Blog Post

Trading invisibles: Exposure of countries to GDPR

This blog post identifies provisions of the EU’s General Data Protection Regulation (GDPR) that affect foreign companies, and discusses implications for trade in services with the EU. The authors provide a novel mapping of countries’ relative exposure to these regulations by a) measuring the digital maturity of their service exports to the EU; and b) the share of these exports in national GDP.

By: and Date: June 28, 2018 Topic: Global economy and trade

The General Data Protection Regulation (GDPR) became active on May 25th 2018. It aims to increase the protection of natural persons’ personal data (Art. 1) and to regulate the processing of personal data (Art. 2). We expect trade flows in services to be more affected by these privacy safeguards than trade flows in goods, given their greater dependence on data[1]. We therefore analyse which countries would have to make significant adjustments to their data architecture to prevent a decline in their service exports to the EU.

Two important aspects of GDPR are relevant to service exporters. First, it requires changes in the way companies manipulate personal data. Second, it requires companies to reform management of data transfers with different countries. We will discuss both in turn.

Firstly, GDPR establishes many new requirements for the processing of data within a company, with extra-territorial implications. Indeed, foreign companies established in the EU and companies abroad that collect or process data on EU-based individuals have a new set of regulatory requirements by which they must abide (Art. 3(1) to 3(3)). Therefore, companies with significant commercial interests that rely on personal data from people in the EU are directly affected by GDPR.

In fact, GDPR mandates such companies to undertake a broad set of technical and organisational measures[2]. These requirements are developed to ensure that personal data is processed fairly, transparently, securely and for an explicit and legitimate purpose. These provisions also ensure that the data collected is accurate, is stored only temporarily, and is limited to what is necessary for the stated purposes (Art. 5). Compliance with this new set of regulatory requirements will likely result in higher costs for concerned companies.

Secondly, an additional aspect of GDPR relevant to our analysis relates to the transfers of personal data across companies in different countries. As stated in Article 44, data transfers to a third country and between third countries should not undermine the level of protection established by GDPR.

The regulation, therefore, describes two situations where transfers to a third country are allowed. If the Commission has decided that the third country (wholly or partially) guarantees an adequate level of protection, then transfers of data do not require specific authorisation (Art. 45). Currently, 10 countries have already obtained the status of “full” adequacy for protection of data, in addition to the three EEA countries (Iceland, Liechtenstein and Norway). Adequacy talks are ongoing with Japan and South Korea. Commercial organisations in Canada also have mutual adequacy, as do transfers to the US in the context of the Privacy Shield. If there is no adequacy decision made, a transfer can take place only if the company sets up appropriate safeguards to ensure the level of protection, such as new contractual clauses (Art. 46). These requirements on transfers are an additional compliance burden for service exporters to the EU that are part of a global supply chain.

Although compliance with GDPR is costly, non-compliance could also impose costs in the form of sanctions. These sanctions are designed as administrative fines of up to €20 million or 4% of global turnover (whichever is highest) and are implemented by supervisory authorities in every Member State (Art. 83). As a result, there is a clear enforcement mechanism embedded in the GDPR which incentivises companies to abide by its standards.

Furthermore, since compliance will be costly, GDPR will have an impact on the profitability of doing business with personal data from individuals in the EU. Indeed, foreign companies exporting services to the EU and relying on this personal data for their business processes (such as telecommunications or IT-related services) will have to adapt their data protection approach and, ultimately, will have to upgrade their business models in order to continue trading with the EU, lest they face a fine.

Due to these new regulatory obligations, we can expect the profitability of foreign companies relying on personal data from the EU to be affected. The range of countries concerned is also important. Indeed, the EU imported €0.7 trillion-worth of services from abroad in 2015, 60% of which came from trade partners that have much less than 5% of the total share – as illustrated in Figure 1.

Moreover, countries exporting more data-intensive services to the EU could face greater exposure to the impact of GDPR. To capture this exposure, we first compute an index of the digital maturity (DMX) of a country’s service exports to the EU. This is calculated by the following ratio where subscripts i and j refer to country and service sector respectively.

Dependence on data flows for a service sector is proxied with the importance of investment in software in that service sector (softinvest) provided in the OECD’s Science, Technology and Industry Scoreboard 2017. Based on this measure, we can rank service sectors according to the software intensity of their production technologies. We then use data on service exports of 31 non-EU countries to the EU (servexports) extracted from Eurostat Balance of Payments for the year 2015. These values cover services supplied via modes one (cross-border supply), two (consumption abroad) and four (presence of natural persons).

