The Antitrust Source | June 2021

The Persisting Effects of the EU General Data Protection Regulation on Technology Venture Investment

Jian Jia, Ginger Zhe Jin, and Liad Wagman


  • Using venture investment data, Jian Jia, Ginger Zhe Jin, and Liad Wagman empirically estimate the value of venture capital and angel investments in Europe following the GDPR’s passage and find a persisting reduction of investment deals in nascent European technology ventures.
  • The authors examine how the GDPR may have affected investments in European technology ventures through 2020. Their findings indicate a persisting reduction in the number of investment deals in nascent European technology ventures following the implementation of the legislation in comparison to technology ventures in the United States.

Digital markets are an integral part of our economy. Data now broadly comprise both inputs and outputs for numerous products and services, with increasingly large amounts of information about individual users collected, processed, stored, and analyzed.

The COVID-19 pandemic has amplified the importance of data in the modern economy as some activities previously conducted in person are now conducted virtually. Although data-intensive products and services can benefit users, concerns about the collection, flow, and use of personal information have intensified. These concerns, exacerbated by data breaches and related scandals, have led to calls for tighter regulations that require more transparency, control, and some limits on the collection, storage, and processing of users’ data.

One regulation arising from such concerns is the EU General Data Protection Regulation (GDPR). On May 25, 2018, the European Union began enforcing the GDPR, an omnibus regulation aimed at enhancing privacy protections for EU users. This regulation differs from its predecessors in important ways. For example, the definition of “personal data” has been arguably broadened to cover items ranging from pseudonymized data to advertising identifiers on consumers’ phones. Moreover, the regulation introduced significantly higher penalties for violations. For instance, fines under the GDPR can be up to 4 percent of a firm’s global annual revenue.

Data regulation, however, entails tradeoffs. On the one hand, consumers who value privacy and the ability to more readily exercise control over their data could benefit from enhanced data regulation. On the other hand, these same consumers may also encounter new market conditions that they do not like, such as higher prices or fewer innovations. Indeed, data regulations increase firms’ compliance costs, and existing economic theories also show that compliance costs can disproportionately impact nascent firms and dampen entrepreneurs’ incentives to pursue innovations as new ventures. Because these economic costs can reduce profitability, they may also affect the ability of new, innovative companies to receive funding from investors.

In this article we empirically estimate the effect enhanced data regulation in the GDPR had on the value of venture capital and angel investments in Europe. Using venture investment data, we examine how the regulation may have affected investments in European technology ventures over time, through 2020. Our findings indicate a persisting reduction in the number of investment deals in nascent European technology ventures following the implementation of the legislation in comparison to technology ventures in the United States. As a result, policymakers considering tighter data regulations should weigh these costs against the potential benefits.

The GDPR and Technology Ventures

The GDPR, originally enacted on April 14, 2016, became enforceable on May 25, 2018. The regulation aims to protect data by “design and default,” with both specific and heuristic requirements that firms handle data according to set principles. The GDPR mandates a higher degree of privacy, data management, and data subject (or consumer) control. The regulation requires a lawful basis for all data collection and use, such as performance of a contract, legitimate interest, or informed opt-in consent, and assigns substantial liability risks and penalties for data flow and data processing violations. Under the regulation, firms that process personal information must develop protocols to respond to data requests from individual users (e.g., to delete information a firm has about a user) within a month, appoint a data protection officer to oversee compliance activities, audit internal data processes, and take proactive steps to anonymize and secure personal data and minimize its collection. The regulation requires that users have the right to access, correct, and delete their personal data. Companies found not to be compliant with the GDPR face fines of up to 4 percent of global revenue for any violation.

