Event “GDPR: What Economic Impact?” – Summary of the discussions

28 October 2025


To provide a forum for discussing the economic impacts of the GDPR, the CNIL and the Directorate General of the Treasury organized an international academic event on May 20, 2025, bringing together economists and regulators. This report summarizes the key insights and discussions that emerged from the event.

To provide a forum for discussion on the economic impacts of GDPR, the CNIL and the French Treasury (Direction générale du Trésor) organized an international academic event on 20 May 2025. The conference brought together economists and regulators from France (CNIL) and across Europe (including the UK’s Information Commissioner’s Office and the European Commission), contributing to the ex post evaluation of the General Data Protection Regulation (GDPR)’s implementation through a new, more economic and concrete perspective.

The event attracted a broad audience of professionals, institutional representatives, and academics. With more than 350 participants online and around one hundred attending in person, it demonstrated the strong and growing interest of the regulatory community in these issues (see also the concept paper of the event below).

The participants

Opened by Marie-Laure DENIS, chair of the CNIL, and punctuated by three keynote speeches on the economic effects of the GDPR (Dorothée ROUZET, Chief Economist of the French Treasury), artificial intelligence (Philippe AGHION, Nobel Prize in Economics 2025 and Professor of Economics at the Collège de France and the London School of Economics) and the economics of privacy (Alessandro ACQUISTI, Professor at Carnegie Mellon University, United States), the event was structured around two roundtable discussions:

Round table 1 - Economic impact assessments of GDPR, methodology and key lessons

Moderator: Tom REYNOLDS, Chief economist of the ICO - Information Commissioner's Office (UK data protection authority)

  • Olivier MICOL, Head of the data protection unit at the European Commission (DG JUST C3)
  • Klaus MILLER, Assistant professor of marketing at HEC Paris (École des Hautes Études Commerciales)
  • Sam Ruiqing CAO, PhD in economics, assistant professor of management, Stockholm School of Economics
  • Andrea RENDA, Research director at CEPS (Center for European Policy Studies) in Brussels and Professor at the European University Institute in Florence.

Round table 2 - Impact of GDPR on innovation, competition, trust, and interregulatory aspects

Moderator: Bertrand du Marais, Councillor of State and CNIL commissioner

  • Nicholas MARTIN, PhD in political science, researcher at the Fraunhofer Institute, Germany
  • Christian REIMSBACH-KOUNATZE, Information economist at the OECD (Organisation for Economic Co-operation and Development)
  • Patrick WAELBROECK, Professor of industrial economics at Télécom Paris
  • Aymeric PONTVIANNE, Head of economic analysis, CNIL.

Grazia CECERE, Professor of economics at Institut Mines-Télécom Business School, hosted the event and contributed to its preparation, together with CNIL teams.

Economic impact assessments and fundamental rights

Marie-Laure DENIS’s opening speech first emphasized the relevance of the topic for both economists and regulators, noting that seven years after the GDPR came into force, economic impact studies of this regulation now constitute a substantial body of literature. It fell to the CNIL, the first data protection authority in continental Europe to establish a team of economists, to take the initiative to organize this event.

Marie-Laure DENIS also noted that the European Commission had recently put forward a legislative proposal for targeted simplification of the GDPR. The purpose of the day was not, of course, to debate potential revisions of the GDPR, as studies show that the issue is complex, not yet fully understood, and requires considerable caution. However, the interest of an academic discussion was to allow participants to begin forming their own informed opinions on the matter.

The GDPR protects fundamental rights but also has an economic objective: to support the free flow of personal data within the European Single Market and contribute to the economic integration of EU countries. In this way, the GDPR indeed promotes the development of a European market through a use of data that is more respectful of individual freedoms. These economic impact studies, due to their complexity and significance, are of great interest not only to economists but also to data protection authorities, as their actions can have economic effects of which they need to be aware, even though they are not market regulators in the strict sense.

The authorities’ objective is also to provide legal certainty, to identify the unintended consequences of their actions, and ultimately to guide markets so that consumers’ privacy preferences can be expressed.

While the economic literature has addressed the topic, it has largely focused on the compliance costs for businesses. Yet it is essential to compare these costs with the benefits (for both companies and citizens) to achieve a comprehensive assessment. Further research and evaluation are needed to obtain a full picture of GDPR’s economic effects, as the economist Garrett JOHNSON also explains.