The underlying logic of using the DMX index is that countries exporting digitally mature services to the EU (such as finance and insurance services) face greater urgency in adopting the EU’s data protection regulations. Variation in the DMX index across countries stems from exploiting two dimensions of heterogeneity: Firstly, countries export different services to the EU (see Figure 2) and secondly, service sectors differ in their dependence on data.

Countries whose service exports to the EU constitute a greater share of their GDP are likely to be more exposed to the new EU regulatory constraints than others. Hence, we calculated the ratio of total service exports to the EU against the annual GDP for every country in our sample. Data on GDP for the same year was obtained from the IMF’s World Economic Outlook tables.

All in all, countries that a) export services extensively to the EU; and b) export more digitally mature services to the EU, face higher exposure to GDPR. The scatter plot in Figure 3 provides an informative visual representation of this concept. Countries are coloured by their current adequacy status. Movement from the bottom left to the upper right corner in this ‘heatmap’ can be understood as an increase in a country’s GDPR exposure.

As we can draw from Figures 2 and 3, the GDPR compliance of Switzerland, Liechtenstein and the US (limited to the Privacy Shield) is critical considering that these countries export data-intensive services relatively extensively to the EU.

In addition, India appears to be comparatively more exposed than China – an observation that is not obvious from simply comparing the magnitude of their total service sector exports to the EU. A 46.04% share of India’s exports to the EU comprises “Other business services” (legal, accounting, R&D, consultancy etc.) and “Telecommunications, computer and information services” (20.5%). Both services categories are digitally mature as measured by software investments. For China, these sectors respectively comprise 42.8% and 3.15% of total service exports to the EU. Hence, making certain to account for the rich variation both in countries’ service export baskets to the EU and in digital maturity across services is key to understanding the differential implications for countries arising from GDPR.

The high levels of exposure of Singapore and Hong Kong suggests that alignment with EU’s data protection norms will be important for their services trade moving forward as they currently do not have adequacy status.

We also observe that the DMX value for Japan (0.543) is nearly double that of South Korea (0.285). Hence, the successful completion of ongoing negotiations on GDPR may be more critical for service trade with Japan, in comparison to South Korea.

Finally, Turkey is an important service provider to the EU. However, travel-related services comprise nearly 53% of its service exports – as can be seen in Figure 2. Since this sector is relatively low on digital maturity, one can expect service trade with Turkey to be less disrupted by new privacy regulations in the EU.

What will be the implications of GDPR for the UK following Brexit? In 2015, the UK exported nearly €140 billion of services to the EU27, placing it as the second largest service provider to the EU behind the US (€170 billion) and before Switzerland (€66 billion).

The UK’s service exports to the EU are mainly within two categories of digitally mature industries – namely, finance and business services (including R&D, legal, professional services etc.). They account for 56% of the total services sold to the EU (House of Commons Briefing Paper). Given the volume and composition of these service exports, the harmonisation of data protection standards with the EU will be crucial for the UK.

In a Notice to Stakeholders in January 2018, the European Commission stated that the UK would have ‘third country’ status for GDPR (i.e. non-EU and non-EEA) after Brexit. In order to maintain uninterrupted data transfers, the UK would require an adequacy decision from the EU or firms would need to adopt contractual safeguards. Since adequacy talks can take several months, the consequent regulatory uncertainty may adversely affect the UK’s service exports to the EU. However, the recent modernisation of the UK’s privacy framework under the Data Protection Act (DPA) 2018 could facilitate matters.

In this blog post, we have analysed the implications of GDPR for trade in services. However, GDPR may have far-reaching consequences for trade in goods with the EU as well – for example, services such as R&D, software and engineering that are embedded in manufacturing exports are digitally mature. The growing share of value added by such service sectors in the final output of manufacturing industries hence constitutes an additional channel through which countries may be exposed to the GDPR. In conclusion, GDPR will have different implications for different trade partners of the EU. While the range of countries concerned by GDPR is broad, some countries should feel more concerned than others. This heterogeneity of impact should inform EU policy-makers in their efforts to make GDPR the global standard for personal data protection.

[1] Based on the intensity of software investment per sector, provided by OECD Science, Technology and Industry Scoreboard (2017).

