1 Introduction

Unrestrained technology development and economic activity can lead to externalities like pollution or unsafe products. To overcome such market failure, governments resort to regulation; coercive rules to guide firms’ behavior by banning, restricting, mandating, or incentivizing desired/undesired practices. At least initially, regulation is liable to impose additional costs or constraints. This can erode firms’ international competitiveness if it is imposed in just one country. Especially for open, export-oriented economies, this is a legitimate concern. Unsurprisingly, attempts to impose new regulation are regularly accompanied by warnings about detrimental effects on the affected industries.

But while the notion that by imposing higher costs or other complications regulation must necessarily reduce competitiveness remains common in public debate, scholars have shown that its economic effects are more complex. For one, regulation pioneered in one jurisdiction can diffuse to others, thus equalizing the competitive playing field. At least under some conditions, far from rendering the pioneer country uncompetitive as others “race to the bottom,” stringent regulation can spark “races to the top” wherein the most stringent standard becomes the global standard, a phenomenon theorized as the “Brussels” or “California effect” [11, 12, 57]. For another, regulation can induce innovation and create new markets for compliant or compliance-supporting products. If the regulation diffuses globally, this can create export opportunities for the pioneer country, a process theorized as regulation-induced “lead markets” [7, 10, 37].

Both the idea of a “Brussels effect” and regulation-induced “lead markets” have some empirical support. They have also attracted considerable political and policy interest as they seem to offer strategies to profit from global regulatory influence and arguments to defend regulatory initiatives against charges of sapping competitiveness. For example, EU Commission officials repeatedly voiced hopes that the General Data Protection Regulation (GDPR, the “Regulation”) might spark a wave of innovation and privacy-friendly digital technologies built in Europe. This possibility was also discussed in the official Impact Assessment of the Regulation [20].

This chapter argues that these hopes are likely to often be misplaced. The “Brussels effect” is real and regulation can create new markets, but the mechanisms underlying the EU’s global regulatory power are liable to actively weaken the formation of specifically European lead markets and lead suppliers. Paradoxically, the stronger the “Brussels effect,” the lower the likelihood of lead markets and suppliers emerging in the EU, absent supportive policy or especially benign demand and supply conditions.

The GDPR is a good example of this. While the Regulation rapidly became the benchmark for privacy regulation globally and almost single-handedly created a large and rapidly growing market for so-called “privacy tech,” innovative software products to help companies govern their data processing and attain compliance, this market seems to be largely dominated by North American firms and venture capital funds. European vendors have been relegated to the sidelines.

Understanding this paradoxical outcome and how it may vary across different markets, industries, and forms of regulation is important given the EU’s emergence as a regulatory superpower able to shape global rules, and European policymakers’ interest in strengthening the EU’s industrial base.

The chapter is structured as follows. In Sect. 2, the two theories of the “Brussels effect” and regulation-induced lead markets are laid out and the interaction of their underlying causal mechanisms analyzed. Section 3 uses the development of the “privacy technologies” industry in Europe and the United States after 2016 in response to the GDPR as a case study to illustrate how the “Brussels effect” can undermine lead market and supplier formation in Europe. Section 4 discusses policy implications and concludes.

2 The “Brussels Effect” and Regulation-Induced Lead Markets

2.1 “Unilateral Regulatory Globalization”: The “Brussels Effect”

The “Brussels effect” was theorized by Anu Bradford [11, 12]. It draws on earlier debates about whether globalization was leading to regulatory races “to the bottom.” Against critics who argued that globalization was leading to the erosion of standards as countries competing for investment reciprocally lowered regulatory requirements, scholars like David Vogel and Robert Kagan pointed to cases where countries seemed to be “regulating up” and the most demanding regulatory standard, often set in California or Brussels, emerged as the global norm [57, 58].

Bradford expanded these empirical observations into a systematic theory, specifying conditions under which single jurisdictions like the EU could engage in “unilateral regulatory globalization,” that is, “externalize [their] laws and regulations outside [their] borders through market mechanism,” so that their standards became the global standard ([11]: p. 3). Briefly stated, jurisdictions like the EU can do this when four conditions hold: the jurisdiction must (1) have a large domestic market and (2) significant regulatory capacity, (3) the regulation in question must set standards for an “inelastic” (i.e., immobile) target, such as consumer markets, as opposed to elastic/mobile targets (e.g., capital), and (4) the affected firms’ conduct or production must be “nondivisible,” meaning that it is economically unattractive (or impractical) for them to produce or conduct themselves simultaneously according to multiple standards across different jurisdictions. Given these conditions, the jurisdiction’s standard is likely to emerge as the world standard, especially if it is the most demanding standard globally ([11]: p. 5).

