Blog Post

Trading invisibles: Exposure of countries to GDPR

This blog post identifies provisions of the EU’s General Data Protection Regulation (GDPR) that affect foreign companies, and discusses implications for trade in services with the EU. The authors provide a novel mapping of countries’ relative exposure to these regulations by a) measuring the digital maturity of their service exports to the EU; and b) the share of these exports in national GDP.

By: and Date: June 28, 2018 Topic: European Macroeconomics & Governance

The General Data Protection Regulation (GDPR) became active on May 25th 2018. It aims to increase the protection of natural persons’ personal data (Art. 1) and to regulate the processing of personal data (Art. 2). We expect trade flows in services to be more affected by these privacy safeguards than trade flows in goods, given their greater dependence on data[1]. We therefore analyse which countries would have to make significant adjustments to their data architecture to prevent a decline in their service exports to the EU.

Two important aspects of GDPR are relevant to service exporters. First, it requires changes in the way companies manipulate personal data. Second, it requires companies to reform management of data transfers with different countries. We will discuss both in turn.

Firstly, GDPR establishes many new requirements for the processing of data within a company, with extra-territorial implications. Indeed, foreign companies established in the EU and companies abroad that collect or process data on EU-based individuals have a new set of regulatory requirements by which they must abide (Art. 3(1) to 3(3)). Therefore, companies with significant commercial interests that rely on personal data from people in the EU are directly affected by GDPR.

In fact, GDPR mandates such companies to undertake a broad set of technical and organisational measures[2]. These requirements are developed to ensure that personal data is processed fairly, transparently, securely and for an explicit and legitimate purpose. These provisions also ensure that the data collected is accurate, is stored only temporarily, and is limited to what is necessary for the stated purposes (Art. 5). Compliance with this new set of regulatory requirements will likely result in higher costs for concerned companies.

Secondly, an additional aspect of GDPR relevant to our analysis relates to the transfers of personal data across companies in different countries. As stated in Article 44, data transfers to a third country and between third countries should not undermine the level of protection established by GDPR.

The regulation, therefore, describes two situations where transfers to a third country are allowed. If the Commission has decided that the third country (wholly or partially) guarantees an adequate level of protection, then transfers of data do not require specific authorisation (Art. 45). Currently, 10 countries have already obtained the status of “full” adequacy for protection of data, in addition to the three EEA countries (Iceland, Liechtenstein and Norway). Adequacy talks are ongoing with Japan and South Korea. Commercial organisations in Canada also have mutual adequacy, as do transfers to the US in the context of the Privacy Shield. If there is no adequacy decision made, a transfer can take place only if the company sets up appropriate safeguards to ensure the level of protection, such as new contractual clauses (Art. 46). These requirements on transfers are an additional compliance burden for service exporters to the EU that are part of a global supply chain.

Although compliance with GDPR is costly, non-compliance could also impose costs in the form of sanctions. These sanctions are designed as administrative fines of up to €20 million or 4% of global turnover (whichever is highest) and are implemented by supervisory authorities in every Member State (Art. 83). As a result, there is a clear enforcement mechanism embedded in the GDPR which incentivises companies to abide by its standards.

Furthermore, since compliance will be costly, GDPR will have an impact on the profitability of doing business with personal data from individuals in the EU. Indeed, foreign companies exporting services to the EU and relying on this personal data for their business processes (such as telecommunications or IT-related services) will have to adapt their data protection approach and, ultimately, will have to upgrade their business models in order to continue trading with the EU, lest they face a fine.

Due to these new regulatory obligations, we can expect the profitability of foreign companies relying on personal data from the EU to be affected. The range of countries concerned is also important. Indeed, the EU imported €0.7 trillion-worth of services from abroad in 2015, 60% of which came from trade partners that have much less than 5% of the total share – as illustrated in Figure 1.

