Christian Peukert, Stefan Bechtold, Michail Batikas, Tobias Kretschmer30 September 2020
The Internet has torn down national borders in many aspects of our daily life. Electronic communication takes place across the globe, (digital) goods and services are purchased with little regard for their origin, and media audiences are now global rather than local.
Accordingly, some of the regulatory issues surrounding digital goods and services transcend regional boundaries. Global firms like Google, Amazon, Facebook, and Apple have reached a degree of dominance in some of their activities that competition policy has taken on a global dimension. Similarly, users’ privacy concerns apply to websites outside their geographical region and therefore their legislators’ jurisdiction.
In such a world, regulation is challenging. As international coordination mechanisms have often proven ineffective, individual countries and regions have increasingly enacted legal regimes for the digital world, even if these regimes have spillovers outside their legal territory. This can lead to competition between countries to become a leading global digital rule-maker.
For example, some observers say that the EU has de facto externalised several of its strict regulatory laws outside its border through a combination of market mechanisms and unilateral regulatory globalisation, introducing the idea of a ‘Brussels effect’ (Bradford 2012).
In a recent paper (Batikas et al. 2020), we ask two questions in the context of the EU’s recently introduced privacy regulation, the General Data Protection Regulation (GDPR):
Did the GDPR lead to extraterritorial websites (websites with no EU-based top-level domain) making changes that are in line with stricter privacy requirements?
Did the GDPR, which tackled issues of privacy and personal data, affect other domains of public and regulatory interest, such as competition or trade policy?
We follow 110,706 websites, of which about 20% cater to audiences in the EU, for a total of 18 months, before and after the introduction of the GDPR. We measure interactions between websites and third parties by the HTTP requests that websites send. We collect information about the identity and location of third parties that a website interacts with, the total number of third-party requests, and the number of third- and first-party cookies and combine these data with demographic information about website audiences.
Our analyses show that the answer to both questions is that EU privacy regulation did indeed spill over both outside of its territorial limits and of the policy domain it was designed to address.
GDPR: The EU’s state-of-the-art privacy legislation
Designed as the cornerstone of European privacy law, the GDPR became applicable in 2018 and is often considered the most comprehensive, globally leading privacy regime. It establishes common rules on data processing throughout the EU and is directly binding for companies and residents in the EU and beyond, affecting consumers, firms, and countries outside the EU through a variety of mechanisms.
The European Commission predicted ex ante that the GDPR would decrease costs for businesses by harmonising privacy laws across the EU; decrease overall compliance costs; and increase the attractiveness of EU as a location to do business (European Commission 2012:148–9).
The GDPR affected websites and web technology providers either located within the EU or addressing European consumers. The regulation also recognised that in data-driven industries, dominance does not manifest through firms’ ability to dictate prices and/or raise entry barriers, but rather through control of vast amounts of personally identifiable information (or privacy-relevant data) that may either be monetised through fine-grained targeting of consumers or reselling the data to third parties for their own targeting and personalisation efforts.
How did the GDPR affect EU and non-EU websites?
In our data, we see a substantial and sudden drop in the number of requested third-party domains just after the enactment of the GDPR (Figure 1A), not only for websites that cater to EU audiences but also for international websites. We estimate that the reduction is -8.1% (EU) and -2.4% (non-EU).
However, this change in the number of requested third parties is short-lived (Figure 1B). According to our model predictions, only four months after the GDPR, websites with non-EU audiences rebound to the level directly before the GDPR. Websites with an EU audience revert to their initial level after 22 months.
Figure 1 Requested third-party domains
Notes: Panel (A) shows the average log number of third-party domains to which website hosts with(out) EU country-specific top-level domains send requests. Vertical line indicates the implementation of the GDPR on 25 May 2018. Panel (B) plots predictions based on regression models that allow for different trends across EU/non-EU websites and before/after the GDPR, respectively. Normalised to the month before the introduction of the GDPR and in percent. Dashed lines indicate counterfactual trends.
The location of third-party services also matters. Especially websites catering to EU audiences shift their interactions from third-party services outside the EU to those within – but less so for services that operate in countries with adequate privacy protection (according to the Commission).
The web technology industry also reacts to the GDPR with more transparency: data on the stated privacy policies of web technology vendors show that more firms disclose whether they collect and/or share personal data with others, and conditional on disclosure, firms are more likely to state that they collect and share personal data. This suggests broad compliance.
Most external data requests include cookies collecting personal data. While cookies are technically comparable across their suppliers, their use case differs. Cookies by the website itself (first-party cookies) are typically used for website optimisation and personalisation, while the information gathered by externally supplied cookies (third-party cookies) is frequently resold to other websites and/or firms using personal data for their business model.
We observe a sharp decrease in third-party cookies directly after the GDPR comes into force (Figure 2A). The opposite holds for first-party cookies, which usually do not involve sharing information with others. We estimate that the number of third parties that send cookies changes by -12.8% (EU) and -5.5% (non-EU). We find an increase in the number of first-party cookies for EU-targeted websites of 1.7% and for non-EU-targeted ones of 2.5%.
Figure 2 Third-party and first-party cookies
Notes: Panel (A) shows the average log number of third-party domains that respond with a cookie, and number first-party requests (same domain as website) that respond with a cookie. Vertical line indicates the implementation of the GDPR on 25 May 2018. Panels (B) and (C) plot predictions based on regression models that allow for different trends across EU/non-EU websites and before/after the GDPR, respectively. Normalised to the month before the introduction of the GDPR and in percent. Dashed lines indicate counterfactual trends.
