Blog Post

Trading invisibles: Exposure of countries to GDPR

This blog post identifies provisions of the EU’s General Data Protection Regulation (GDPR) that affect foreign companies, and discusses implications for trade in services with the EU. The authors provide a novel mapping of countries’ relative exposure to these regulations by a) measuring the digital maturity of their service exports to the EU; and b) the share of these exports in national GDP.

By: and Date: June 28, 2018 Topic: European Macroeconomics & Governance

The General Data Protection Regulation (GDPR) became active on May 25th 2018. It aims to increase the protection of natural persons’ personal data (Art. 1) and to regulate the processing of personal data (Art. 2). We expect trade flows in services to be more affected by these privacy safeguards than trade flows in goods, given their greater dependence on data[1]. We therefore analyse which countries would have to make significant adjustments to their data architecture to prevent a decline in their service exports to the EU.

Two important aspects of GDPR are relevant to service exporters. First, it requires changes in the way companies manipulate personal data. Second, it requires companies to reform management of data transfers with different countries. We will discuss both in turn.

Firstly, GDPR establishes many new requirements for the processing of data within a company, with extra-territorial implications. Indeed, foreign companies established in the EU and companies abroad that collect or process data on EU-based individuals have a new set of regulatory requirements by which they must abide (Art. 3(1) to 3(3)). Therefore, companies with significant commercial interests that rely on personal data from people in the EU are directly affected by GDPR.

In fact, GDPR mandates such companies to undertake a broad set of technical and organisational measures[2]. These requirements are developed to ensure that personal data is processed fairly, transparently, securely and for an explicit and legitimate purpose. These provisions also ensure that the data collected is accurate, is stored only temporarily, and is limited to what is necessary for the stated purposes (Art. 5). Compliance with this new set of regulatory requirements will likely result in higher costs for concerned companies.

Secondly, an additional aspect of GDPR relevant to our analysis relates to the transfers of personal data across companies in different countries. As stated in Article 44, data transfers to a third country and between third countries should not undermine the level of protection established by GDPR.

The regulation, therefore, describes two situations where transfers to a third country are allowed. If the Commission has decided that the third country (wholly or partially) guarantees an adequate level of protection, then transfers of data do not require specific authorisation (Art. 45). Currently, 10 countries have already obtained the status of “full” adequacy for protection of data, in addition to the three EEA countries (Iceland, Liechtenstein and Norway). Adequacy talks are ongoing with Japan and South Korea. Commercial organisations in Canada also have mutual adequacy, as do transfers to the US in the context of the Privacy Shield. If there is no adequacy decision made, a transfer can take place only if the company sets up appropriate safeguards to ensure the level of protection, such as new contractual clauses (Art. 46). These requirements on transfers are an additional compliance burden for service exporters to the EU that are part of a global supply chain.

Although compliance with GDPR is costly, non-compliance could also impose costs in the form of sanctions. These sanctions are designed as administrative fines of up to €20 million or 4% of global turnover (whichever is highest) and are implemented by supervisory authorities in every Member State (Art. 83). As a result, there is a clear enforcement mechanism embedded in the GDPR which incentivises companies to abide by its standards.

Furthermore, since compliance will be costly, GDPR will have an impact on the profitability of doing business with personal data from individuals in the EU. Indeed, foreign companies exporting services to the EU and relying on this personal data for their business processes (such as telecommunications or IT-related services) will have to adapt their data protection approach and, ultimately, will have to upgrade their business models in order to continue trading with the EU, lest they face a fine.

Due to these new regulatory obligations, we can expect the profitability of foreign companies relying on personal data from the EU to be affected. The range of countries concerned is also important. Indeed, the EU imported €0.7 trillion-worth of services from abroad in 2015, 60% of which came from trade partners that have much less than 5% of the total share – as illustrated in Figure 1.

Moreover, countries exporting more data-intensive services to the EU could face greater exposure to the impact of GDPR. To capture this exposure, we first compute an index of the digital maturity (DMX) of a country’s service exports to the EU. This is calculated by the following ratio where subscripts i and j refer to country and service sector respectively.

Dependence on data flows for a service sector is proxied with the importance of investment in software in that service sector (softinvest) provided in the OECD’s Science, Technology and Industry Scoreboard 2017. Based on this measure, we can rank service sectors according to the software intensity of their production technologies. We then use data on service exports of 31 non-EU countries to the EU (servexports) extracted from Eurostat Balance of Payments for the year 2015. These values cover services supplied via modes one (cross-border supply), two (consumption abroad) and four (presence of natural persons).

The underlying logic of using the DMX index is that countries exporting digitally mature services to the EU (such as finance and insurance services) face greater urgency in adopting the EU’s data protection regulations. Variation in the DMX index across countries stems from exploiting two dimensions of heterogeneity: Firstly, countries export different services to the EU (see Figure 2) and secondly, service sectors differ in their dependence on data.

