Blog Post

Trading invisibles: Exposure of countries to GDPR

This blog post identifies provisions of the EU’s General Data Protection Regulation (GDPR) that affect foreign companies, and discusses implications for trade in services with the EU. The authors provide a novel mapping of countries’ relative exposure to these regulations by a) measuring the digital maturity of their service exports to the EU; and b) the share of these exports in national GDP.

By: and Date: June 28, 2018 Topic: European Macroeconomics & Governance

The General Data Protection Regulation (GDPR) became active on May 25th 2018. It aims to increase the protection of natural persons’ personal data (Art. 1) and to regulate the processing of personal data (Art. 2). We expect trade flows in services to be more affected by these privacy safeguards than trade flows in goods, given their greater dependence on data[1]. We therefore analyse which countries would have to make significant adjustments to their data architecture to prevent a decline in their service exports to the EU.

Two important aspects of GDPR are relevant to service exporters. First, it requires changes in the way companies manipulate personal data. Second, it requires companies to reform management of data transfers with different countries. We will discuss both in turn.

Firstly, GDPR establishes many new requirements for the processing of data within a company, with extra-territorial implications. Indeed, foreign companies established in the EU and companies abroad that collect or process data on EU-based individuals have a new set of regulatory requirements by which they must abide (Art. 3(1) to 3(3)). Therefore, companies with significant commercial interests that rely on personal data from people in the EU are directly affected by GDPR.

In fact, GDPR mandates such companies to undertake a broad set of technical and organisational measures[2]. These requirements are developed to ensure that personal data is processed fairly, transparently, securely and for an explicit and legitimate purpose. These provisions also ensure that the data collected is accurate, is stored only temporarily, and is limited to what is necessary for the stated purposes (Art. 5). Compliance with this new set of regulatory requirements will likely result in higher costs for concerned companies.

Secondly, an additional aspect of GDPR relevant to our analysis relates to the transfers of personal data across companies in different countries. As stated in Article 44, data transfers to a third country and between third countries should not undermine the level of protection established by GDPR.

The regulation, therefore, describes two situations where transfers to a third country are allowed. If the Commission has decided that the third country (wholly or partially) guarantees an adequate level of protection, then transfers of data do not require specific authorisation (Art. 45). Currently, 10 countries have already obtained the status of “full” adequacy for protection of data, in addition to the three EEA countries (Iceland, Liechtenstein and Norway). Adequacy talks are ongoing with Japan and South Korea. Commercial organisations in Canada also have mutual adequacy, as do transfers to the US in the context of the Privacy Shield. If there is no adequacy decision made, a transfer can take place only if the company sets up appropriate safeguards to ensure the level of protection, such as new contractual clauses (Art. 46). These requirements on transfers are an additional compliance burden for service exporters to the EU that are part of a global supply chain.

Although compliance with GDPR is costly, non-compliance could also impose costs in the form of sanctions. These sanctions are designed as administrative fines of up to €20 million or 4% of global turnover (whichever is highest) and are implemented by supervisory authorities in every Member State (Art. 83). As a result, there is a clear enforcement mechanism embedded in the GDPR which incentivises companies to abide by its standards.

Furthermore, since compliance will be costly, GDPR will have an impact on the profitability of doing business with personal data from individuals in the EU. Indeed, foreign companies exporting services to the EU and relying on this personal data for their business processes (such as telecommunications or IT-related services) will have to adapt their data protection approach and, ultimately, will have to upgrade their business models in order to continue trading with the EU, lest they face a fine.

Due to these new regulatory obligations, we can expect the profitability of foreign companies relying on personal data from the EU to be affected. The range of countries concerned is also important. Indeed, the EU imported €0.7 trillion-worth of services from abroad in 2015, 60% of which came from trade partners that have much less than 5% of the total share – as illustrated in Figure 1.

Moreover, countries exporting more data-intensive services to the EU could face greater exposure to the impact of GDPR. To capture this exposure, we first compute an index of the digital maturity (DMX) of a country’s service exports to the EU. This is calculated by the following ratio where subscripts i and j refer to country and service sector respectively.

Dependence on data flows for a service sector is proxied with the importance of investment in software in that service sector (softinvest) provided in the OECD’s Science, Technology and Industry Scoreboard 2017. Based on this measure, we can rank service sectors according to the software intensity of their production technologies. We then use data on service exports of 31 non-EU countries to the EU (servexports) extracted from Eurostat Balance of Payments for the year 2015. These values cover services supplied via modes one (cross-border supply), two (consumption abroad) and four (presence of natural persons).

The underlying logic of using the DMX index is that countries exporting digitally mature services to the EU (such as finance and insurance services) face greater urgency in adopting the EU’s data protection regulations. Variation in the DMX index across countries stems from exploiting two dimensions of heterogeneity: Firstly, countries export different services to the EU (see Figure 2) and secondly, service sectors differ in their dependence on data.