The reduction in third-party cookies is about 2-7 times larger in percentage terms (4-15 times larger in absolute terms) than the increase in first-party cookies. These changes seem persistent (Figures 2B, C).
How did the GDPR affect market structure?
In addition to our results on website compliance with the GDPR, we also see strong evidence that the market for web technologies becomes more concentrated after the GDPR. Google sticks out as the clear winner, both regarding EU and non-EU websites (Figure 3). Market shares of all other firms remain unchanged or decrease substantially. We find that Google gains most in the analytics market (7.2%) and the advertising market (5.4%), two markets in which they had been strongest before the GDPR with market shares of 25.8% and 38.4%, respectively.
Figure 3 Ten firms with the largest change in average market
Notes: Time period is six months before and after the implementation of the GDPR on 25 May 2018. Market shares defined as the number of website-hosts with (non-) EU-country-specific top-level domains (EU TLDs) that send requests to any of a firm’s domains divided by the number of website-hosts with (non-) EU TLDs that send requests to third parties.
These results indicate a perhaps unintended effect of the GDPR: compliance with increased privacy and data security in the EU has favoured a US-based tech giant providing many of the privacy-sensitive web tracking technologies used by websites.
Making sense of it all: Dynamic compliance risk
Several headline findings stand out. First, the GDPR was largely successful in that EU-based websites changed their strategies to more privacy-sensitive technologies. Second, even non-EU-based websites changed modes of operation with the GDPR, but to a lesser extent. Both of these results are short-lived as the sudden shift towards more privacy-conscious technologies is followed by a trend back to their increased use. Third, the market for web tracking technologies became more concentrated, with Google as the largest provider gaining market share, especially in the applications they already had a dominant presence in. How can we explain these patterns?
The GDPR has created considerable legal uncertainty. Combined with a broader territorial application, a risk of joint responsibilities between data controllers and processors, a drastic increase in possible sanctions, and a more effective organisation of European data protection authorities, this uncertainty translates into a drastic increase in compliance risks. In such an environment, websites may choose to reduce their legal exposure and to interpret legal provisions in a cautious way.
The best way to reduce exposure to compliance risks is to reduce the use of (non-EU) web technology providers and to shift from third-party to first-party cookies. Further, a website may choose large web technology providers over small ones because the former have more resources to weather legal challenges created by the GDPR. Complying with the GDPR is costly, and these costs are subject to economies of scale (Gal and Aviv 2019).
This concentration in markets for web technologies is consistent with the notion of compliance risks and economies of scale. GDPR implemented and enforced the consent requirement for websites on a large scale, which disproportionately benefits larger technology providers, such as Google, that offer a broader range of services and can address regulatory requirements quicker and more effectively (Campbell et al. 2015). Hence, the increased concentration in web technology markets may have been an unintended but unavoidable consequence of the GDPR.
It is striking that the number of requested third-party trackers rebounds to pre-GDPR levels. This is again in line with a compliance-risk interpretation. Over time legal uncertainty has decreased as new policy guidelines (e.g. by the European Data Protection Board) were released. Websites may have learned to adapt by interpreting such guidelines, seeking legal counsel, and observing competitors – meaning that they became increasingly comfortable using third-party providers again.
Privacy law spills over into antitrust and trade policy
Our results raise the question of how privacy law and antitrust policy are related. While they have traditionally been distinct, it seems increasingly difficult to conceptualise antitrust and privacy law as distinct areas of the law with different goals, remedies, and enforcement mechanisms.
On the one hand, network effects, lack of competition on terms of service and privacy policies, as well as the limited effectiveness of user consent in privacy law (Acquisti and Grossklags 2005) may let firms increase their dominant position by violating privacy laws. On the other hand, laws aimed at increasing privacy protection may simultaneously decrease competition in related technology markets. In a world where processing personal data, analysing user profiles, and predicting consumer behaviour are cornerstones of highly concentrated Internet markets, designing privacy laws that do not have immediate implications for antitrust policy (or vice versa) is nearly impossible.
We find that even websites catering to a non-EU audience reduce their use of third-party web technology providers after the GDPR and that websites increasingly rely on web technology providers in the EU. This is consistent with the broad territorial application of the GDPR. Under general principles of international public law, the EU cannot regulate the processing of personal data that takes place outside of and is not related to the EU. Yet, the EU has expanded the de facto territorial reach of European privacy laws well beyond the geographical boundaries of the EU.
First, the GDPR has adopted an extensive interpretation of territorial applicability, binding websites and web technology providers regardless of their location as long as they cater to people located in the EU. Second, as complying with the GDPR is costly, some global technology companies have decided to apply the GDPR to all their consumers worldwide, even though the GDPR does not require them to do so. These companies save costs by not offering two versions of their products and services (EU and non-EU).1
This suggests that European Commission regulations are indeed exported to firms outside their immediate territory and as such affect trade opportunities and ultimately flows. Put simply, privacy regulations, much like national quality standards, can function as nonpecuniary barriers to trade, especially if enacted by a large economic area like the EU.
Acquisti, A, and J Grossklags (2005), “Privacy and rationality in individual decision making”, IEEE Security & Privacy 3: 26–33.
Bradford, A (2012), “The Brussels Effect”, Northwestern University Law Review 107(1): 1–68.
Campbell, J, A Goldfarb and C Tucker (2015), “Privacy regulation and market structure”, Journal of Economics & Management Strategy 24: 47–73.
European Commission (2012), “Impact assessment accompanying the document Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) and Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data”, SEC(2012) 72 final.
Gal, M S, and O Aviv (2019), “The competitive effects of the GDPR”, working paper.