These considerations also call for a more complex and nuanced analysis than the sometimes-heard discourse suggests. The goal is not to oppose regulation and economic progress, but to understand how the protection of fundamental rights enhances the overall economic well-being of society and how these phenomena can be modelled.

Economic impacts on the market

Following the same line of thought, Dorothée ROUZET’s keynote on the economic evaluation of GDPR - an important topic for the economic analysis of public policy - demonstrated that the regulation is not intended to discriminate against economic actors. The keynote identified three transmission channels for the economic effects of the GDPR: consumer welfare and awareness, the structuring of data markets, and the impact on innovation.

The keynote also emphasized that, even though the direct benefits of GDPR are not always immediately visible while the costs are more easily quantifiable, both effects must be considered. Estimating the impact on individual welfare is undoubtedly a challenging exercise, as it is difficult - but worthwhile - to compare monetary services with non-monetary considerations. Moreover, most contributions on this topic are theoretical, while the community needs more empirical evaluation.

Dorothée ROUZET also pointed out that protecting consumer choices provides another economic justification for the GDPR. Indeed, it can be difficult for consumers to assign a value to their own data. In the context of digital services and large platforms, protecting this data therefore requires encouraging privacy-respecting behaviours that allow individuals to control their information (for example, through the right to data portability or the right to object). Moreover, the business models of digital companies can affect market structure, potentially leading to dominant positions. The more data a company collects, the greater the potential impact on consumers. In this sense, privacy acts as a competitive parameter for digital platforms.

The GDPR can therefore play a role in increasing market contestability. For instance, the Apple ATT case shows that data protection cannot be used to justify anti-competitive practices, particularly given the current level of cooperation between data protection and competition authorities. Sanctions exist and can be significant. Consequently, when analysing the economic effects of GDPR, it is necessary to consider the overall proportionality of such sanctions.

The GDPR has not, however, led to the creation of a data market in Europe, nor was that its objective, even though the presence of significant negative externalities, a familiar concern for economists, might have supported such an outcome. Other regulations, such as the Digital Governance Act (DGA), were needed to address this. Nevertheless, the GDPR’s impact on trust can benefit data sharing. However, the analysis of the GDPR’s effects and its contribution to opening up the European Union market, another of its economic objectives, remains an open question.

Finally, the effects of the GDPR on innovation are multiple and far from one-sided. Data has become a key driver of innovation, whether serving as a dataset for AI models or enabling new use cases based on personal data. However, the use of such data can sometimes raise concerns, particularly in the case of dominant digital platforms. It is therefore important to examine the effectiveness of the regulation in order to maintain a level playing field among all market participants.

Measuring the disparities between companies with different capacities to comply with the regulation is also an important issue for many sectors, in order to promote an innovation approach that is GDPR-compliant by design. This category of innovations helps enhance user trust.

A methodology in development

The discussions during the first round table on economic impact studies and their methodologies highlighted the importance of time in estimating effects across multiple heterogeneous groups. Relevant and extensive data sources are therefore required. One possible approach could be to conduct highly targeted studies, but this would limit the scope of the analysis. It is also necessary to distinguish between short-term and long-term effects.

According to Andrea RENDA, the current literature reveals just how complex the data economy truly is. The neoclassical framework may not be the most suitable for this exercise. As already noted, it is also important to be wary of the “lamp post effect”, which leads one to focus only on what has been illuminated or measured while ignoring everything else.

There are also ongoing reflections on adapting the GDPR to economic developments, as Olivier MICOL agreed. In this regard, the European Commission remains active. The challenge of such an evaluation lies in maintaining the predictability and coherence of the regulation. It is also necessary to take other regulations into account in order to determine the GDPR’s actual effects.

Klaus MILLER presented his academic work on the impact of the GDPR on online tracking and internet usage. This work follows a complementary logic: a negative impact on traffic represents a cost for businesses, while a reduction in online tracking represents a privacy gain for the individuals concerned.

The methodology involves observing a so-called “treatment group” subject to the GDPR and a so-called “control group” not subject to it, serving as a counterfactual. One challenge lies in defining the control group due to the territorial scope of the GDPR. Another challenge is that online tracking data are also subject to consent, so it is necessary to ensure that the data source itself is not affected by the GDPR.

While methodological solutions for conducting these evaluations are not straightforward, some are more effective than others, particularly methods that allow the study of losses for businesses, rather than the more difficult, but valuable, measurement of benefits.

