Blog Post

Trading invisibles: Exposure of countries to GDPR

This blog post identifies provisions of the EU’s General Data Protection Regulation (GDPR) that affect foreign companies, and discusses implications for trade in services with the EU. The authors provide a novel mapping of countries’ relative exposure to these regulations by a) measuring the digital maturity of their service exports to the EU; and b) the share of these exports in national GDP.

By: and Date: June 28, 2018 Topic: European Macroeconomics & Governance

The General Data Protection Regulation (GDPR) became active on May 25th 2018. It aims to increase the protection of natural persons’ personal data (Art. 1) and to regulate the processing of personal data (Art. 2). We expect trade flows in services to be more affected by these privacy safeguards than trade flows in goods, given their greater dependence on data[1]. We therefore analyse which countries would have to make significant adjustments to their data architecture to prevent a decline in their service exports to the EU.

Two important aspects of GDPR are relevant to service exporters. First, it requires changes in the way companies manipulate personal data. Second, it requires companies to reform management of data transfers with different countries. We will discuss both in turn.

Firstly, GDPR establishes many new requirements for the processing of data within a company, with extra-territorial implications. Indeed, foreign companies established in the EU and companies abroad that collect or process data on EU-based individuals have a new set of regulatory requirements by which they must abide (Art. 3(1) to 3(3)). Therefore, companies with significant commercial interests that rely on personal data from people in the EU are directly affected by GDPR.

In fact, GDPR mandates such companies to undertake a broad set of technical and organisational measures[2]. These requirements are developed to ensure that personal data is processed fairly, transparently, securely and for an explicit and legitimate purpose. These provisions also ensure that the data collected is accurate, is stored only temporarily, and is limited to what is necessary for the stated purposes (Art. 5). Compliance with this new set of regulatory requirements will likely result in higher costs for concerned companies.

Secondly, an additional aspect of GDPR relevant to our analysis relates to the transfers of personal data across companies in different countries. As stated in Article 44, data transfers to a third country and between third countries should not undermine the level of protection established by GDPR.

The regulation, therefore, describes two situations where transfers to a third country are allowed. If the Commission has decided that the third country (wholly or partially) guarantees an adequate level of protection, then transfers of data do not require specific authorisation (Art. 45). Currently, 10 countries have already obtained the status of “full” adequacy for protection of data, in addition to the three EEA countries (Iceland, Liechtenstein and Norway). Adequacy talks are ongoing with Japan and South Korea. Commercial organisations in Canada also have mutual adequacy, as do transfers to the US in the context of the Privacy Shield. If there is no adequacy decision made, a transfer can take place only if the company sets up appropriate safeguards to ensure the level of protection, such as new contractual clauses (Art. 46). These requirements on transfers are an additional compliance burden for service exporters to the EU that are part of a global supply chain.

Although compliance with GDPR is costly, non-compliance could also impose costs in the form of sanctions. These sanctions are designed as administrative fines of up to €20 million or 4% of global turnover (whichever is highest) and are implemented by supervisory authorities in every Member State (Art. 83). As a result, there is a clear enforcement mechanism embedded in the GDPR which incentivises companies to abide by its standards.

Furthermore, since compliance will be costly, GDPR will have an impact on the profitability of doing business with personal data from individuals in the EU. Indeed, foreign companies exporting services to the EU and relying on this personal data for their business processes (such as telecommunications or IT-related services) will have to adapt their data protection approach and, ultimately, will have to upgrade their business models in order to continue trading with the EU, lest they face a fine.

Due to these new regulatory obligations, we can expect the profitability of foreign companies relying on personal data from the EU to be affected. The range of countries concerned is also important. Indeed, the EU imported €0.7 trillion-worth of services from abroad in 2015, 60% of which came from trade partners that have much less than 5% of the total share – as illustrated in Figure 1.

Moreover, countries exporting more data-intensive services to the EU could face greater exposure to the impact of GDPR. To capture this exposure, we first compute an index of the digital maturity (DMX) of a country’s service exports to the EU. This is calculated by the following ratio where subscripts i and j refer to country and service sector respectively.

Dependence on data flows for a service sector is proxied with the importance of investment in software in that service sector (softinvest) provided in the OECD’s Science, Technology and Industry Scoreboard 2017. Based on this measure, we can rank service sectors according to the software intensity of their production technologies. We then use data on service exports of 31 non-EU countries to the EU (servexports) extracted from Eurostat Balance of Payments for the year 2015. These values cover services supplied via modes one (cross-border supply), two (consumption abroad) and four (presence of natural persons).