Moreover, countries exporting more data-intensive services to the EU could face greater exposure to the impact of GDPR. To capture this exposure, we first compute an index of the digital maturity (DMX) of a country’s service exports to the EU. This is calculated by the following ratio where subscripts i and j refer to country and service sector respectively.

Dependence on data flows for a service sector is proxied with the importance of investment in software in that service sector (softinvest) provided in the OECD’s Science, Technology and Industry Scoreboard 2017. Based on this measure, we can rank service sectors according to the software intensity of their production technologies. We then use data on service exports of 31 non-EU countries to the EU (servexports) extracted from Eurostat Balance of Payments for the year 2015. These values cover services supplied via modes one (cross-border supply), two (consumption abroad) and four (presence of natural persons).

The underlying logic of using the DMX index is that countries exporting digitally mature services to the EU (such as finance and insurance services) face greater urgency in adopting the EU’s data protection regulations. Variation in the DMX index across countries stems from exploiting two dimensions of heterogeneity: Firstly, countries export different services to the EU (see Figure 2) and secondly, service sectors differ in their dependence on data.

Countries whose service exports to the EU constitute a greater share of their GDP are likely to be more exposed to the new EU regulatory constraints than others. Hence, we calculated the ratio of total service exports to the EU against the annual GDP for every country in our sample. Data on GDP for the same year was obtained from the IMF’s World Economic Outlook tables.

All in all, countries that a) export services extensively to the EU; and b) export more digitally mature services to the EU, face higher exposure to GDPR. The scatter plot in Figure 3 provides an informative visual representation of this concept. Countries are coloured by their current adequacy status. Movement from the bottom left to the upper right corner in this ‘heatmap’ can be understood as an increase in a country’s GDPR exposure.

As we can draw from Figures 2 and 3, the GDPR compliance of Switzerland, Liechtenstein and the US (limited to the Privacy Shield) is critical considering that these countries export data-intensive services relatively extensively to the EU.

In addition, India appears to be comparatively more exposed than China – an observation that is not obvious from simply comparing the magnitude of their total service sector exports to the EU. A 46.04% share of India’s exports to the EU comprises “Other business services” (legal, accounting, R&D, consultancy etc.) and “Telecommunications, computer and information services” (20.5%). Both services categories are digitally mature as measured by software investments. For China, these sectors respectively comprise 42.8% and 3.15% of total service exports to the EU. Hence, making certain to account for the rich variation both in countries’ service export baskets to the EU and in digital maturity across services is key to understanding the differential implications for countries arising from GDPR.

The high levels of exposure of Singapore and Hong Kong suggests that alignment with EU’s data protection norms will be important for their services trade moving forward as they currently do not have adequacy status.

We also observe that the DMX value for Japan (0.543) is nearly double that of South Korea (0.285). Hence, the successful completion of ongoing negotiations on GDPR may be more critical for service trade with Japan, in comparison to South Korea.

Finally, Turkey is an important service provider to the EU. However, travel-related services comprise nearly 53% of its service exports – as can be seen in Figure 2. Since this sector is relatively low on digital maturity, one can expect service trade with Turkey to be less disrupted by new privacy regulations in the EU.

What will be the implications of GDPR for the UK following Brexit? In 2015, the UK exported nearly €140 billion of services to the EU27, placing it as the second largest service provider to the EU behind the US (€170 billion) and before Switzerland (€66 billion).

The UK’s service exports to the EU are mainly within two categories of digitally mature industries – namely, finance and business services (including R&D, legal, professional services etc.). They account for 56% of the total services sold to the EU (House of Commons Briefing Paper). Given the volume and composition of these service exports, the harmonisation of data protection standards with the EU will be crucial for the UK.

In a Notice to Stakeholders in January 2018, the European Commission stated that the UK would have ‘third country’ status for GDPR (i.e. non-EU and non-EEA) after Brexit. In order to maintain uninterrupted data transfers, the UK would require an adequacy decision from the EU or firms would need to adopt contractual safeguards. Since adequacy talks can take several months, the consequent regulatory uncertainty may adversely affect the UK’s service exports to the EU. However, the recent modernisation of the UK’s privacy framework under the Data Protection Act (DPA) 2018 could facilitate matters.