Countries whose service exports to the EU constitute a greater share of their GDP are likely to be more exposed to the new EU regulatory constraints than others. Hence, we calculated the ratio of total service exports to the EU against the annual GDP for every country in our sample. Data on GDP for the same year was obtained from the IMF’s World Economic Outlook tables.

All in all, countries that a) export services extensively to the EU; and b) export more digitally mature services to the EU, face higher exposure to GDPR. The scatter plot in Figure 3 provides an informative visual representation of this concept. Countries are coloured by their current adequacy status. Movement from the bottom left to the upper right corner in this ‘heatmap’ can be understood as an increase in a country’s GDPR exposure.

As we can draw from Figures 2 and 3, the GDPR compliance of Switzerland, Liechtenstein and the US (limited to the Privacy Shield) is critical considering that these countries export data-intensive services relatively extensively to the EU.

In addition, India appears to be comparatively more exposed than China – an observation that is not obvious from simply comparing the magnitude of their total service sector exports to the EU. A 46.04% share of India’s exports to the EU comprises “Other business services” (legal, accounting, R&D, consultancy etc.) and “Telecommunications, computer and information services” (20.5%). Both services categories are digitally mature as measured by software investments. For China, these sectors respectively comprise 42.8% and 3.15% of total service exports to the EU. Hence, making certain to account for the rich variation both in countries’ service export baskets to the EU and in digital maturity across services is key to understanding the differential implications for countries arising from GDPR.

The high levels of exposure of Singapore and Hong Kong suggests that alignment with EU’s data protection norms will be important for their services trade moving forward as they currently do not have adequacy status.

We also observe that the DMX value for Japan (0.543) is nearly double that of South Korea (0.285). Hence, the successful completion of ongoing negotiations on GDPR may be more critical for service trade with Japan, in comparison to South Korea.

Finally, Turkey is an important service provider to the EU. However, travel-related services comprise nearly 53% of its service exports – as can be seen in Figure 2. Since this sector is relatively low on digital maturity, one can expect service trade with Turkey to be less disrupted by new privacy regulations in the EU.

What will be the implications of GDPR for the UK following Brexit? In 2015, the UK exported nearly €140 billion of services to the EU27, placing it as the second largest service provider to the EU behind the US (€170 billion) and before Switzerland (€66 billion).

The UK’s service exports to the EU are mainly within two categories of digitally mature industries – namely, finance and business services (including R&D, legal, professional services etc.). They account for 56% of the total services sold to the EU (House of Commons Briefing Paper). Given the volume and composition of these service exports, the harmonisation of data protection standards with the EU will be crucial for the UK.

In a Notice to Stakeholders in January 2018, the European Commission stated that the UK would have ‘third country’ status for GDPR (i.e. non-EU and non-EEA) after Brexit. In order to maintain uninterrupted data transfers, the UK would require an adequacy decision from the EU or firms would need to adopt contractual safeguards. Since adequacy talks can take several months, the consequent regulatory uncertainty may adversely affect the UK’s service exports to the EU. However, the recent modernisation of the UK’s privacy framework under the Data Protection Act (DPA) 2018 could facilitate matters.

In this blog post, we have analysed the implications of GDPR for trade in services. However, GDPR may have far-reaching consequences for trade in goods with the EU as well – for example, services such as R&D, software and engineering that are embedded in manufacturing exports are digitally mature. The growing share of value added by such service sectors in the final output of manufacturing industries hence constitutes an additional channel through which countries may be exposed to the GDPR. In conclusion, GDPR will have different implications for different trade partners of the EU. While the range of countries concerned by GDPR is broad, some countries should feel more concerned than others. This heterogeneity of impact should inform EU policy-makers in their efforts to make GDPR the global standard for personal data protection.

[1] Based on the intensity of software investment per sector, provided by OECD Science, Technology and Industry Scoreboard (2017).

[2] These are detailed in Articles 24, 25, 27, 28, 30, 32, 35 and 37.


Republishing and referencing

Bruegel considers itself a public good and takes no institutional standpoint. Anyone is free to republish and/or quote this post without prior consent. Please provide a full reference, clearly stating Bruegel and the relevant author as the source, and include a prominent hyperlink to the original post.

Read article More by this author
 

Podcast

Podcast

One rule to ring them all? Europe's financial markets after Brexit

What effect will brexit have on Europe's financial markets?

By: The Sound of Economics Topic: European Macroeconomics & Governance, Global Economics & Governance Date: June 26, 2020
Read article Download PDF More on this topic
 

External Publication

EU-China trade and investment relations in challenging times

In this report, we have focused on trade and investment relations and have not attempted to define the many other policy instruments that the EU can and should pursue to increase its leverage towards China, and to protect its domestic economy while boosting domestic investment and trade.