The causal mechanism behind this globalization of the most stringent regulatory standard is as follows: most foreign (non-EU) companies will be unwilling to forgo the EU market (condition 1) but also cannot shirk, undermine, or evade the EU’s regulation given EU regulatory capacity (condition 2) and the fact that it regulates conduct in the geographically immobile consumer market (condition 3). At the same time, business economics makes it unattractive to produce to multiple regulatory standards (condition 4). Thus, firms adopt the most stringent standard voluntarily, since by doing so they automatically conform to all weaker standards too. The EU standard thus emerges as the global de facto standard among export-oriented firms (“de facto Brussels effect”).

The compliance costs these non-EU firms incur in order to adapt their production (and/or other practices) to the EU standard in turn incentivize them to lobby their home governments to adopt the EU standard in order to level the playing field vis-à-vis domestic, nonexport-oriented competitors (“de jure Brussels effect”) ([11]: p. 5–6).

Note two implications of this theory. Firstly, the timing of these moves by foreign (non-EU) exporters implicit in the theory: since even temporary noncompliance with the new EU standard would mean loss of access to the EU market, they will adopt compliance measures at the same time as EU firms, that is, immediately upon the regulation’s enactment. Any adjustments to business processes, introductions of new products, or purchases of compliance products will be made at the same time as EU firms. Secondly, the kinds of foreign and domestic firms primarily affected by (and responding to) the regulation: while all domestic (EU) firms active in the regulated field will be affected, among foreign (non-EU) firms, it will primarily be export-oriented companies as only they sell to the EU market. Foreign producers who only address their own domestic market are unaffected by EU regulation. This matters as export-oriented companies are likely to be, on average, larger and relatively more competitive (i.e., better capitalized, higher technological capabilities) than purely domestically oriented firms.

2.2 Regulation-Induced Lead Markets

The notion that regulation might induce the formation of lead markets and lead suppliers derives from the literature on the Porter hypothesis and on lead markets. The former has several variants. Roughly summarized, it suggests that environmental regulation can induce innovation that will improve firms’ competitiveness [45]. While the hypothesis’ validity remains disputed [1], scholars took from it the idea that regulation could spark compliance innovations – either among the regulated firms or among suppliers who provided them with equipment to achieve compliance (e.g., pollution control technology) – that might be of economic value [40, 48, 52].

Research on lead markets was initially mainly concerned with strengthening European competitiveness. Scholars like Meyer-Krahmer and Reger [42] and Beise [4,5,6] sought to define the characteristics of markets in which globally dominant products might emerge to guide industrial policy. This was part of a larger interest in the role of demand-side factors in innovation and industrial policy, and has had a sustained influence on Germany’s “High Tech Strategy” and EU policy.

A “lead market” is commonly understood as the (geographically delimited) market in which internationally successful products are first widely adopted and assume their final shape or “dominant design,” which is then subsequently exported [7, 19, 54, 55]. The structure of demand plays a key role in this concept. Lead markets are those markets where the largest and most sophisticated buyers of the new technology sit – whose requirements for quality and functionality shape the emergent product characteristics – and where aggregate demand for the new technology is sufficiently large as to enable suppliers to develop economies of scale/scope that will yield durable competitive advantage. That is, the lead market is the geographic area where significant volumes of sophisticated demand for the new technology emerge first, giving local suppliers a significant first-mover advantage vis-à-vis companies elsewhere and enabling them to emerge as lead suppliers. (The concept assumes that innovating the new product usually requires suppliers to be located close to their customers.)

Scholars have debated preconditions necessary for a market to emerge as lead market. Of interest here is how these ideas were applied to the case of regulation-induced innovation and how they intersect with the “Brussels effect.” Driven by the observation that (environmental) policies and regulation tend to diffuse globally, from pioneer countries who regulate first, to others, the literature on lead markets and the “Porter hypothesis” were brought together in studies on the potential of regulation to create markets and export success for “eco-innovations” [7, 13, 36, 37, 47, 48, 59].