In this blog post, we have analysed the implications of GDPR for trade in services. However, GDPR may have far-reaching consequences for trade in goods with the EU as well – for example, services such as R&D, software and engineering that are embedded in manufacturing exports are digitally mature. The growing share of value added by such service sectors in the final output of manufacturing industries hence constitutes an additional channel through which countries may be exposed to the GDPR. In conclusion, GDPR will have different implications for different trade partners of the EU. While the range of countries concerned by GDPR is broad, some countries should feel more concerned than others. This heterogeneity of impact should inform EU policy-makers in their efforts to make GDPR the global standard for personal data protection.

[1] Based on the intensity of software investment per sector, provided by OECD Science, Technology and Industry Scoreboard (2017).

[2] These are detailed in Articles 24, 25, 27, 28, 30, 32, 35 and 37.


Republishing and referencing

Bruegel considers itself a public good and takes no institutional standpoint. Anyone is free to republish and/or quote this post without prior consent. Please provide a full reference, clearly stating Bruegel and the relevant author as the source, and include a prominent hyperlink to the original post.

View comments
Read article More on this topic More by this author

Opinion

La lunga marcia della Cina sui porti europei

I porti sono una risorsa vitale per l'economia europea: oltre il 70% delle merci che attraversano le frontiere europee viaggiano via mare. L'anno scorso, il presidente della Commissione europea ha proposto di istituire un nuovo meccanismo europeo per la verifica degli investimenti esteri diretti tra le crescenti preoccupazioni sull'acquisizione di infrastrutture europee e attività ritenute strategiche dall'estero. Alla luce di questi sviluppi, riteniamo che sia utile concentrarsi sul crescente coinvolgimento della Cina nel sistema portuale europeo.

By: Simone Tagliapietra Topic: Global Economics & Governance Date: July 20, 2018
Read article More on this topic More by this author

Opinion

A Brexit deal is still not achieved

The UK paper should be seriously considered. While it breaks a number of European red-lines, it is also an attempt to solve some issues. The question is whether the EU will be ready to seriously negotiate. Geostrategic considerations suggest that it is time for the EU to do so.

By: Guntram B. Wolff Topic: European Macroeconomics & Governance Date: July 13, 2018
Read about event More on this topic

Past Event

Past Event

Designing a new institutional framework for UK-EU relations

Finding the right way forward for the EU and the UK.

Speakers: Raphael Hogarth, Jill Rutter and Guntram B. Wolff Topic: European Macroeconomics & Governance Location: Bruegel, Rue de la Charité 33, 1210 Brussels Date: July 13, 2018
Read article More on this topic More by this author

Opinion

Ubu ou Machiavel?

L'administration Trump veut imposer une approche transactionnelle des relations économiques gouvernée par le rapport de force bilatéral en lieu et place du contrat multilatéral. Un défi d'une ampleur inédite pour l'Europe.

By: Jean Pisani-Ferry Topic: Global Economics & Governance Date: July 6, 2018
Read about event

Upcoming Event

Sep
3-4
08:30

Bruegel Annual Meetings 2018

The 2018 Annual Meetings will be held on 3-4 September and will feature sessions on European and global economic governance, as well as finance, energy and innovation.

