The General Data Protection Regulation (GDPR) is the EU’s stringent regulation to protect consumers’ personal data. Implemented in May 2018, the regulation imposes strict requirements in collecting, processing, and transferring personal data of EU residents. The unprecedented scale and scope of GDPR make it the most important privacy policy since the commercialisation of the internet in the 1990s. It has inspired a wave of privacy regulations in countries such as Brazil, India, Japan, and South Korea. The US is also considering federal privacy regulation to harmonize state privacy laws, led by California (Goldberge et al. 2019).
How did GDPR affect the internet economy? News reports, opinion pieces, and ‘white papers’ point towards costly investments for business, as well as unanticipated consequences. Yet, neither systematic data collection, nor analysis of a census of experiences, informs the headlines.
Research has begun to fill this gap. Evidence suggests significant short-run costs associated with implementation of GDPR. Studies have reported that GDPR has led to a decline in page views, visits, and revenue (Goldberg et al. 2019), a decline in websites’ use of web technology vendors, and a movement away from smaller vendors (Johnson and Shriver 2019). Researchers have also found reduced venture capital investment in European technology startups, especially from distant investors (Jia et al. 2018, 2019). With one exception (Iordanou et al. 2018), which found little change in the geographic distribution of web tracking data, studies to date suggest GDPR has significantly altered the operation of the internet.
These studies focus on the most visible consequences and leave much unexamined below the surface. The internet was designed with a four-layer abstraction: application, transport, internet, and link (Figure 1). Processes in each layer handle requests from layers above and communicate with remote processes at the same layer using layers below. This allows each layer to develop and operate independently. All studies to date have examined only the application layer. How much did GDPR affect investment in growth and the interconnection at the internet layer? This layer comprises thousands of independently owned, managed, and operated networks where networks voluntarily exchange data via bilaterally negotiated agreements.
Figure 1 Four layers of the internet
If the demand for, and usage of, data at the application layer alters investment, then it should alter incentives to interconnect at the internet layer, and bilateral bargaining between network operators ought to change. This is the prediction of the standard economic model of interconnection (e.g. Besen et al. 2001); it also accords with standard practices. Interconnection agreements can be as short as one month or as long as multiple years. Even multiple-year agreements are usually renegotiated yearly. Another common practice in the transit market is to use extremely short-term agreements (Norton 2014). In many cases, setting up an interconnection may simply utilise existing assets, such as configuring an existing port or purchasing circuits between their existing points-of-presences. If GDPR shapes interconnection behaviour, the extent of an effect is an empirical question.
In a recent paper (Zhuo et al. 2019), we examine this topic using data collected by the Center of Applied Internet Data Analysis (CAIDA) at the University of California, San Diego. The data used represent the state-of-the-art methodology for third-party inference of the presence of interconnection agreements, based on large collections of raw data on global network and IP address level topology of the internet. (The datasets are publicly accessible through CAIDA’s website at http://www.caida.org/data/overview/.)
A crucial fact emerges quickly from these data and frames our study: the number of interconnection agreements around the globe has been growing for years. If GDPR affected interconnection, it had to affect the rate of growth of interconnection. That frames the research question: after the implementation of GDPR, do the data indicate slower growth of new interconnection in the countries in the European Economic Area (EEA) compared with other countries with similar economies?
We employ a difference-in-difference approach, classifying networks in countries in the world into three groups. The ‘treatment’ group are in the EEA, as GDPR predominantly affects data-processing organisations located within the EEA. We compare behaviour in this first group with behaviour in a ‘control’ group, comprised of networks owned by organisations headquartered in non-EEA OECD countries. This is a relevant comparison because – as confirmed by data – networks in developed countries have similar growth rates of interconnection prior to GDPR. The final group are networks in non-EEA non-OECD countries and territories. These networks are predominantly in developing countries and grow at different rates in comparison to more developed countries prior to GDPR – again, confirmed in the study.
