Studying the economic impact of the implementation of the General Data Protection Regulation (GDPR) since 2018, a superfluous exercise? Not for the CNIL, even if it highlights the methodological difficulties of such an exercise.
In addition, the French regulator notes that the studies published to date “focus on costs without sufficiently measuring the benefits for companies and the well-being gains for people.”
GDPR to address market flaws
The costs of compliance are perhaps the easiest to measure. Of course, they “are real and inevitable”, recognizes the CNIL. However, the authority adds that they correspond to an “investment in compliance”.
And this investment “includes economic benefits.” Thus, “one of the virtues of the GDPR can be, by allowing better information and more rationality in choices” would be “to resolve market flaws.”
The CNIL also considers it necessary to qualify the effects of the implementation of the GDPR on French companies. According to studies, the impacts go “in both directions”. In addition, they depend on the economic activity and the nature of the business model.
Finally, “certain operations are more supervised”. This is the case, for example, of canvassing and reselling customer data. Others, on the contrary, argues the CNIL, “are facilitated by the increase in customer confidence.”
Benefits too, but less easily observable
The regulator, however, wants to be cautious in analyzing the real impacts of the GDPR. The first reason is “methodological difficulties”. As a result, “it is complicated (…) to isolate the specific effect of the GDPR.”
The CNIL also encourages the benefits for businesses and individuals to be taken into account. She concedes that the benefits of compliance for businesses are “less easily observable.”
From a qualitative point of view, the CNIL estimates multiple ROIs: reputation in the eyes of customers and partners, IT security, knowledge of available data, etc. “It would be useful for economists to try to objectify these gains to achieve a real cost/benefit analysis,” she reacts.
But if the Authority highlights the shortcomings of economic studies, it nevertheless draws lessons. Among these, the importance of “providing companies with tools adapted to their needs, thus reducing the cost of compliance” and providing “legal certainty.”
Regulation favorable to big players
She also notes that the “GDPR is proportionally more favorable to large economic players”. The reason is simple: they have “more resources to devote to compliance” – even if they are otherwise “monitored more regularly.”
The CNIL therefore considers it necessary to “actively compensate for this trend with a demanding policy towards large players, and even more so with very large players”. This involves “an asymmetric dimension of its regulatory action”.
This asymmetry, in accordance with the joint CNIL-Competition Authority declaration of December 2023, the CNIL already claims to assume. And she will assume it even more in the future, she warns.