Scholars theorized that if (1) pioneer country regulation prompted the emergence of compliance innovations, and (2) this regulation subsequently diffused, then (3) pioneer country suppliers who had innovated the necessary compliance equipment to supply their own home market, where the regulation had happened first, could enjoy first-mover advantages and gain export market share [7, 37]. That is, by creating domestic lead markets with export potential, supposedly competitiveness-sapping consumer or environmental regulation might contribute to economic growth. The idea found some empirical support, especially in the case of renewable energy technologies, where industry development seemed to derive from initial market-making home country regulation with subsequent export success as policy diffusion created markets abroad. It proved highly influential especially in the German Environment Ministry [13, 47, 59].

Note three assumptions implicit in this theory. Firstly, timing: there must be a nontrivial time lag between the regulation’s adoption in the pioneer country and its international diffusion. Otherwise, pioneer country suppliers may struggle to build up first-mover advantages vis-à-vis other potential suppliers abroad.

Secondly, low regulatory internationalization: the theory assumes that the main economic area where the regulation unfolds its effects is the regulating jurisdiction’s home market. Prior to diffusion, the firms affected (as targets of regulation or suppliers of compliance equipment) are mostly domestic. At least, the largest and most sophisticated demand for the new compliance products – that will do most to drive innovation and determine technological trajectories – is assumed to be located in the domestic market. In effect, the regulation is assumed to create a sheltered home market where domestic suppliers develop first-mover advantages.

Thirdly, demand-side emphasis: while theorists going back to Meyer-Krahmer and Reger [42] had noted the role of supply-side factors, the theory and related policy actions like the EU Lead Markets Initiative focused on the role of domestic demand in bringing forth domestic supply and then making suppliers internationally competitive.

Impressed by Chinese suppliers’ ability to profit from European renewables mandates, scholars have critiqued this neglect of the supply side. Quitzow et al. [47] point out that while pioneer country regulation may create domestic demand, it does not guarantee that supply will remain domestic. Given free trade, domestic demand can draw in supply from elsewhere if suitable technological and production capabilities exist abroad. Similarly, if a regulation diffuses to other countries with more favorable conditions for technology deployment, then the locus of the developing industry might move too. The pioneer market may thus have to cede lead status to other geographies.

These critiques are important. The argument made here, though, is more fundamental: when the EU sets (de facto) global standards, significant demand for compliance innovations will automatically emerge elsewhere (if the regulated industry is distributed globally), and will do so instantly upon enactment of the regulation, or at least at the same pace as demand emerges in Europe. That is, the logic of the “Brussels effect” vitiates the key assumptions of the regulation-induced lead market idea regarding timing and slow regulatory internationalization. The time lag crucial to the idea – between the development of the home market in the regulating jurisdiction (wherein the domestic suppliers are to develop first-mover advantages) and the development of the global market for their products following regulatory diffusion – may never materialize.

Indeed, if the largest and most sophisticated pools of demand for compliance technologies sit abroad, then the lead market and supply base themselves might emerge abroad, including many of the strongest and technologically most advanced suppliers. This is quite a different phenomenon from that of low-cost emerging economy producers flooding European markets with cheap, essentially commodified products in response to European regulation/subsidies, as occurred in solar. Here, the “Brussels effect” may lead to the most advanced suppliers emerging abroad.

The following sections use a case study of the emergence of “privacy tech” in response to the GDPR to show that these dynamics are not merely hypothetical possibilities.

3 The GDPR and “Privacy Tech”

3.1 The GDPR: Setting Rules for Foreign Technology Companies

Reportedly the single-most lobbied regulation in the EU’s history, the GDPR was first proposed in 2012. Finally enacted in 2016, it entered into force on May 25, 2018. It updates the 1995 Data Protection Directive and creates a comprehensive set of rules for processing personal data.

An important concern was to make the GDPR binding upon foreign (read US) technology companies, which had come to dominate much of the Internet. Thus, Article 3 GDPR specifies that the Regulation applies not only to data controllers and data processors (firms, other organizations) established in the Union but also to controllers and processors located anywhere in the world if they process “personal data of data subjects who are in the Union” in the context of “offering goods or services” to them (including goods or services offered for free) or “monitoring their behavior.” Virtually any online or offline interaction between foreign companies (and other institutions) and individuals located in the European Union is covered by the GDPR, irrespective of whether the foreign entity is physically present in the territory of the Union. It is a prime example of unilateral regulatory globalization by the EU – the de facto extension of European standards to the rest of the world – that is at the heart of the “Brussels effect.”