The underlying logic of using the DMX index is that countries exporting digitally mature services to the EU (such as finance and insurance services) face greater urgency in adopting the EU’s data protection regulations. Variation in the DMX index across countries stems from exploiting two dimensions of heterogeneity: Firstly, countries export different services to the EU (see Figure 2) and secondly, service sectors differ in their dependence on data.

Countries whose service exports to the EU constitute a greater share of their GDP are likely to be more exposed to the new EU regulatory constraints than others. Hence, we calculated the ratio of total service exports to the EU against the annual GDP for every country in our sample. Data on GDP for the same year was obtained from the IMF’s World Economic Outlook tables.

All in all, countries that a) export services extensively to the EU; and b) export more digitally mature services to the EU, face higher exposure to GDPR. The scatter plot in Figure 3 provides an informative visual representation of this concept. Countries are coloured by their current adequacy status. Movement from the bottom left to the upper right corner in this ‘heatmap’ can be understood as an increase in a country’s GDPR exposure.

As we can draw from Figures 2 and 3, the GDPR compliance of Switzerland, Liechtenstein and the US (limited to the Privacy Shield) is critical considering that these countries export data-intensive services relatively extensively to the EU.

In addition, India appears to be comparatively more exposed than China – an observation that is not obvious from simply comparing the magnitude of their total service sector exports to the EU. A 46.04% share of India’s exports to the EU comprises “Other business services” (legal, accounting, R&D, consultancy etc.) and “Telecommunications, computer and information services” (20.5%). Both services categories are digitally mature as measured by software investments. For China, these sectors respectively comprise 42.8% and 3.15% of total service exports to the EU. Hence, making certain to account for the rich variation both in countries’ service export baskets to the EU and in digital maturity across services is key to understanding the differential implications for countries arising from GDPR.

The high levels of exposure of Singapore and Hong Kong suggests that alignment with EU’s data protection norms will be important for their services trade moving forward as they currently do not have adequacy status.

We also observe that the DMX value for Japan (0.543) is nearly double that of South Korea (0.285). Hence, the successful completion of ongoing negotiations on GDPR may be more critical for service trade with Japan, in comparison to South Korea.

Finally, Turkey is an important service provider to the EU. However, travel-related services comprise nearly 53% of its service exports – as can be seen in Figure 2. Since this sector is relatively low on digital maturity, one can expect service trade with Turkey to be less disrupted by new privacy regulations in the EU.

What will be the implications of GDPR for the UK following Brexit? In 2015, the UK exported nearly €140 billion of services to the EU27, placing it as the second largest service provider to the EU behind the US (€170 billion) and before Switzerland (€66 billion).

The UK’s service exports to the EU are mainly within two categories of digitally mature industries – namely, finance and business services (including R&D, legal, professional services etc.). They account for 56% of the total services sold to the EU (House of Commons Briefing Paper). Given the volume and composition of these service exports, the harmonisation of data protection standards with the EU will be crucial for the UK.

In a Notice to Stakeholders in January 2018, the European Commission stated that the UK would have ‘third country’ status for GDPR (i.e. non-EU and non-EEA) after Brexit. In order to maintain uninterrupted data transfers, the UK would require an adequacy decision from the EU or firms would need to adopt contractual safeguards. Since adequacy talks can take several months, the consequent regulatory uncertainty may adversely affect the UK’s service exports to the EU. However, the recent modernisation of the UK’s privacy framework under the Data Protection Act (DPA) 2018 could facilitate matters.

In this blog post, we have analysed the implications of GDPR for trade in services. However, GDPR may have far-reaching consequences for trade in goods with the EU as well – for example, services such as R&D, software and engineering that are embedded in manufacturing exports are digitally mature. The growing share of value added by such service sectors in the final output of manufacturing industries hence constitutes an additional channel through which countries may be exposed to the GDPR. In conclusion, GDPR will have different implications for different trade partners of the EU. While the range of countries concerned by GDPR is broad, some countries should feel more concerned than others. This heterogeneity of impact should inform EU policy-makers in their efforts to make GDPR the global standard for personal data protection.

[1] Based on the intensity of software investment per sector, provided by OECD Science, Technology and Industry Scoreboard (2017).

[2] These are detailed in Articles 24, 25, 27, 28, 30, 32, 35 and 37.


Republishing and referencing

Bruegel considers itself a public good and takes no institutional standpoint. Anyone is free to republish and/or quote this post without prior consent. Please provide a full reference, clearly stating Bruegel and the relevant author as the source, and include a prominent hyperlink to the original post.

View comments
Read article More on this topic

Blog Post

Competing Globally: Europe’s Debate Over Trade and Sovereignty

This blog is part of a series following the 2019 Bruegel annual meetings, which brought together nearly 1,000 participants for two days of policy debate and discussion.

