Sarah Snelson and Federico Cilauro / Mar 2022
2022 is shaping up to be a critical year for the regulation of data in the European Union, particularly the extent to which companies are able to share data across international borders – a central feature of the modern digital economy.
In February, the European Commission put forward new draft legislation that could effectively limit European companies’ ability to transfer non-personal data abroad. The proposed Data Act requires providers of “data-processing services” to take measures to prevent the international transfer of non-personal data held in the EU where such a transfer would create a conflict with EU or national laws.
Like the General Data Protection Regulation (GDPR), the Data Act leaves it up to each enforcement authority to dictate the compliance steps that companies should take and to set the bar for non-personal data to flow outside Europe. And we have seen an on-going wave of enforcement decisions against personal data flows. The recently announced preliminary data transfer deal between the EU and US may provide greater certainty on personal data. However, at the same time, the Data Act could mean further restrictions to data flows, in particular non-personal data flows, between the EU and most non-EU countries. While the statutory burden of responsibility is on providers of data-processing services, the economic burden of the Act could also be borne by their clients – in principle, any EU company that operates across international borders.
In this context, at Frontier Economics we have recently completed a new study exploring the significance of data flows – particularly of non-personal information – between the EU and non-EU countries and the impact the proposed measures might have. This included surveying 150 European companies with a presence outside the EU who share data across borders.
Two-thirds of the companies surveyed were scale-ups – businesses that have grown by 20% or more annually in the last three years. Scale-ups are of particular interest from a policy perspective because they typically account for 50-60% of new jobs and 40-50% of GDP growth. Indeed, French President Emmanuel Macron has announced €3.5 billion of European investment for scale-ups and hopes Europe will be home to 10 tech giants each valued at more than €100 billion by 2030.
Our survey illustrates the importance of global data flows for European companies. 65% of companies in our sample share data with collaborators and suppliers outside the EU, for example to help manage supply chains.
Similarly, 64% share data with customers outside the EU – this includes rapidly growing scale-ups such as Norway’s Visma which provides cloud computing services to over 1 million customers around the world, as well as European champions such as Philips’s when providing its data services for healthcare professionals, and Volvo when providing its telematics service to trucking companies.
More than 4 out of 5 of companies in our sample share data internally with their offices located outside the EU in order to perform essential functions such as accounting, payroll, R&D and IT.
9 in 10 companies in our sample use software that relies on intensive data sharing, such as customer relationship tools and cloud-based applications.
Restricting data flows could thus have significant financial and operational ramifications. Companies responding to our survey estimated that curbs on non-personal data flows could cost them around 4% of their annual global revenues. For businesses that share data for innovation purposes, the bill could amount to 5% of their annual sales.
Extrapolating the survey results to the wider population of multinationals and scale-ups with an international presence implies a hit to GDP across the EU of almost €80 billion a year, or €560 billion over 2021-2027 – nearly six times more than the EU plans to spend under the Horizon Europe research and innovation programme during the same period.
Businesses would incur extra costs for several reasons. 88% of those surveyed said they would need to make significant short-term changes if they were restricted from sharing non-personal, commercially sensitive data. Over a third would have to ensure greater separation from non-EU sites, reduce cross-border data sharing or hire staff to comply. Two-thirds would need to either redesign their products or re-engineer their processes. 80% of firms using artificial intelligence (AI) said data-sharing curbs would stifle the development of new AI applications.
Frontier’s study looked only at the direct impact of the proposal. In the longer term, companies could be further affected if the EU’s trading partners were to introduce reciprocal measures.
The EU has set ambitious targets for the digitalisation of business as part of its “Digital Decade” initiative. By 2030 it aims to have 75% of EU companies using cloud computing, AI and Big Data. It wants to double the number of EU unicorns – firms valued at €1 billion – by the end of the decade.
For their part, EU policymakers and legislators may want to consider whether curbing international data flows makes sense if Europe is to meet its ambitious digital and industrial objectives. On a continent with precious few tech titans, today’s scale-ups may grow into tomorrow’s unicorns – but only if they are nurtured.