To incentivize companies to adhere to the GDPR, the Regulation drastically raised the fines that can be imposed for violations. Under the Data Protection Directive, penalties had been set by Member State legislation and rarely amounted to large sums [3, 8, 38]. In Germany, fines prior to 2018 seem to have mostly been in the range of a few thousand euros. Data protection law was widely ignored [38, 41].

This changed with the GDPR, which threatened fines of up to 4% of annual worldwide turnover (Article 83(5)). Regulators signaled that they would enforce the law much more aggressively than before. Within 2 years, British, German, and French authorities had begun to hand out fines as high as several hundred million euros. Unsurprisingly, firms seem to have generally taken GDPR compliance very seriously.

3.2 Regulatory Diffusion

European data protection law, especially the GDPR, has been a remarkable “export success.” As early as 2012, studies showed that globally most data privacy laws have substantially incorporated many key principles of the European laws [25, 26]. The GDPR accelerated this. After it entered into force, laws heavily modeled on the GDPR were enacted in Brazil (2020), California (2018), Thailand (2019), and Tunisia (2018, draft law), among others, and the GDPR has influenced ongoing legislative endeavors in India and Canada [15,16,17,18, 27]. More broadly, the GDPR has substantially shaped global privacy norms, discourse, and expectations, not only among advocates but business leaders, regulators, and policymakers too [49]. In particular with regard to the United States and Canada, several interviewees noted that business tends to treat the GDPR as the baseline for global privacy compliance programs, with additional country-specific rules then bolted on, and that the GDPR was helping to define a new social license to operate (interviews 3 and 9).

3.3 Compliance Tools: “Privacy Tech”

Privacy and data protection are complex, situation-specific concepts. They include aspects of IT security but go far beyond this. Arguably the central concern of data protection law is to protect people from illegitimate use of their data by organizations acting in accordance with their internal (but illegal) rules and objectives, and more broadly to give individuals control over how their data is used. The GDPR, like other privacy laws, tries to accomplish this by mandating extensive process controls (e.g., specifying conditions under which data can be legally processed), transparency requirements, and security measures, and by granting data subjects rights vis-à-vis the data controller.

This makes compliance complex. Aside from ensuring conventional IT security, compliance requires extensive documentation, risk assessments, and implementing processes for data governance (e.g., access rules) and for responding to data subjects’ requests and their exercise of rights. This requires firms to establish a high level of internal transparency and control over their data processing. To be able to comply with the GDPR, they need to have a solid understanding of what data, exactly, is collected, processed, and stored where in the organization, by whom, for what purposes, and for how long, including maintaining accurate metadata. Much anecdotal evidence suggests that prior to the GDPR this was not the case in many organizations. Compliance is complicated further by the GDPR’s broad definition of “personal data” (cf. Art. 4(1) GDPR), the rapidly growing size and complexity of corporate data sets, and the fact that key principles of the GDPR run counter to data management practices hitherto prevalent. How challenging compliance can be is underscored by a survey suggesting that even in 2020 only 57% of German firms had, by their own account, “largely” or “fully” implemented the GDPR, while 41% claimed to still be in the process of doing so [9].

Traditionally, compliance was (and in smaller organizations often still is) handled manually – by defining organizational policies and processes, conducting pen-and-paper surveys and interviewing employees to track data flows and uses, with results recorded in forms, registers, and spreadsheets. But the growing scale and complexity of data processing, coupled with the GDPR’s demands, have made this approach increasingly impractical for larger firms or firms with large and complex data stores and processes. In response, entrepreneurs and technologists have begun developing various technical solutions to facilitate compliance, sometimes called “privacy tech.”

As a set of commercial technologies, the “privacy tech” space is still young and rapidly developing. The International Association of Privacy Professionals (IAPP), which seems to have coined the term “privacy tech,” identified nine product categories in its inaugural 2017 Privacy Tech Vendors Report [30,31,32,33,34]. By fall 2020, this had expanded to 11 categories [33]. These broadly overlap with the tools and actions described in Gartner’s [22] outline of a “technologically enabled privacy program” and also largely correspond to the functions named in IDC’s [44] definition of the “data privacy software market.”