We perform every difference-of-difference of potential interest. The details take considerable effort to explain and execute, so we recommend reading our paper for the complete story. Here we summarise. Despite evidence of significant effects at the application layer, we find no evidence of consequences at the internet layer. Across multiple measures, we observed no measurable effects of GDPR on interconnection topology at the network level. Networks in the EEA grow at a rate similar to networks in non-EEA OECD countries in terms of the number of interconnecting parties and types of agreements reached. The observed numbers of IP address-level interconnection points between each pair of interconnecting networks are also unaffected. We also find economically small effects of GDPR on the entry and the number of networks. Overall, we reject the hypothesis that the negative impact of GDPR at the application layer has thus far propagated to the internet layer.
Figure 2a and 2b (from Figure 4 of Zhuo et al. 2019) gives illustrative examples. The figures compare the total number of agreements in the EEA countries and in the non-EEA OECD countries, holding fixed the counterparties. Figure 2a uses networks in EEA countries as the counterparty, while Figure 2b uses networks in non-EEA-OECD countries as the counterparty. We also examined networks in non-EEA non-OECD countries as the counterparty, and got similar results. Two bars indicate key dates: when GDPR was approved (14 April 2016) and implemented (25 May 2018).
Figure 2a Number of interconnection agreements by networks, comparing EEA and non-EEA OECD countries, counterparty within EEA countries
Figure 2b Number of interconnection agreements by networks, comparing EEA and non-EEA OECD countries, counterparty within non-EEA OECD countries
Formal statistical tests confirm the visible patterns. EEA countries have more agreements with EEA countries than with non-EEA OECD countries, and vice versa for non-EEA OECD countries. Despite the differences in levels, EEA countries and non-EEA OECD countries exhibit remarkable parallel trends in setting up agreements with counterparties.
A number of possible reasons could have contributed to this finding. First, the lack of discernible short-run effect could have arisen from slow investment and behavioural changes at the internet layer. This seems unlikely because we observe continued growth across all network connections. Second, it is possible that the effect is small, overwhelmed by many other factors contributing to growth. We cannot rule out this explanation. Third, these measurements do not capture traffic volumes, which could change even as the number of interconnections remains unchanged. Finally, we only observe the short run, so we cannot rule out that more gradual changes due to GDPR may surface in the longer run.
Our results also speak to the debate on the allocation of rents generated through the successful commercialisation of the internet. The enormous rents associated with the exploitation of Web 2.0 and mobile web represent a large portion of the private returns to innovation in the 21st century. These rents have been overwhelmingly captured by players at the application layer, notably the ‘big tech’ content and service companies. Our study is consistent with the view that the costs of GDPR have been borne by the application layer, paid out of the rents from innovation.
References
Besen, S, P Milgrom, B Mitchell, and P Srinagesh (2001), “Advances in Routing Technologies and Internet Peering Agreements”, American Economic Review 91(2): 292-296.
Goldberg, S, G Johnson, and S Shriver (2019), “Regulating Privacy Online: The Early Impact of the GDPR on European Web Traffic & E-Commerce Outcomes.” available at SSRN 3421731.
Iordanou, C, G Smaragdakis, I Poese, and N Laoutaris (2018), “Tracing Cross Border Web Tracking”, in Proceedings of the Internet Measurement Conference 2018, ACM, pp. 329-342.
Jia, J, G Z Jin, and L Wagman (2018), “The Short-Run Effects of GDPR on Technology Venture Investment”, NBER Working Paper No. w25248.
Jia, J, G Z Jin, and L Wagman (2019), “GDPR and the Localness of Venture Investment”, Available at SSRN 3436535.
Johnson, G A and S K Shriver (2019), “Privacy & Market Concentration: Intended & Unintended Consequences of the GDPR”, Available at SSRN 3477686.
Norton, W B (2014) The 2014 Internet Peering Playbook: Connecting to the Core of the Internet, DrPeering Press.
Zhuo, R, B Huffaker, KC claffy, and S Greenstein (2019), “The Impact of the General Data Protection Regulation on Internet Interconnection”, NBER Working Paper 26481.