By: Alicia García-Herrero, Guntram B. Wolff, Jianwei Xu, Niclas Poitiers, Gabriel Felbermayr, Rolf J. Langhammer, Wan-Hsin Liu and Alexander Sandkamp Topic: Global Economics & Governance Date: June 4, 2020
Read article More on this topic More by this author
 

Opinion

COVID-19 and India: economic impact and response

This piece was published the day before India imposed one of the world's strictest lockdowns in its response to the COVID-19 response. It remains relevant in assessing the government's actions in the ten weeks that have since passed.

By: Suman Bery Topic: Global Economics & Governance Date: May 27, 2020
Read article More on this topic More by this author
 

Opinion

How will COVID-19 impact Brexit? The collision of two giant policy imperatives

The United Kingdom left the European Union on Jan. 31, 2020. Now, the U.K. must decide whether and how to extend the transition period, currently set to expire at the end of 2020.

By: Rebecca Christie Topic: European Macroeconomics & Governance Date: May 19, 2020
Read article Download PDF More on this topic
 

Policy Contribution

The European Union’s post-Brexit reckoning with financial markets

In the negotiations between the European Union and the United Kingdom over their future relationship, we see a high probability of a weak contractual outcome, given the dominance of politics over considerations of market efficiency.

By: Rebecca Christie and Thomas Wieser Topic: European Macroeconomics & Governance Date: May 13, 2020
Read about event More on this topic
 

Past Event

Past Event

Keeping trade open during and after Covid-19

This event examines the impact of the Covid-19 crisis on open markets and connected supply chains globally.

Speakers: Maria Demertzis, André Sapir, Senator the Hon Simon Birmingham and Rebecca Fatima Sta Maria Topic: Global Economics & Governance Date: April 30, 2020
Read article More on this topic More by this author
 

Blog Post

What the EU should do and not do on trade in medical equipment

The European Union has introduced export controls on some medical supplies. This was a mistake. It should announce that it is withdrawing the measure, and call on other countries to do the same.

By: André Sapir Topic: European Macroeconomics & Governance Date: March 25, 2020
Read about event
 

Past Event

Past Event

ONLINE ROUND TABLE: Future of the EU-UK science cooperation

How do we rebuild and keep the science cooperation between the EU and the UK?

Speakers: Michael Leigh and Beth Thompson Topic: European Macroeconomics & Governance, Innovation & Competition Policy Location: Bruegel, Rue de la Charité 33, 1210 Brussels Date: March 17, 2020
Read about event More on this topic
 

Past Event

Past Event

CANCELLED: India-EU Partnership: New Vistas for the Next Decade

Policymakers, academics and private sector actors from the EU and India come together to work on common issues and explore further areas of cooperation.

Speakers: Yamini Aiyar, Suman Bery, Navroz K Dubash, Alicia García-Herrero, Rajat Kathuria, Partha Mukhopadhyay, Ananth Padmanabhan, Georgios Petropoulos, André Sapir, Shyam Saran, Simone Tagliapietra and Marc Vanheukelen Topic: Global Economics & Governance Location: India International Centre, Lodhi Gardens, Lodhi Estate, New Delhi, Delhi, India Date: March 12, 2020
Read article More on this topic
 

Blog Post

What can the EU learn from the China-Switzerland free trade agreement?

The US-China trade war has placed EU trade relations with China under the microscope. Should the EU challenge China’s trade practices and employ trade defence measures? Or should they be diplomatic and embark on negotiations, perhaps paving the way to a Free Trade Agreement? Close examination of the 2013 agreement between China and Switzerland suggests much will have to change for trade negotiations between China and the EU to succeed.

By: Uri Dadush and Marta Domínguez-Jiménez Topic: Global Economics & Governance Date: March 3, 2020
Read about event More on this topic
 

Past Event

Past Event

The Sound of Economics Live - The Brussels effect: How the European Union rules the world

This was a live recording of an episode of the Sound of Economics, Bruegel's podcast series. The discussion centered around the book of Anu Bradford, The Brussels Effect.

Speakers: Anu Bradford, Ashoka Mody, Giuseppe Porcaro and Guntram B. Wolff Topic: European Macroeconomics & Governance Location: Bruegel, Rue de la Charité 33, 1210 Brussels Date: March 3, 2020
Read article More on this topic More by this author
 

Opinion

Companies must move supply chains further from China

Virus shows Southeast Asian factories too dependent on imported production inputs

By: Alicia García-Herrero Topic: Global Economics & Governance Date: February 28, 2020
Load more posts