The IAPP product categories are listed in Table 8.1. They support (and increasingly, automate) core tasks of privacy professionals, including documentation, impact assessments, identifying and mapping the pieces of personal data held and their flows across the organizations, governance (access, processing) of this data, management of user consent and other legal bases, and responding to data subject requests and data breaches. “Privacy tech” also includes solutions to anonymize or pseudonymize data and process it in privacy-preserving ways (e.g., multiparty computation).

Table 8.1 The IAPP’s “privacy tech” product categories

The products grouped together as “privacy tech” are related to so-called “privacy-enhancing technologies” (PETs) that, since the 1990s, have been developed in various academic contexts (if less often commercialized). Some “privacy tech” solutions are based on PETs, for example, solutions for privacy-preserving data analysis like secure multiparty computation or homomorphic encryption. However, “privacy tech” also includes functionalities not usually associated with PETs (e.g., data discovery and mapping, tracking evolving regulation and policy compliance, and others). Also, the underlying objective of commercial “privacy tech” is, often, in a sense orthogonal to PETs (which mostly derive from academic or privacy activist projects). PETs are a class of technologies aimed at “protecting the individual’s privacy,” for example, by providing users with “anonymity, pseudonymity, unlinkability, and unobservability” [28]. Privacy tech conversely aims to help organizations remain legally compliant.

4 Creating Lead Markets Abroad: The GDPR and the Development of a “Privacy Tech” Market and Industry

4.1 Research Strategy

To understand the GDPR’s role in the emergence of the privacy tech industry and test the hypothesis that the Regulation has created a lead market and lead suppliers for these technologies in America rather than Europe, three sets of evidence were examined. Firstly, quantitative data from the IAPP’s biannual Privacy Tech Vendors Report, published since 2017. The Report is the best available overall guide to the structure and evolution of the industry. It has a regularly updated directory of all privacy tech firms known to the Report’s authors, including their nationality (headquarter location), year founded, and product portfolio. Secondly, various pieces of qualitative, documentary evidence: the IAPP’s Privacy Tech Newsfeed (https://iapp.org/news/privacy-tech/; 285 pieces of original reporting on the sector going back to 2015), market/industry reports by consultancies like Gartner, Forrester, and IDC, and general media and tech and business reporting, plus talks and conference presentations by technologists, investors, and entrepreneurs. Thirdly, 10 semi-structured interviews were conducted with industry insiders. These were

  • Three Europe- and US-based analysts at different market research companies who covered the privacy tech sector and had authored reports on it (interviews 2, 3, and 8). One had also worked for a European privacy tech firm (interview 8)

  • One senior Europe-based executive from a leading North American privacy tech company (interview 7)

  • Two executives (product managers) from a major European enterprise software company that sells (among other products) GDPR compliance software tools (interviews 1 and 5)

  • One senior Europe-based employee of a North American privacy tech startup (interview 6)

  • One cofounder of a North American–European privacy tech startup (interview 9)

  • One cofounder of a European privacy tech startup (interview 10)

  • One academic who was also a cofounder of an Israeli–North American security and privacy tech startup (interview 4)

The interviewees were selected on the basis of their experience and knowledge of the privacy tech market and industry, as attested by their organizational seniority or publications. One interview came about through another interviewee’s recommendation. The interviewed companies represented a broad cross section of the industry, including purveyors of comprehensive product suites aiming to address all (or most) needs of the global privacy compliance office of large multinational enterprises (interview 7), vendors of software offering more basic functionalities targeted to smaller or less personal data-intensive companies (e.g., a sportswear manufacturer) (interviews 1, 5, 8, and 10), and developers of various kinds of specialized, technologically advanced solutions for privacy-preserving data analytics and data governance solutions catering to data/analytics-focused clients in highly regulated sectors such as finance, health care, or law (interviews 4, 6, and 9). They included both companies that had been founded specifically to provide compliance solutions for the GDPR or other privacy laws (interviews 6–10), and firms whose main business was in other fields but had realized that their products could also be used for privacy compliance (interviews 1, 4, and 5).

The interviews followed a common outline, with variation to allow for interviewees’ different backgrounds. They were asked about the GDPR’s role in the growth of the privacy tech industry, their perception of the relative positions and product and market/customer strategies of European and American privacy tech vendors, how the market was segmented, which players covered which customer segments, and – if they stated that they perceived salient divergences in the relative positions or strategies of American and European vendors – what they believed the reasons for these divergences might be. Interviewees who worked for privacy tech firms were asked about their own firms’ strategies, customer base, competitors, and go-to-market experiences. The interviews were recorded, transcribed, and analyzed independently by both authors.