The GDPR introduces new compliance costs and risks, including for new technology firms and their investors. First, because the heuristics are still being tested in courts, the regulation creates uncertainty with respect to which data-driven products are compliant, and whether products or services need to be changed. Second, technology firms may rely on the compliance strategies of larger platforms, but many of these platforms only announced how they intended to pursue compliance on or around the GDPR’s implementation date, and some are still revising their policies. As a result, the actual cost of compliance, particularly for smaller firms, may change over time. The regulation is thus associated with uncertainties about the extent to which newer technology ventures can get their products to comply and how much it would cost them to do so. Investors may also face new uncertainties, information acquisition hurdles, and due diligence costs pertaining to venture deals in the EU due to the introduction of the GDPR. Moreover, those costs may be particularly pronounced for investors who are not based in the EU and are less familiar with, and less able to monitor, ongoing and shifting aspects of compliance and potential enforcement. Investors also face the risk that the value of their investments may diminish if, for instance, an expansion to the EU is put off due to compliance costs, or a funded firm’s assets are less valuable due to limitations on the collection and processing of data.

Short-Run Effects of the GDPR

In previous research, we have shown that shortly after enforcement of the GDPR began, investments in European technology ventures exhibited noticeable declines relative to their counterparts in the U.S. and in the rest of the world. Specifically, after the GDPR’s rollout, the number of monthly financing deals for EU technology ventures declined by 26.1 percent compared to their U.S. counterparts. A comparison between EU ventures and their counterparts in the rest of the world, not including the U.S., also points to a similarly large negative effect. The negative effects are larger in the 6-month period immediately after the GDPR’s rollout in 2018, but some of them are sustained in 2019. Furthermore, the analysis suggested that such negative effects are more pronounced for younger ventures, consumer-facing ventures, earlier funding rounds, and for technology ventures that are more reliant on data.

On the investor side, we have shown that foreign investors pulled back from investing in EU technology ventures after the GDPR considerably more than non-foreign investors did. Moreover, the results hold independent of whether investors have previously invested in a particular EU venture or not. Overall, our prior studies suggest that, at least in the short run, the GDPR appears to have caused investors—especially more distant ones—to pull back on their investments in EU technology ventures.

This article builds upon that prior research by empirically evaluating whether some of the short-run effects of the GDPR persist 2.5 years later. For this purpose, we use data from Crunchbase and VentureXpert that cover technology-oriented venture deals in the EU, U.S., and the rest of the world taking place from 2014 through the end of 2020. Our focus is on comparing investments in EU and U.S. technology ventures with EU ventures as the treatment group and U.S. ventures as the control. Following the literature, we use a difference-in-differences econometric framework to compare technology venture investment activities in the EU on the one hand, and in the U.S. on the other. Our econometric model includes controls for possible confounding effects, including responses to the COVID-19 pandemic. The COVID-19 pandemic led to significant increases in the amount of time users spend online, and due to those increases, a surge in the amount of data related to both individual users and businesses. The pandemic has also exposed increasing tensions between data protections (for instance, with respect to mobile location data) and data-reliant services (e.g., for contact tracing).

Figure 1 depicts the trend in the average monthly number of deals in the U.S. and the EU. Note that there are no noticeable differential trends between the U.S. and the EU prior to the legislative enactment of the GDPR in 2016. However, following the rollout of the GDPR in May 2018, we observe a larger gap between the monthly number of U.S. and EU ventures. Moreover, while the number of deals in both the U.S. and EU decreases substantially around March 2020 as COVID-19 related lockdowns were implemented, the number of technology venture investments in the U.S. appears to recover more quickly than in the EU.

Figure 1. Monthly # of deals in the EU and U.S.

Persisting Effects of GDPR

The results of our empirical analysis are presented in Table 1. We find evidence that the negative effect from the GDPR on EU technology venture investment persists 2.5 years after the rollout of the GDPR, although the magnitude of the effect is decreasing over time.

EU technology firms, relative to their U.S. counterparts, experienced an average decline of 21.51 percent in their number of venture investment deals. After implementing two additional methods to control for the relative impact of the COVID-19 pandemic, we find that the negative effect on EU technology venture investment associated with the GDPR’s rollout persists, suggesting similar decreases of 24.44 percent and 25.07 percent in the number of deals in our two additional specifications. Moreover, while the negative effects are larger in the 15-month period immediately after the GDPR’s rollout, at least a portion persists in the subsequent 15 months, including after implementing some controls for COVID-19.