The dynamic effect of the GDPR is also difficult to address. Most studies focus on its short-term impact, as the long-term effect is harder to isolate. Nevertheless, it can be expected that companies will adapt to the regulation over the long term, through innovations facilitating compliance or according to the observed level of effective GDPR enforcement.

There is also a real challenge in methodologically differentiating between large and smaller companies, as relevant data on smaller firms are often unavailable. Additionally, observing data from companies operating in multiple countries can be a challenge. The quality of the data itself can vary greatly depending on the criteria being examined. A sectoral effect can also be observed: sectors already subject to strong regulation (for example, the banking sector) faced fewer difficulties in achieving compliance, which limits the GDPR’s impact on costs.

Even though the samples can sometimes be small, it is possible to show that, following the GDPR, various economic impacts have occurred, but none have had substantial, lasting negative effects on the market. These impacts are highly heterogeneous across the sites concerned, suggesting a change in user behaviour, with individuals concentrating their online activity and data sharing on a smaller number of websites they trust.

Sam Ruiqing CAO found in her research that companies more exposed to the GDPR in the United States experienced a greater increase in operating results. A potential explanation is the streamlining of data processing and better monetisation of the data held by these companies. Methodological challenges concern data availability and sampling issues. One possible solution would be the standardisation of the measures used. 

GDPR impact and AI regulation: intersecting perspectives

Philippe AGHION delivered a keynote on AI and its regulation. There are debates regarding the potential economic impact of AI. Some economists, such as Daron ACEMOGLU, are rather sceptical about the economic growth that AI might generate. However, these estimates should be seen more as lower-bound approximations. By extrapolating the impact of other innovations that triggered industrial revolutions, such as electricity, one finds a strongly positive effect of AI on growth. Additionally, AI could accelerate the pace of innovation by automating the creation of new ideas.

Other studies indicate that AI will have positive effects on both productivity and employment. There is no reason for concern regarding overall job numbers, although the conditions of competition among workers and certain types of employment could be affected. This is particularly the case in the IT and digital technology sectors, as this revolution is driven by major tech companies. The main obstacles to AI development are the lack of competition and access to computing power, meaning that regulation can play a positive role.

Regarding data, the keynote cited Jean TIROLE, who argued that regulations restricting the storage and use of data tend to favour large players and internal data collection due to increasing returns in this area. However, exempting SMEs would not be optimal, and it is preferable to standardise implementation while helping SMEs adapt. Another issue is the unequal distribution of data along the value chain, which also raises competitive concerns. Large players are often unwilling to share their data, and such data accumulation behaviours generate challenges for AI, highlighting the importance of data portability in reducing these advantages.

The GDPR allows for predominantly ex-post regulation. However, some countries, such as France, have chosen an ex-ante approach for health data. Philippe AGHION, advocating for greater harmonisation of the internal market, refers in this context to his 2024 report on generative AI. From this perspective, data and the ways in which they can be used are crucial for AI, creating challenges related to personal data under both the GDPR and the AI Regulation.

What are the impacts of the GDPR on innovation, competition, and trust?

The second round table highlighted the importance of the GDPR for trust. Trust is essential for the adoption of innovations, particularly when they involve monetary transactions. According to Patrick WAELBROECK, consumers are not in a position to know all the risks they may face. There is an information asymmetry between companies and consumers regarding the use of their data. The presence of strong institutions, particularly in terms of enforcement and sanctions, is therefore crucial. In fact, higher, more dissuasive sanctions should be favored.

Nevertheless, measuring these impacts remains challenging for both researchers and companies. To undertake this exercise, companies must be able to understand how data is being used. This entails costs, but it also provides an opportunity to build more comprehensive data governance. If they succeed, the long-term impact can be positive. Indeed, compliance costs exist, particularly as a one-time fixed cost.

Nicholas MARTIN pointed out that the GDPR reduces access to user data, resulting empirically in a slight short-term negative impact on innovation. However, this is subsequently offset by the significant development of the Privacy Enhancing Technologies (PETs) sector, as these technologies can ultimately facilitate GDPR compliance.

The GDPR therefore shifts innovation towards forms that are less risky for society and can have a beneficial effect for individuals by promoting innovations that are more respectful of privacy.

One concern at the EU level is that the PETs sector has mainly developed in the United States, which signals a broader innovation issue in the EU that goes beyond the GDPR framework. PETs are still in development, but their adoption has been relatively slow, potentially indicating a market failure, as these solutions could nevertheless provide welfare gains to consumers. Demand remains fairly limited, supporting the case for strong regulatory incentives.

