That’s bad for patients, who are the citizens the privacy law means to help
In 2016, as people were getting really fed up about finding their personal details in the hands of commercial entities, consumers widely applauded the European Union’s efforts to restore their data privacy. The General Data Protection Regulation aimed to give consumers control over who, if anyone, could collect and use their identifying details, which range from names and birthdates to credit card spending and genetic makeup. At the time, the GDPR was the world’s most comprehensive and strictest commercial regulation around collecting, storing, using and sharing personal data.
In the decade since, economists have found some evidence that the GDPR inadvertently reduced new commercial ventures and product development, impeded research collaborations and possibly disadvantaged small firms.
A working paper highlights and expands on these unintended consequences by looking at how the regulation affected drug development, a field that collects and shares a lot of personal data. One might have expected a favorable result — more willing clinical trial participants because EU citizens knew, under GDPR, their data would be kept safe.
But pharmaceutical companies most exposed to the GDPR ran about 18% fewer Phase II clinical drug trials after it took effect in 2018, according to the working paper by University of California Santa Barbara’s Sukhun Kang and UCLA Anderson’s Jennifer Kao. (They defined “most exposed firms” as those with greater research activity in Europe before the regulation.) The effect, they found, “was immediate and persistent.”
Younger Firms Suffer
Overall, clinical trials under GDPR requirements studied fewer diseases than in the previous era, the study finds. GDPR-regulated trials took longer and were less likely to reach completion. Companies also reduced the number of sites in the EU they used for clinical trials under the new regulations.
Perhaps to limit compliance costs around sharing personal data, drug developers formed fewer new collaborations under the GDPR, the findings suggest. But they increased collaborations with existing partners, a strategy that essentially squeezed young firms out of potentially lucrative partnerships.
There’s no indication that this issue — or slower innovation, or high compliance costs or any other GDPR fallout suffered by industry — has made consumers interested in toning down the regulation. A series of surveys by the EU continues to show that its citizens want “a high level of data protection and stringent implementation.” Their frustrations, one report notes, are aimed squarely at industry itself: “…citizens indicate irritation with industry’s haphazard implementation of their data protection and privacy expectations.”
With the GDPR, individuals throughout the EU gained the right to access, correct, delete and block use of their personal data. Companies — any firm that offered goods or services to EU residents — gained the responsibility of enabling those personal rights. These include, for example, responding in a timely manner to consumer requests to correct, delete or otherwise exercise those rights over their data, and reporting data breaches to affected individuals.
Europe’s Bigger Penalties for Noncompliance
The new regulation also dictated how companies should collect, and maintain the privacy of, any personal data they hold. Its requirements included creating new processes and new positions for securing data, even after companies share it with others, including collaborators. Transferring personal data to a firm or organization without an “adequate level of data protection” is, effectively, illegal.
The regulation effectively raised costs for collecting, managing and using personal data by about 20%, according to a 2024 working paper out of the Chicago Fed. Large potential fines make noncompliance even costlier. For example, the cost of not reporting a data breach within 72 hours: a fine of up to 20 million Euros ($23.8 million, as of this writing), or 4% of the firm’s global annual revenue for the previous year, whichever is greater.
Generally, large pharmaceutical companies have fared much better than small firms under GDPR, although they, too, significantly reduced the scale and scope of their clinical trials, according to the study. While collaborations at large firms dropped slightly, small firms saw a significant reduction in development partnerships and the drug trials they enable.
Consumers also have felt some unintended consequences of the GDPR. Those annoying pop-ups on websites demanding acceptance of a privacy policy to gain access, for example, are meant to comply with clear and informed consent requirements for tracking visitors or sharing any personal data collected by a site. Whether the text is clear, informative or even concise enough to digest without expertise is often up for debate.
Featured Faculty
Jennifer Kao
Assistant Professor of Strategy
About the Research
Kang, S. & Kao, J. (2025). Data Privacy Regulation and Innovation.
Jia, J., Jin, G.Z., & Wagman, L. (2021). The Short-Run Effects of the General Data Protection Regulation on Technology Venture Investment. Marketing Science, 40(4), 661–684. https://doi.org/10.1287/mksc.2020.1271
Lalova-Spinks, T., Valcke, P., Ioannidis, J.P.A., & Huys, I. (2024). EU-US Data Transfers: An Enduring Challenge for Health Research Collaborations. npj Digital Medicine, 7(1), 215. https://doi.org/10.1038/s41746-024-01205-6
Geradin, D., Karanikioti, T., & Katsifis, D. (2021). GDPR Myopia: How a Well-Intended Regulation Ended Up Favouring Large Online Platforms – The Case of Ad Tech. European Competition Journal, 17(1), 47–92. https://doi.org/10.1080/17441056.2020.1848059
Demirer, M., Hernandez, D. J. J., Li, D., & Peng, S. (2024). Data Privacy Laws and Firm Production: Evidence from the GDPR. Federal Reserve Bank of Chicago.