Speakers: Maria Åsenius, Richard E. Baldwin, Carl Bildt, Nadia Calviño, Maria Demertzis, Mariya Gabriel, Péter Kaderják, Joanne Kellermann, Jörg Kukies, Emmanuel Lagarrigue, Philippe Lespinard, Montserrat Mir Roca, Dominique Moïsi, Jean Pierre Mustier, Ana Palacio, Jean Pisani-Ferry, Lucrezia Reichlin, Norbert Röttgen, André Sapir, Jean-Claude Trichet, Johan Van Overtveldt, Margrethe Vestager, Reinhilde Veugelers, Thomas Wieser, Guntram B. Wolff and Georg Zachmann Topic: Energy & Climate, European Macroeconomics & Governance, Finance & Financial Regulation, Global Economics & Governance, Innovation & Competition Policy Location: Brussels Comic Strip Museum, Rue des Sables 20, 1000 Brussels
Read article More on this topic More by this author

Blog Post

US tariffs and China's holding of Treasuries

China has the biggest bilateral trade surplus vis-à-vis the US but is also a top holder of US government bonds. While China has started to counteract US trade tariffs, economists have been discussing the case of China acting on its holdings of US Treasuries. We review recent contributions.

By: Silvia Merler Topic: Global Economics & Governance Date: July 2, 2018
Read about event More on this topic

Past Event

Past Event

Trade war trinity: analysis of global consequences

Analysis of the long-term impact of the trade war and its three key players: EU, US, and China.

Speakers: Alicia García-Herrero, Ignasi Guardans and Carl B Hamilton Topic: Global Economics & Governance Location: Bruegel, Rue de la Charité 33, 1210 Brussels Date: June 28, 2018
Read article More on this topic

Blog Post

China’s strategic investments in Europe: The case of maritime ports

The EU is currently working on a new framework for screening foreign direct investments (FDI). Maritime ports represent the cornerstone of the EU trade infrastructure, as 70% of goods crossing European borders travel by sea. This blog post seeks to inform this debate by looking at recent Chinese involvement in EU ports.

By: Shivali Pandya and Simone Tagliapietra Topic: Global Economics & Governance Date: June 27, 2018
Read article More by this author

Parliamentary Testimony

European Parliament

The potential impact of Brexit on ICT policy

Testimony before the European Parliament's Committee on Industry, Research and Energy (ITRE).

By: J. Scott Marcus Topic: European Parliament, Innovation & Competition Policy, Testimonies Date: June 27, 2018
Read about event More on this topic

Past Event

Past Event

EU-LAC Economic Forum 2018

The second edition of the EU-LAC Economic Forum, a high level gathering for in-depth research-based exchanges on economic issues between European, Latin American and Caribbean (LAC) policy makers and experts.

Speakers: Angel Badillo, Federico Bonaglia, Maria Demertzis, Sylvie Durán, Guillermo Fernández de Soto, Alicia García-Herrero, Elisa Grafulla, Gonzalo Gutiérrez, Bert Hoffmann, Juan Jung, Emilio Lamo de Espinosa, Carlos Malamud, J. Scott Marcus, Neven Mimica, Fabio Nasarre de Letosa, Detlef Nolte, Anne Sperschneider and Guntram B. Wolff Topic: Global Economics & Governance Location: Bruegel, Rue de la Charité 33, 1210 Brussels Date: June 26, 2018
Read about event More on this topic

Upcoming Event

Oct
3
09:00

International trade and the EU-Japan Economic Partnership Agreement

This event; jointly organised by Bruegel and the Graduate School of Economics, Kobe University, will discuss the EU-Japan trade deal and asses its impact.

Speakers: Marco Chirullo, Gabriel Felbermayr, François Godement, Hiroo Inoue, Sébastien Jean, Yoichi Matsubayashi, Tamotsu Nakamura, André Sapir, Cécile Toubeau, Agata Wierzbowska and Guntram B. Wolff Topic: Global Economics & Governance Location: Bruegel, Rue de la Charité 33, 1210 Brussels
Read about event

Upcoming Event

Oct
11-12
20:00

Policy responses for an EU-MENA shared future

In the third edition of the "Platform for Advanced & Emerging Economies Policy Dialogue" we will discuss trade flows and trade policy between Europe and MENA, integration of developing economies into global value chains, and regional energy relations.

Speakers: Karim El Aynaoui and Guntram B. Wolff Location: Rome
Load more posts