Investment in European startups has dropped by 36% compared to American or other global startups since the rollout of GDPR.At least, that’s what the data shows in a report published in the academic journal Marketing Science this month.
The new report, titled “The Short-Run Effects of the General Data Protection Regulation on Technology Venture Investment,” uses commercial investment data from Crunchbase and VentureXpert, an investment data base owned by Thomson Reuters, to track startup investments from the two years before and after the enactment of GDPR.
Liad Wagman, one of the three authors and an economics professor at the Illinois Institute of Technology, said he previously studied the venture investment of the Gramm-Leach-Bliley Act, a US law signed in 1999 that required financial institutions to disclose how personal data was collected and shared when customers signed up for loans, insurance and investment advice.
The venture capital investment totals are a proxy for innovation, Wagman said. “It begins with the idea of where the entrepreneurial energy and investment dollars are going after GDPR.”
The aggregate number of startup investments dropped by about a third in the EU after the GDPR became law. The US and the rest of the world saw slight increases in the average number of deals per month.
Overall investment totals showed starker disparities. The EU remained flat while American and other global companies saw gains of 50% from 2017 to 2018.
There are some bright spots within the EU investment scene. The study breaks investments into three categories: Healthcare and life sciences, information technology, and nonhigh tech. The biggest drop-offs came from healthcare companies and mature startups that would be looking for larger late-round funding, as opposed to seed stage or angel investments, Wagman said.
And while the aggregate trend is down for EU investments, European startups that focus on “privacy,” “security” and “data security” saw 50% more investments per month following GDPR’s announcement; American data security and privacy startups increased in the US and rest of world too, but less than in Europe.
“Privacy and security are potential long-term countervailing effects here,” Wagman said “we are seeing that increase our data for that particular niche.”
For now, however, the total number of privacy-related or data security investments isn’t enough to balance out investor pullback in other verticals.
Wagman hypothesized there would be a decline in overall EU investment based on his previous research. Financial product investment declines followed the Gramm-Leach-Bliley Act, which switched from default customer consent to an opt-in consented model. The higher barrier to entry and the potential repercussions for a violation can dampen investor enthusiasm.
An early warning sign before GDPR became law in 2018, he said, was when major platforms including Google, Amazon, Facebook, Apple and Shopify started to change data privacy and security rules, sometimes at the expense of startup revenue.
Unfortunately for European entrepreneurs, the effects aren’t limited to just the two years following the enactment of GDPR. Wagman said he and his co-authors have a continuation of this study that tracks investments through the end of last year.
The pace of investment in the EU dropped by half in late 2019 and 2020, following COVID-19 lockdowns. In the US, investments decreased sharply immediately after the pandemic struck but bounced back over the course of 2020, while EU venture capital remained stuck in neutral.
“I did expect an effect of innovation,” Wagman said. “But not for the effect to be so substantial.”