4.2 Industry Growth

The GDPR kick-started the rapid growth of the privacy tech market and industry. The crucial role of the Regulation emerges clearly from both the quantitative and qualitative data. Figure 8.1 shows the number of companies included in the IAPP Privacy Tech Vendors Report, which can be treated as a reliable representation of the overall growth of the industry. As the figure shows, the number of companies active in the space (as captured in the Report) has grown from 44 in 2017 to 365 in autumn 2021.

Fig. 8.1 Number of companies included in the IAPP Privacy Tech Vendors Report

Partly this reflects entry by established firms adding privacy compliance-related products to their offering. Thus, German enterprise software giant SAP entered the privacy tech market in 2018, with three software products for GDPR compliance (covering two of the IAPP’s privacy tech categories). By 2020, SAP had added further tools, now covering six of the IAPP’s categories. SAP also entered into a partnership with BigID, an American–Israeli privacy tech startup [31, 33]. Similarly, IBM entered the Vendors Report in 2019 with products for two of the IAPP categories. By 2020, IBM products covered six IAPP categories [32, 33].

But the growing number of companies also strongly reflects entry by newly founded firms. Fig. 8.2 shows annual company starts for firms included in the Vendors Report since 1997 (the year TrustArc, today widely considered number 2 in the space globally, was founded). The number of company starts began rising sharply in 2012, the year the GDPR was proposed, and accelerated in 2016, when it was passed, reaching a high in 2017, the year before the GDPR entered into force. Thereafter, the number of new starts declines again, likely reflecting increasing saturation of the space. Not all of these firms are focused solely on privacy. Notwithstanding the early foundation of privacy-only firms like TrustArc (1997) or Nymity (2002), many of the older firms in particular were likely founded to pursue other use cases (e.g., IT security) and only added privacy with the GDPR. Conversely, younger firms likely have a much greater privacy-only focus. Notably, while a number of firms existed prior to the GDPR, many of the firms considered as leading in the privacy tech space are new companies. The only two privacy-only companies to have achieved unicorn status, OneTrust and BigID, were both founded in 2016 [14, 43].

Fig. 8.2 Number of privacy tech company starts

Qualitative evidence, too, supports the contention that the GDPR served as the stimulus for the development of the privacy tech industry and prompted the initiation of new companies in particular. Interviewees consistently stated that the GDPR was the key cause triggering the industry’s development and prompting them to start their own firms (interviews 2, 3, 5, and 7–10). The founders of three of the most successful new privacy tech companies, OneTrust, BigID, and Integris (all founded in 2016), too, have repeatedly cited the GDPR as the key event prompting them to start their firms, as they believed it would create significant market opportunities.

With the beginning of the GDPR legislative process, significant amounts of venture capital flowed into the privacy tech sector. No complete figures are available, but the following numbers are indicative. Since 2015, the six privacy tech companies specialized only in privacy compliance included in reports on leading companies in the “privacy management software” industry by the consultancies Forrester [29] and IDC [44] jointly raised almost $1.4 billion. Other significant VC investments in privacy tech companies reported in the media include Immuta, Privitar, Integris, and Ethyca, which have raised a total of $354.3 million since 2015.

4.3 Geographical Distribution of Privacy Tech Firms

Figure 8.3 shows the geographical distribution (headquarter locations) of the privacy tech firms in the Vendors Report (as of fall 2021). The large majority of companies are headquartered in North America (the United States and Canada) or Europe (EU-27 plus the United Kingdom, Norway, and Switzerland). A small number sits in the rest of the world. North America has slightly more firms than Europe (183 versus 158). The United States has the largest number of privacy tech firms. In Europe, the United Kingdom has most, followed by the Netherlands, Germany, and Ireland. Another 16 European countries have at least one firm (not shown).

