GDPR backfires spectacularly


A year ago, you opened your inbox to an avalanche of emails from companies warning you about this new “GDPR” thing, explaining how they did a tremendous job so far protecting your privacy and asking you for permission to keep using your data.

The General Data Protection Regulation launched last May in Europe with the goal of stopping tech giants and their partners from pressuring consumers to relinquish control of their data in exchange for services, and of ending the privacy discussion once and for all.

But as with most regulations, it didn't reduce Facebook and Google's dominance. It had the exact opposite consequence: it made competition harder for new startups and reduced capital flow and liquidity for small players.

Of course, regulators are baffled by this.

When Věra Jourová, the EU’s justice commissioner, traveled to California to meet with Google and Facebook last fall, she was expecting to get an earful from concerned executives. Instead, she realized they already had the situation under control.

“They were more relaxed, and I became more nervous. They have the money, an army of lawyers, an army of technicians and so on.”

No shit, Sherlock. Who would’ve guessed that it would make big tech giants even bigger? Literally everyone.

How GDPR stifles competition

The great thing about the internet is that the cost of starting up a company has dramatically gone down over the past 20 years.

Now thanks to GDPR compliance costs, that might change.

Microsoft put 1,600 engineers to work on GDPR, and Google calculates it spent hundreds of years of human time complying with GDPR.

The startup I was working with at the time spent months of engineering hours complying with GDPR instead of servicing customers.

How absurd is that?

GDPR is transforming the European internet game into an expensive, pay-to-play model that even huge US-based media companies are struggling to participate in.

On top of the compliance cost, GDPR is taking revenue away from small ad vendors, and funneling it toward, you guessed it, Google.

Days before the law’s arrival on May 25, Google told ad vendors using its products they would be blocked from targeting any user who hadn’t given specific consent to the vendors AND to each of their partners.

Unlike Google, these ad tech firms have no direct relationship with consumers, which means that Google forced them to go ask permission from a stranger, or not use Google anymore.

As a result, publishers decided it’s simpler to just stop using smaller ad-tech companies.

The consequence was that just hours after the law’s enforcement, numerous independent ad exchanges and other vendors watched their ad demand volumes drop between 20% and 40%.

“They are moving their money where there is clear, obvious consent. The huge platforms are really profiting” - Joachim Schneidmadl, COO for Virtual Minds AG.

In the end, Google’s compliance strategy ended up hurting its competitors and redirecting higher demand back to its own marketplace.

Finally, there’s the data portability issue. Article 20 of GDPR (or “Data Portability”) states that:

"The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided."

That sounds great.

Let people export their Facebook data into competing social media services. What could be wrong with that?

The problem is that the term “commonly used” is broadly defined. And when something is broadly defined, it leaves the interpretation up to Mark Zuckerberg.

If Facebook imposes the "commonly used" standard, it would mean that all future competing social media startups would have to slot their products into a Facebook-compatible template.

“Let’s say that 17 years from now someone has a virtual reality social network innovation: does it have to be “exportable” into Facebook and other competitors? It’s hard to think of any better way to stifle innovation.” - Tyler Cowen from Marginal Revolution

If Facebook doesn't impose a standard, then regulators will. But do you really want government to be certifying the “legitimate players” in the market?

In the end, GDPR built a bigger moat around tech giants and forced thousands of startups and small businesses to spend resources complying with asphyxiating regulation that's hurting them.

You know, fun stuff.

How GDPR hurts capital flow across the EU

The second unintended consequence of GDPR was the impact on investment in new and emerging technologies.

Last November, NBER released a paper on the negative post-GDPR effects on EU ventures manifested in the overall dollar amounts raised across funding deals, the number of deals, and the dollar amount raised per individual deal.

"Specifically, our findings suggest a $3.38 million decrease in the aggregate dollars raised by EU ventures per state per crude industry category per week, a 17.6% reduction in the number of weekly venture deals, and a 39.6% decrease in the amount raised in an average deal following the rollout of GDPR."

A back-of-the-envelope calculation suggests that the job losses these ventures may incur are between 3,000 and 30,000 jobs for the young startups in their sample.

But what's even worse is that not only are capital raises in trouble, but acquisitions are as well.

According to a survey by Merrill Corp., GDPR is turning into a stumbling block for mergers and acquisitions involving companies in Europe. 55% of respondents said they had worked on deals that fell apart because of concerns about a target company’s data protection policies and compliance with GDPR.

Not only does GDPR make it harder to compete with Google, but it also reduces the chances of a reward at the end of the road. If liquidity goes down, incentives to build new businesses go down as well.

Regulators suck at second-order consequences

Wasn’t GDPR supposed to “condition” tech giants and help consumers? After all, companies that fail to report breaches involving personal data could face fines of up to 4% of global annual revenue or €20 million ($22.5 million), whichever is higher.

Not only are the fines ridiculously low for tech giants, but these companies are barely complying. Here’s a funny example:

"We notified the IDPC as soon as we established it was considered a reportable breach under GDPR. We had to investigate in order to make that conclusion. And once we did, we let our regulator know within the 72 hr timeframe." - Facebook spokesperson.

Essentially, Facebook took two months to notify customers after one breach, claiming it was still in compliance with GDPR’s 72-hour notification rule because they determined when the 72-hour clock began.

In the end, as with any technology legislation, what actually passed was so far away from the spirit of the regulation and so watered down by lobbying that it did far more to help “big tech” than it did to help us.

While well-intentioned, GDPR has had an unexpected externality: Instead of limiting the reach of the most powerful players operating in the world of data, it has strengthened their position in multiple ways.