are representative of the results other countries will have, this does not bode well for their ability to make the disruptions that threaten them, and which we saw in detail in the series on the subject, disappear through regulations.
Coming soon
In the next article, we'll see cases where regulation brings value - because my aim is not to “regulation bash”, but to look at things rationally.
2019
"Johnson et al., 2022c; Lefrere et al., 2022; Skiera et al., 2022" [put exact refs.
Heli Koski, "Short-term Impacts of the GDPR on Firm Performance," 2020.
"Privacy Regulation and Firm Performance: Estimating the GDPR Effect Globally", University of Oxford, 2022
Chinchih Chen, "The International Association of Privacy Professionals", 2017
"The Short-Run Effects of GDPR on Technology Venture Investment," Jian Jia, 2020.
Jian Jia, "GDPR and the Localness of Venture Investment," 2020.
Rebecca Janßen, "GDPR and the Lost Generation of Innovative Apps," 2022.
Christian Peukert, "Regulatory Spillovers and Data Governance: Evidence from the GDPR", 2022.
"Overview on resources made available by Member States to the Data Protection Authorities and on enforcement actions by the Data Protection Authorities", page 6, European Data Protection Board, 2021. Only Austria, Hungary, Lithuania and Cyprus report having sufficient resources.
Ditto. See footnote 11
In the European Union, for example, Cyprus and Malta specialize in this business (more for VSEs and SMEs) and Ireland (as well as Luxembourg to a lesser extent) for large companies. Ireland also offers its services to have the highest possible PCS score for the GDPR, even if the EU is putting pressure on it to really enforce this regulation, at least with large companies
France's data control agency, CNIL, has had to concede a tolerance period of several years given companies' total lack of preparation on the subject, and has indicated that the GDPR will be applied in earnest on April 1st, 2021, almost three years after it came into force in May 2018! Marc Rees, "Cookie walls et autres tracking walls : légal, pas légal ?", Next INpact, 2021
Bankers, take a lesson from us: you don't have to work for the state for free, undergoing KYC and AML. We'll talk more about this in Part 2.
Decision no. 434684 of June 19, 2020.
Bruno Deffains, "La « bataille des Cookies » : comment concilier protection des données et impératifs économiques ?", Le Club des Juristes, 2023