Data regulation, however, entails tradeoffs. On the one hand, consumers who value privacy and the ability to more readily exercise control over their data could benefit from enhanced data regulation. On the other hand, these same consumers may also encounter new market conditions that they do not like, such as higher prices or fewer innovations. Indeed, data regulations increase firms’ compliance costs, and existing economic theories also show that compliance costs can disproportionately impact nascent firms and dampen entrepreneurs’ incentives to pursue innovations as new ventures. Because these economic costs can reduce profitability, they may also affect the ability of new, innovative companies to receive funding from investors.
In this article we empirically estimate the effect enhanced data regulation in the GDPR had on the value of venture capital and angel investments in Europe. Using venture investment data, we examine how the regulation may have affected investments in European technology ventures over time, through 2020. Our findings indicate a persisting reduction in the number of investment deals in nascent European technology ventures following the implementation of the legislation in comparison to technology ventures in the United States. As a result, policymakers considering tighter data regulations should weigh these costs against the potential benefits.
The GDPR and Technology Ventures
The GDPR, originally enacted on April 14, 2016, became enforceable on May 25, 2018. The regulation aims to protect data by “design and default,” with both specific and heuristic requirements that firms handle data according to set principles. The GDPR mandates a higher degree of privacy, data management, and data subject (or consumer) control. The regulation requires a lawful basis for all data collection and use, such as performance of a contract, legitimate interest, or informed opt-in consent, and assigns substantial liability risks and penalties for data flow and data processing violations. Under the regulation, firms that process personal information must develop protocols to respond to data requests from individual users (e.g., to delete information a firm has about a user) within a month, appoint a data protection officer to oversee compliance activities, audit internal data processes, and take proactive steps to anonymize and secure personal data and minimize its collection. The regulation requires that users have the right to access, correct, and delete their personal data. Companies found not to be compliant with the GDPR face fines of up to 4 percent of global revenue for any violation.
The GDPR introduces new compliance costs and risks, including for new technology firms and their investors. First, because the heuristics are still being tested in courts, the regulation creates uncertainty with respect to which data-driven products are compliant, and whether products or services need to be changed. Second, technology firms may rely on the compliance strategies of larger platforms, but many of these platforms only announced how they intended to pursue compliance on or around the GDPR’s implementation date, and some are still revising their policies. As a result, the actual cost of compliance, particularly for smaller firms, may change over time. The regulation is thus associated with uncertainties about the extent to which newer technology ventures can get their products to comply and how much it would cost them to do so. Investors, also, may face new uncertainties, information acquisition hurdles, and due diligence costs pertaining to venture deals in the EU due to the introduction of the GDPR. Moreover, those costs may be particularly pronounced for investors who are not based in the EU and are less familiar and less able to monitor ongoing and shifting aspects of compliance and potential enforcement. Investors also face the risks that the value of their investments may diminish if, for instance, an expansion to the EU is put off due to compliance costs, or a funded firm’s assets are less valuable due to limitations on the collection and processing of data.
Short-Run Effects of the GDPR
In previous research, we have shown that shortly after enforcement of the GDPR began, investments in European technology ventures exhibited noticeable declines relative to their counterparts in the U.S. and in the rest of the world. Specifically, after the GDPR’s rollout, the number of monthly financing deals for EU technology ventures declined by 26.1 percent compared to their U.S. counterparts. A comparison between EU ventures and their counterparts in the rest of the world, not including the U.S., also points to a similarly large negative effect. The negative effects are larger in the 6-month period immediately after the GDPR’s rollout in 2018, but some of them are sustained in 2019. Furthermore, the analysis suggested that such negative effects are more pronounced for younger ventures, consumer-facing ventures, earlier funding rounds, and for technology ventures that are more reliant on data.
On the investor side, we have shown that foreign investors pulled back from investing in EU technology ventures after the GDPR considerably more than non-foreign investors did. Moreover, the results hold independent of whether investors have previously invested in a particular EU venture or not. Overall, our prior studies suggest that, at least in the short-run, GDPR appears to have caused investors—especially more distant ones—to pull back on their investments in EU technology ventures.
This article builds upon that prior research by empirically evaluating whether some of the short-run effects of the GDPR persist 2.5 years later. For this purpose, we use data from Crunchbase and VentureXpert that cover technology-oriented venture deals in the EU, U.S., and the rest of the world taking place from 2014 through the end of 2020. Our focus is on comparing investments in EU and U.S. technology ventures with EU ventures as the treatment group and U.S. ventures as the control. Following the literature, we use a difference-in-differences econometric framework to compare technology venture investment activities in the EU on the one hand, and in the U.S. on the other. Our econometric model includes controls for possible confounding effects, including responses to the COVID-19 pandemic. The COVID-19 pandemic led to significant increases in the amount of time users spend online, and due to those increases, a surge in the amount of data related to both individual users and businesses. The pandemic has also exposed increasing tensions between data protections (for instance, with respect to mobile location data) and data-reliant services (e.g., for contact tracing).
Figure 1 depicts a monthly trend of the average monthly number of deals in the U.S. and the EU. Note that there are no noticeable differential trends between the U.S. and the EU prior to the legislative enactment of the GDPR in 2016. However, following the rollout of the GDPR in May 2018, we observe a larger gap between the monthly number of U.S. and EU ventures. Moreover, while the number of deals in both the U.S. and EU decrease substantially around March 2020 as COVID-19 related lockdowns were implemented, the number of technology venture investments in the U.S. appears to recover more quickly than in the EU.