Table 1. GDPR Impact on Aggregate Level # of Deals

| Regression Specification | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| | EU vs US | EU vs US | EU vs US | EU vs US | EU vs US |
| GDPR Enact | -0.036 | -0.258 | -0.282 | -0.356 | -0.214 |
| | (0.284) | (0.231) | (0.217) | (0.741) | (0.311) |
| EU * GDPR Enact | 0.045 | 0.128 | 0.054 | -0.341 | -0.121 |
| | (0.041) | (0.211) | (0.227) | (0.277) | (0.167) |
| GDPR_Rollout | -0.284 | -0.396 | -0.478 | -0.218 | -0.331 |
| | (0.261) | (0.274) | (0.335) | (0.365) | (0.474) |
| EU * GDPR_Rollout | -0.221*** | -0.225*** | -0.297** | | |
| | (0.077) | (0.057) | (0.213) | | |
| EU * COVID_Indicator | | -0.062*** | | | |
| EU * GDPR_Rollout-period1 | | | | -0.399** | |
| EU * GDPR_Rollout-period2 | | | | -0.105** | |
| Marginal Effect (GDPR Rollout) | -21.51%*** | -24.44%*** | -25.07%*** | | |
| Marginal Effect (06.2018 – 08.2019) | | | | -34.77%** | -32.43%** |
| Marginal Effect (09.2019 – 12.2020) | | | | -7.32%** | -11.07%** |
| Specification | Poisson | Poisson | Poisson | Poisson | Poisson |
| COVID Control | No | No | Yes | No | Yes |
| Macroeconomic variables | Yes | Yes | Yes | Yes | Yes |
| State FE | Yes | Yes | Yes | Yes | Yes |
| Week FE | Yes | Yes | Yes | Yes | Yes |
| Observations | 25,200 | 25,200 | 25,200 | 25,200 | 25,200 |

Note: The macroeconomic variables include unemployment rate, CPI, interest rate, median income, and GDP per capita for each Member State in which a venture is located. ***, **, and * indicate significance at the 1%, 5%, and 10% levels.

It is possible that not all types of ventures receiving investments were affected similarly. We examine heterogeneous effects for ventures along different dimensions: (1) by a venture’s likely propensity to utilize data; (2) by whether ventures are consumer or business facing; (3) by industry sector (health care, financial, and IT); (4) by venture age (0-3 and 3-6 years old); and (5) by funding stages (early-stage funding, such as seed funding, and main-stage funding, such as series A and series B funding).

Table 2 indicates that ventures whose products and services tend to be more reliant on data also tend to exhibit larger negative effects after the rollout of the GDPR, with reductions of about 38 percent in the monthly number of EU venture deals relative to their U.S. counterparts. We also find that consumer-facing (B2C) ventures incur larger declines than business-facing (B2B) ventures. This difference between B2C and B2B ventures is potentially because consumer-facing products have more exposure to the regulation—particularly to its requirements concerning individual users. A larger negative effect also applies to ventures in the IT industry, to newer (i.e., 0-3 years old) ventures, and to ventures raising earlier (seed) funding.

Notably, our estimations suggest that the gap between U.S. and EU venture investment deals shrinks more in some categories after the initial 15 months of the GDPR’s rollout—specifically, ventures that fall under the health care or IT categories (as compared to financial), as well as more mature ventures (3-6 year old ventures and/or ventures raising main as opposed to early funding rounds). One potential reason for such a relative change is that investors may tend to invest in both healthcare-related and in more mature ventures during the COVID-19 pandemic.