[2] These are detailed in Articles 24, 25, 27, 28, 30, 32, 35 and 37.


Republishing and referencing

Bruegel considers itself a public good and takes no institutional standpoint. Anyone is free to republish and/or quote this post without prior consent. Please provide a full reference, clearly stating Bruegel and the relevant author as the source, and include a prominent hyperlink to the original post.

Read about event
 

Upcoming Event

May
19
15:00

Three data realms: Managing the divergence between the EU, the US and China in the digital sphere

Major economies are addressing the challenges brought by digital trade in different ways, resulting in diverging regulatory regimes. How should we view these divergences and best deal with them?

Speakers: Susan Ariel Aaronson, Henry Gao, Esa Kaunistola and Niclas Poitiers Topic: Digital economy and innovation, Global economy and trade Location: Bruegel, Rue de la Charité 33, 1210 Brussels
Read article More on this topic More by this author
 

Podcast

Podcast

Global trade Down Under

A conversation on the global trading landscape.

By: The Sound of Economics Topic: Global economy and trade Date: May 4, 2022
Read article More on this topic
 

Blog Post

The decoupling of Russia: European vulnerabilities in the high-tech sector

Although Russia bears the brunt of Western high-tech sanctions, the European Union will face challenges in sectors where it relies on Russian and Ukrainian commodities and technologies.

By: Monika Grzegorczyk, J. Scott Marcus, Niclas Poitiers and Pauline Weil Topic: Global economy and trade Date: April 12, 2022
Read article More on this topic
 

Blog Post

The impact of the war in Ukraine on food security

Global food production will be sufficient to feed the global population this year. But export bans, high prices and increasing transport cost might prevent vulnerable countries from procuring sufficient food supplies. Measures to ensure global access to scarcer food supplies and to boost grain production are warranted.

By: Pauline Weil and Georg Zachmann Topic: Global economy and trade Date: March 21, 2022
Read article More on this topic More by this author
 

Opinion

China’s economic support for Russia is not a panacea

The EU is still Russia’s largest trading partner, actually several times bigger than China.

By: Alicia García-Herrero Topic: Global economy and trade Date: February 28, 2022
Read article More on this topic More by this author
 

Opinion

Global chip shortage may soon turn into an oversupply crisis

Only companies investing in advanced semiconductors will see their margins increase.

By: Alicia García-Herrero Topic: Global economy and trade Date: February 25, 2022
Read article Download PDF More on this topic More by this author
 

Policy Contribution

Is the post-war trading system ending?

This policy contribution assesses how the trading system has changed over the last five years – roughly coinciding with the start of the Trump administration and one year of President Biden – and sets out scenarios for how the situation might evolve.

By: Uri Dadush Topic: Global economy and trade Date: February 21, 2022
Read about event More on this topic
 

Past Event

Past Event

EU-India relations in a post-COVID world

Closed door event for a selection of experts on India and the EU to discuss the state and future of EU-India relations.

Speakers: Yamini Aiyar, Vinita Bali, François Godement, Sébastien Jean, Mohan Kumar, Silvia Piana, Shyam Saran and Guntram B. Wolff Topic: Global economy and trade Date: February 15, 2022
Read about event More on this topic
 

Past Event

Past Event

Towards an inventory of corporate subsidies by China, the EU and the USA

In this event, panellists discussed corporate subsidies by China, the European Union and the United States.

Speakers: Simon J. Evenett, Denis Redonnet, André Sapir and Reinhilde Veugelers Topic: Global economy and trade Date: February 2, 2022
Read article More on this topic More by this author
 

Podcast

Podcast

Understanding Japan’s economic relations with China

What can Europe learn?

By: The Sound of Economics Topic: Global economy and trade Date: January 12, 2022
Read article More on this topic
 

Opinion

How an open climate club can generate carbon dividends for the poor

The German-led G7 can accelerate decarbonisation while tackling climate justice.

By: Andreas Goldthau and Simone Tagliapietra Topic: Green economy Date: January 11, 2022
Read article Download PDF More on this topic More by this author
 

Working Paper

Timely measurement of real effective exchange rates

This paper contributes to the measurement of monthly consumer price index-based real effective exchange rates with two main novelties.

By: Zsolt Darvas Topic: Global economy and trade Date: December 23, 2021
Load more posts