By: Jean Pisani-Ferry and Rebecca Christie Topic: Global Economics & Governance Date: September 12, 2019
Read about event More on this topic

Past Event

Past Event

EU-Singapore relations in a global context

At this event Minister S. Iswaran and Commissioner Malmström will discuss Singapore-EU relations, following the signing of a FTA in 2018 and in the context of the global situation.

Speakers: S. Iswaran, Cecilia Malmström and André Sapir Topic: Global Economics & Governance Location: Bruegel, Rue de la Charité 33, 1210 Brussels Date: September 11, 2019
Read about event

Past Event

Past Event

China-EU investment relations: Exploring competition and industrial policies

This is a closed-door workshop jointly organised by MERICS and Bruegel looking at China-EU investment relations.

Speakers: Miguel Ceballos Barón, Alicia García-Herrero, Mikko Huotari, Yi Huang and Xu Sitao Topic: Finance & Financial Regulation, Global Economics & Governance Location: Bruegel, Rue de la Charité 33, 1210 Brussels Date: September 9, 2019
Read article More on this topic More by this author

Blog Post

Truths about Trade: A speech by Cecilia Malmström

Cecilia Malmström, European Commissioner for Trade, talks on the truths of EU trade at the Bruegel Annual Meetings 2019.

By: Cecilia Malmström Topic: Global Economics & Governance Date: September 4, 2019
Read article More on this topic More by this author

Podcast

Podcast

Backstage at BAM19: Europe's trade policy

Backstage at the Bruegel Annual Meetings, Giuseppe Porcaro talks with André Sapir on European trade policy.

By: The Sound of Economics Topic: Global Economics & Governance Date: September 4, 2019
Read article More on this topic More by this author

Opinion

Dousing the Sovereignty Wildfire

In time, the current spat between French President Emmanuel Macron and his Brazilian counterpart Jair Bolsonaro regarding the Amazon rainforest may become a mere footnote. But other rows between collective and national interests are sure to erupt, and the world needs to find a way to manage them.

By: Jean Pisani-Ferry Topic: European Macroeconomics & Governance Date: September 3, 2019
Read article More by this author

Opinion

The Coming Clash Between Climate and Trade

The new leaders of the European Union, who have relentlessly championed open markets, will, ironically, likely trigger a conflict between climate preservation and free trade. But this clash is unavoidable, and how Europe and the world manage it will help to determine the fate of globalisation, if not that of the climate.

By: Jean Pisani-Ferry Topic: Energy & Climate, Global Economics & Governance Date: August 1, 2019
Read article More on this topic More by this author

Opinion

A reflection on the Mercosur agreement

The EU accepts the deal because it is worried about the catastrophic scenario of a world without the WTO.

By: Alicia García-Herrero Topic: Global Economics & Governance Date: July 26, 2019
Read article More on this topic More by this author

Blog Post

The consequences of Switzerland’s lost equivalence status

Due to a spat between the European Commission and the government of Switzerland over the negotiation of an institutional framework agreement, equity securities that are listed on Swiss exchanges are banned from being traded on stock exchanges in the European Union. This blog post reviews the background of this incident and assesses the consequences for companies listed in Switzerland as well as EU investors investing in Swiss equity securities.

By: Michael Baltensperger Topic: European Macroeconomics & Governance Date: July 25, 2019
Read about event More on this topic

Past Event

Past Event

The 4th industrial revolution: opportunities and challenges for Europe and China

What is the current status of EU-China relations concerning innovation, and what might their future look like?

Speakers: Elżbieta Bieńkowska, Chen Dongxiao, Patrick Child, Eric Cornuel, Maria Demertzis, Ding Yuan, Luigi Gambardella, Jiang Jianqing, Frank Kirchner, Pascal Lamy, Li Mingjun, Gwenn Sonck, Gerard Van Schaik, Reinhilde Veugelers, Wang Hongjian, Guntram B. Wolff, Xu Bin, Zhang Hongjun and Zhou Snow Topic: Global Economics & Governance Location: Bruegel, Rue de la Charité 33, 1210 Brussels Date: July 12, 2019
Read article More on this topic More by this author

Opinion

Brexit banking exodus creates a dilemma for Dublin

Irish consumers’ interests may not coincide with the needs of banks relocating here.

By: Rebecca Christie Topic: Finance & Financial Regulation Date: July 10, 2019
Read article More on this topic More by this author

Blog Post

Where Brexit goes, the law shall follow

How the financial industry and the law firms that support it are preparing for what comes next

By: Rebecca Christie Topic: European Macroeconomics & Governance Date: June 25, 2019
Load more posts