Countries whose service exports to the EU constitute a greater share of their GDP are likely to be more exposed to the new EU regulatory constraints than others. Hence, we calculated the ratio of total service exports to the EU against the annual GDP for every country in our sample. Data on GDP for the same year was obtained from the IMF’s World Economic Outlook tables.

All in all, countries that a) export services extensively to the EU; and b) export more digitally mature services to the EU, face higher exposure to GDPR. The scatter plot in Figure 3 provides an informative visual representation of this concept. Countries are coloured by their current adequacy status. Movement from the bottom left to the upper right corner in this ‘heatmap’ can be understood as an increase in a country’s GDPR exposure.

As we can draw from Figures 2 and 3, the GDPR compliance of Switzerland, Liechtenstein and the US (limited to the Privacy Shield) is critical considering that these countries export data-intensive services relatively extensively to the EU.

In addition, India appears to be comparatively more exposed than China – an observation that is not obvious from simply comparing the magnitude of their total service sector exports to the EU. A 46.04% share of India’s exports to the EU comprises “Other business services” (legal, accounting, R&D, consultancy etc.) and “Telecommunications, computer and information services” (20.5%). Both services categories are digitally mature as measured by software investments. For China, these sectors respectively comprise 42.8% and 3.15% of total service exports to the EU. Hence, making certain to account for the rich variation both in countries’ service export baskets to the EU and in digital maturity across services is key to understanding the differential implications for countries arising from GDPR.

The high levels of exposure of Singapore and Hong Kong suggests that alignment with EU’s data protection norms will be important for their services trade moving forward as they currently do not have adequacy status.

We also observe that the DMX value for Japan (0.543) is nearly double that of South Korea (0.285). Hence, the successful completion of ongoing negotiations on GDPR may be more critical for service trade with Japan, in comparison to South Korea.

Finally, Turkey is an important service provider to the EU. However, travel-related services comprise nearly 53% of its service exports – as can be seen in Figure 2. Since this sector is relatively low on digital maturity, one can expect service trade with Turkey to be less disrupted by new privacy regulations in the EU.

What will be the implications of GDPR for the UK following Brexit? In 2015, the UK exported nearly €140 billion of services to the EU27, placing it as the second largest service provider to the EU behind the US (€170 billion) and before Switzerland (€66 billion).

The UK’s service exports to the EU are mainly within two categories of digitally mature industries – namely, finance and business services (including R&D, legal, professional services etc.). They account for 56% of the total services sold to the EU (House of Commons Briefing Paper). Given the volume and composition of these service exports, the harmonisation of data protection standards with the EU will be crucial for the UK.

In a Notice to Stakeholders in January 2018, the European Commission stated that the UK would have ‘third country’ status for GDPR (i.e. non-EU and non-EEA) after Brexit. In order to maintain uninterrupted data transfers, the UK would require an adequacy decision from the EU or firms would need to adopt contractual safeguards. Since adequacy talks can take several months, the consequent regulatory uncertainty may adversely affect the UK’s service exports to the EU. However, the recent modernisation of the UK’s privacy framework under the Data Protection Act (DPA) 2018 could facilitate matters.

In this blog post, we have analysed the implications of GDPR for trade in services. However, GDPR may have far-reaching consequences for trade in goods with the EU as well – for example, services such as R&D, software and engineering that are embedded in manufacturing exports are digitally mature. The growing share of value added by such service sectors in the final output of manufacturing industries hence constitutes an additional channel through which countries may be exposed to the GDPR. In conclusion, GDPR will have different implications for different trade partners of the EU. While the range of countries concerned by GDPR is broad, some countries should feel more concerned than others. This heterogeneity of impact should inform EU policy-makers in their efforts to make GDPR the global standard for personal data protection.

[1] Based on the intensity of software investment per sector, provided by OECD Science, Technology and Industry Scoreboard (2017).

[2] These are detailed in Articles 24, 25, 27, 28, 30, 32, 35 and 37.


Republishing and referencing

Bruegel considers itself a public good and takes no institutional standpoint. Anyone is free to republish and/or quote this post without prior consent. Please provide a full reference, clearly stating Bruegel and the relevant author as the source, and include a prominent hyperlink to the original post.

View comments
Read article More on this topic More by this author

Blog Post

How could net balances change in the next EU budget?

The gap between payments into the EU budget and EU spending in a particular country has importance when EU spending does not constitute European public goods, or there are risks for their improper use. I estimate that the Juncker Commission’s proposal for the next seven-year budget would lead to big reductions (as a share of GNI) in the net payments to most central European countries, while the changes for other countries seem small

By: Zsolt Darvas Topic: European Macroeconomics & Governance Date: January 23, 2020
Read about event

Upcoming Event

Jan
28
09:30

A post-Brexit agreement for research and innovation

What is the future of EU's and UK's relationship on research and innovation?