According to Christian REIMSBACH-KOUNATZE, data can act as a barrier to entry while simultaneously maximizing user trust. The literature should therefore take into account the importance of utility. It should also examine the relative success of data portability, a tool that fosters competition. Moreover, the link between competition and privacy is an important topic, as is the cooperation between these different authorities.

Aymeric PONTVIANNE presented the joint work between the French Autorité de la concurrence and the CNIL. The two authorities align their respective concepts and cooperate on common topics to leverage their mutual expertise and achieve higher-quality regulation, maximizing both privacy protection and competition. The goal is not so much to reduce tensions as to maximize synergies, providing legal certainty to the market.

Especially because this concerns the digital economy, where the same dominant players operate across most relevant sectors, it is important to question the origin and use of data. Certain business models can incentivize the illegal acquisition of personal data. If a company obtains data illegally, it gains a competitive advantage that facilitates the acquisition of even more data, and so on. It is therefore important for both authorities to cooperate in order to break this cycle.

Patrick WAELBROECK noted that this problem is now also present in the field of AI. The way companies collect and use data risks giving them a significant competitive advantage by raising costs for competitors. This also raises the issue of reusing data for AI training, which can be more advantageous for players who already possess large amounts of data.

International aspects

In her remarks, Marie-Laure DENIS recalled that the international effects of the GDPR (the so-called “Brussels effect”) illustrate the export of a European standard to the rest of the world, rather than a competitive disadvantage for European actors. In this sense, the GDPR promotes a level playing field while contributing to the creation of a global standard for the protection of fundamental rights.

It is also incorrect to view the GDPR as a non-tariff barrier to international trade, as Dorothée ROUZET noted in her keynote. The GDPR facilitates international data transfers through numerous mechanisms, and its positive impact on consumer trust also benefits service trade, and therefore countries that are highly specialized in these sectors. This is highlighted by recent work from international organizations such as the Organisation for Economic Co-operation and Development (OECD) and the World Trade Organisation (WTO).

What future for research in the economics of privacy?

Alessandro ACQUISTI’s final keynote provided a historical perspective on the supposed conflict between the economic valorisation of data and the respect for privacy. Alessandro ACQUISTI sees the influence of the Chicago School (Posner), which has profound implications for GDPR impact studies. This legacy is reflected in a certain scepticism toward government intervention in market regulation and a predominantly monetary view of privacy (revealed preferences), which tends to underestimate its importance for individuals. Privacy, according to Posner, is seen as a barrier to the flow of information in the market, for example in the labor market, potentially generating inefficiencies. To date, there is limited research on the benefits of data use, although redistribution can occur to the detriment of consumers, such as through personalized pricing.

Finally, Alessandro ACQUISTI, concluding the afternoon, challenged the common view that economic efficiency must be balanced against privacy protection. The costs associated with failing to respect privacy can be catastrophic in certain circumstances. For example, the genocide of the Rohingya people in Myanmar was partly driven by the promotion of hate-inciting content by a social network’s algorithms, which were trained on personal data indicating that such content generates engagement. Furthermore, the benefits of data circulation remain relatively understudied; the GDPR’s impact has been fairly limited on media content and mobile applications, and the effect on market concentration appears to be a short-term phenomenon, as illustrated by ongoing research with V. LEFRERE and C. CHEYRE.

These economic gains from data sharing therefore appear limited, and primarily benefit companies rather than consumers. Finally, the very notion of an incompatibility between data sharing and privacy is challenged by the development of PETs, such as differential privacy, which protects individuals’ privacy while only marginally reducing the value of the data.

Consideration of, and proper alignment with, other regulations is fundamental, particularly in relation to competition and consumer protection.

It is therefore necessary to adopt a perspective on the economics of privacy that goes beyond overly narrow theoretical frameworks, toward a broader microeconomic approach à la Jack HIRSHLEIFER. Once this is established, many uncertainties regarding the impact of the GDPR remain. Our understanding of the trade-offs between different objectives needs refinement. The short-term costs of GDPR are known, but its long-term impact remains uncertain, as do the actual economic consequences of data sharing and the benefits for individuals. Does such sharing ultimately harm them, for instance through surplus extraction via personalized pricing?

Research in these areas is still in its infancy, but these are the next topics of interest for obtaining a comprehensive view of the GDPR’s economic impact.