Table 2. GDPR Impact on # of Deals Across Different Subgroups
(EU vs US)

| Regression Specification | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| | More Data | Less Data | B2C | B2B | Healthcare | Financial | IT | New Firm (0-3 y.o.) | Young Firm (3-6 y.o.) | Early Stage | Main Stage |
| Marginal Effect | - | - | -4.21%** | - | - | - | - | - | - | - | - |
| Marginal Effect (– 08.2019) | -37.85%*** | -15.55%* | -32.66%** | -13.05%** | -35.71%** | -18.69%** | -47.88%** | -37.81%*** | -32.76%** | -41.69%*** | -26.33%** |
| Marginal Effect (– 12.2020) | -24.33%*** | -13.45%* | -25.25%*** | -12.65%* | -15.05%*** | -16.11%** | -28.05%** | -28.05%** | -18.66%** | -35.33%** | -10.05%** |
| COVID Control | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

Note: The impact of the enactment of GDPR is insignificant for all subgroups except for B2C ventures; hence, we do not report their marginal effects in the table. ***, **, and * indicate significance at the 1%, 5%, and 10% levels.


Our findings suggest both short-run and longer-lasting negative effects of the GDPR on investments in EU technology ventures, with the effects having larger magnitudes in the initial 15 months after the rollout of the GDPR, but persisting in the subsequent 15 months, inhibiting investment in EU technology ventures 2.5 years after the GDPR’s rollout. One possible reason for this is that investors may have been delaying or altogether dropping potential funding to ventures that they believe may not meet GDPR compliance, possibly due to challenges in achieving compliance. Another possible reason is that certain business models for technology ventures have become less valuable in the EU. Investors may also be cognizant of potential changes in the regulatory environment pertaining to digital markets in the EU in light of a number of recent proposals.

Combined with our prior research, these findings further suggest that policymakers considering regulatory policies similar to the GDPR may benefit from assessing the potential effects on both ventures and investors. Our findings offer some possible lessons: First, nascent technology firms appear to be particularly susceptible to a rise in risks, uncertainties, and compliance costs of data regulation. Second, firms that are more reliant on data, are consumer-facing, or tend to attract more foreign investment appear particularly susceptible, especially when they are raising their earlier funding rounds. Third, some of the negative effects appear to persist beyond the short run, suggesting that at least some of the reasons for the effects go beyond a short-term lack of familiarity with the regulation accompanied by a wait-and-see approach. Fourth, there is the potential for a disproportional effect on foreign investment.

This latter effect means a country that relies more on foreign investment may suffer larger decreases in venture capital in the technology space upon implementing stricter data protections. By contrast, another country that tends to export larger amounts of investment may benefit from the perspective of retaining more venture capital for its own domestic firms once the other country adopts more stringent data policies. In that respect, our findings suggest that a Prisoner’s Dilemma situation may emerge, where, under some objectives, each country may unilaterally have a dominant strategy to implement lax data policies in its home market, even if a more stringent set of data policies across the world may be welfare enhancing if all countries could commit to these policies.

There are caveats to our findings. First, our analysis does not constitute a complete cost-benefit analysis. We do not quantify any benefits that may arise to individual consumers as they obtain more control over their data as a result of the GDPR. Nor do we interpret the results as a welfare loss. Second, it is important to emphasize that our dataset is not a complete universe of venture funding, but rather a partial snapshot of primarily venture capital and angel investments in technology ventures. As such, our results must be taken with a bit of caution, given that the effects we observe may be incomplete. Third, while we control for some aspects of the COVID-19 pandemic and related lockdowns, we cannot completely rule out other effects from COVID-19 on the global economy.

One may argue that the recently implemented 2020 California Consumer Privacy Act (CCPA) could also contribute to a smaller gap in venture investments between the U.S. and EU after 2020. These data regulations, however, are different. For example, the CCPA is primarily centered around an opt-out rather than opt-in approach, and although the distinction may seem subtle, it is associated with a different default setting for collecting data about users, which can have significant implications for markets.

Despite the aforementioned caveats, one thing is clear: we live in a world where data generation is increasing at an exponential rate—a rate that has been further amplified by the COVID-19 pandemic. A significant number of technology ventures rely on such data to operate, and, consequently, restricting the flow of data that newer ventures can access may impact their ability to attract investments.