Speakers: Adrian Hayday, Philippe Lamberts, Michael Leigh, Clare Moody, Martin Muller, Joe Owen, Jaroslaw Pietras, Uta Staiger, André Sapir, Beth Thompson and Guntram B. Wolff Topic: European Macroeconomics & Governance, Innovation & Competition Policy Location: Bruegel, Rue de la Charité 33, 1210 Brussels
Read article More on this topic More by this author

Podcast

Podcast

Banking after Brexit

Will Brexit damage Britain's financial services industry? Or is talk of its diminished status just a storm in a teacup? The City of London could move closer to Wall Street or it might become "Singapore-on-Thames". Nicholas Barrett talks to Rebecca Christie about banking after Brexit.

By: The Sound of Economics Topic: Finance & Financial Regulation Date: January 16, 2020
Read article More on this topic More by this author

Opinion

Understanding populism

Political identity is a group stereotype. As no camp corresponds exactly to our expectations, we choose the one to which we are closest and which is also the most distant from the ideas we reject

By: Jean Pisani-Ferry Topic: European Macroeconomics & Governance Date: January 2, 2020
Read article More on this topic More by this author

Opinion

The WTO is dead: long live the WTO?

Should the EU fight to save the WTO when the US seeks to dismantle it? We argue that the only way for the EU to decide that is to first understand the US’s strategy (as distinct from its tactics) and then make up its mind in terms of how much of a threat it perceives China to be.

By: Maria Demertzis Topic: Global Economics & Governance Date: December 20, 2019
Read article More on this topic

Blog Post

Lessons from the China-US trade truce

The tentatively agreed deal between China and the United States temporarily stops a dangerous dynamic, yet it falls far short of the negotiating objectives of both sides. US trade policy has become a dominion of the executive branch guided principally by the President’s electoral interests. Meanwhile, China demonstrates its capacity to resist pressure: it will enact structural reforms at its own pace in line with its interests. Sadly, the deal confirms that the United States no longer feels obligated to follow WTO rules, and can induce others to do the same.

By: Uri Dadush and Marta Domínguez-Jiménez Topic: Global Economics & Governance Date: December 19, 2019
Read article More on this topic More by this author

Podcast

Podcast

Appellate Body Politic

This week, the WTO's Appellate Body, the dispute settlement body, became inoperational: it no longer has the necessary number of judges to render verdicts. What does this mean for international trade and multilateralism? Are we now living in a world without dispute settlement? This week, Guntram Wolff is joined by Alan Beattie, the author of the FT's new Trade Secrets newsletter, and Alicia García-Herrero to discuss the crisis of the Appellate Body.

By: The Sound of Economics Topic: Global Economics & Governance Date: December 12, 2019
Read article More by this author

Opinion

Watch out for China’s currency in case of no-deal scenario

The U.S. and China’s negotiations on a phase-one deal seem to have stalled again. The market was already aware of the limited nature of the likely deal, but was still hoping for it. Against this backdrop, the investors have reacted negatively to the increased likelihood of not reaching a deal on December 15. If this is the case, the U.S. will apply additional tariffs on Chinese imports. The obvious question to address, thus, is, what can happen to China under such a scenario?

By: Alicia García-Herrero Topic: Finance & Financial Regulation Date: December 11, 2019
Read article More on this topic More by this author

Podcast

Podcast

Getting post-Brexit trade deals done

The UK goes to the polls on Thursday to decide who (and if) they want to "get Brexit done". But, as soon as Britain leaves, it will have 11 months to agree a trade deal with the EU. Is it possible? Nicholas Barrett is joined by Maria Demertzis and Niclas Poitiers to discuss post-Brexit trade deals with the EU and the USA.

By: The Sound of Economics Topic: European Macroeconomics & Governance Date: December 10, 2019
Read article More on this topic More by this author

Blog Post

High noon at the Appellate Body

This blog post explains the working method of the dispute settlement body, and then discusses the objections the US has raised against the Appellate Body, and the implications of its potential demise.

By: Niclas Poitiers Topic: Global Economics & Governance Date: December 9, 2019
Read article More on this topic More by this author

Opinion

The UK election viewed from continental Europe: Meh

It will take more than the vote on December 12 to make the continent pay attention to the UK. Viewed from the continent, the UK election is one more episode in a Brexit series that “jumped the shark” long ago.

By: Nicolas Véron Topic: European Macroeconomics & Governance Date: November 29, 2019
Read article Download PDF More on this topic

External Publication

Manufacturing employment, international trade, and China

The decline in manufacturing employment is often seen as a major reason for rising inequality, social tensions, and the slump of entire communities. With the rise of national populists and protectionists in recent years, the issue has become even more prominent.

By: Uri Dadush and Abdelaziz Ait Ali Topic: Global Economics & Governance Date: November 28, 2019
Load more posts