In 2016, the European Union ratified the General Data Protection Regulation, more commonly known as GDPR, to update the bloc’s data protection rules that dated to 1995. As the New York Times noted one day before the rules took effect, GDPR created “the world’s toughest rules to protect people’s online data.” Given the growing concern about data privacy, advocates in the United States have pressed Congress to legislate more stringent data protections, similar to GDPR.

While implementing more rigorous data protection requirements is generally good policy, the effects of the GDPR in Europe should serve as a clear warning to lawmakers in the United States about the dangers of overregulating data protection. The damage is particularly apparent in lost innovation and compliance costs that make operating expensive, particularly for small businesses that must comply with the same regulations as giants like Apple and Twitter. 

When GDPR took effect in 2018, it imposed several burdensome regulations on businesses operating on the continent, particularly those that handle consumer data. These included granting consumers the right to be forgotten, the right to restrict data processing, and the right to know what data companies hold on them, as well as requiring consent to collect consumer data. Failure to adhere to these standards could result in a fine of 20 million euros or 4% of annual revenue, whichever was greater.

Such substantial financial penalties have led to the collection of more than 1.6 billion Euros in fines since 2018. 

The most significant flaw of GDPR is that it dramatically raised compliance costs for European businesses and for companies of all sizes operating within the EU. For example, in 2018, the same year that GDPR took effect, EY and the International Association of Privacy Professionals calculated that companies spent $1.3 million on compliance with GDPR’s provisions.

For businesses looking to operate in Europe, meeting these compliance costs depresses their ability to develop new and innovative products, hire more staff to increase output, or invest in growing their business. For consumers, this means fewer, more expensive, and less innovative goods and services.

These compliance costs are particularly concerning because GDPR does not penalize companies equally. Rather, it unfairly discriminates against smaller companies. While large companies have the financial resources to meet these compliance costs, smaller companies do not, and many are being forced out of the European market. This concern is not abstract: the Financial Times has reported on “tech startups, video games makers and advertising businesses…pulling out of Europe” rather than paying the compliance costs. For businesses, an inability to meet GDPR’s strict standards ultimately means lost revenue, and for consumers, it means lost innovation and lost access to goods and services.

A recent report from the National Bureau of Economic Research has highlighted the significant damage GDPR has inflicted on innovation, particularly in the mobile app market. In their recent working paper, NBER found that GDPR “precipitated the exit of over a third of available apps; and following its enactment, the rate of new entry fell by 47.2 percent, in effect creating a lost generation of apps.”

While NBER’s research only focused on mobile applications, their work dovetails with broader startup investment declines that have plagued the continent since 2018. A 2021 study published in the academic journal Marketing Science, for example, found that since GDPR took effect, “investment in European startups has dropped by 36% compared to American or other global startups.” Investment loss is particularly harmful to consumers because investment drives access to new and innovative products.  

While advocates of more robust data protections are pushing for good policy for American consumers, the experience of Europe should serve as a clear warning to Washington about creating onerous regulations, particularly ones that mirror GDPR. Acknowledging the lost innovation and increased compliance costs makes it clear that Brussels has failed to balance privacy with a regulatory environment that unleashes innovation. Failing to acknowledge this lesson could ultimately see Washington repeating Brussels’ mistakes.

Congress must chart a path that strikes this balance. Lawmakers have been warned.