Fig. 8.3 Geographical distribution of privacy tech companies (headquarter locations, as of fall 2021)

At first glance, these numbers would seem to suggest that Europe, on the back of the GDPR, has managed to generate a significant privacy tech industry, much as the Commission’s GDPR Impact Assessment had hoped. Closer examination of the data, though, suggests that this is not so. Rather, almost all the leading privacy tech companies are US-based, and the main technological developments in this space, too, are occurring in North America. Several pieces of evidence support this claim. Firstly, the interviewees stated this consistently (interviews 2, 3, and 6–10): they affirmed that the industry was dominated by US companies, and that most or all of the largest privacy tech firms were North American. As discussed further below, they also felt that the technologically most sophisticated and/or most comprehensive (in terms of privacy dimensions covered) product offerings were mostly produced by North American companies, and that these were therefore the companies serving the largest and/or technologically most sophisticated and demanding customer segments (which should also tend to be the most lucrative). Conversely, they consistently described European companies as smaller, mostly focused on national markets and on smaller or technologically less sophisticated or demanding customers, with simpler products.

The above-cited market reports paint a similar picture. Of the 15 companies identified as the “most significant” privacy tech vendors by Forrester [29] on the basis of client feedback and its own research (Footnote 9), nine are North American (eight US, one Canadian), five are European, and one is Australian. Iannopollo [29] divides these firms into four bands on the basis of the strength of their product offering, the strength of their strategy, and their market presence. Notably, the European firms cluster in the bottom band, while all the firms in the top two bands are American or Australian. The North American firms also tend to have the largest market presence. The market study by IDC [44] paints a similar picture. By IDC’s estimate, seven US companies held around 62% of the global “data privacy management software” market in 2019, with the two largest companies (OneTrust and TrustArc) together holding about 45.7% market share.

Further evidence for the dominance of US companies and the centrality of the North American ecosystem comes from reported mergers and acquisitions. With incipient market consolidation, the industry has seen growing M&A activity. Acquisitions serve to cement the position of already-powerful firms, but they are also indicative of which firms are considered particularly competitive, since acquirers usually try to buy companies with attractive technology, product, or customer portfolios. To understand acquisitions, Crunchbase.com data on acquisitions by the 17 companies defined as leading privacy tech companies in the Forrester and IDC market reports were analyzed, together with the IAPP Privacy Tech Newsfeed and Vendor Reports.

Six privacy tech companies could be identified that have made acquisitions: OneTrust (the United States), TrustArc (the United States), Exterro (the United States), Crownpeak (the United States), SAP (Germany), and SAI Global (France). Since 2012, they have made 43 acquisitions (Footnote 10). Of these, 15 concerned target firms that were active in the privacy tech and/or broader governance and compliance space (Footnote 11). Of these 15 acquisitions, 12 were of North American companies (11 US, 1 Canadian) and 3 were of European companies (one German, one British, and one Dutch firm) (Footnote 12).

It is perhaps not surprising that American firms should tend to buy other American firms. However, both OneTrust and Crownpeak have made acquisitions in Europe. Hence, that the majority of their acquisitions should nonetheless be in the United States suggests that the United States is where the more valuable target opportunities sit. This reading is also supported by the fact that of the five acquisitions made by French SAI Global, four were of American firms and only one of a European firm. Likewise, SAP’s arguably most important strategic tie-up in the privacy tech space is with BigID – an American, not a European, firm.

4.4 Explaining the Privacy Tech Industry’s Evolution

How can it be explained that, while a European law created the privacy tech market and industry and fundamentally shaped global privacy regulation, it is American companies that have come to dominate this industry? The interviews pointed to how demand- and supply-side factors, both stimulated by the GDPR, have interacted to create this outcome.

Demand-Side Factors in North America

Corresponding to the logic set out in Sect. 2, the GDPR instantaneously created a large market for privacy tech and other compliance services in the United States as well as in Europe. Precise numbers are hard to come by, but the following are indicative. One 2017 survey of 200 US firms with more than 500 employees by the consulting company PWC found that for 92% of respondents the GDPR was either their top or one of their top privacy compliance priorities, with 77% planning to spend US$1 million or more on GDPR obligations [46]. Another 2017 survey by the IAPP and the consultancy EY of 548 corporate privacy professionals, mostly in North America (Footnote 13), reported similar results: 71% of the non-EU respondents believed the GDPR applied to their organization, 50% of US respondents described it as “driving” their privacy program, and 55% of respondents planned to “invest in technology” as part of their compliance strategy [35]. Based on the IAPP-EY data, the Financial Times estimated that Fortune 500 companies would spend ~$7.8 billion on GDPR compliance [39].

This outcome was quite logical given American companies’ deep economic ties to the EU and legislators’ concern to make the GDPR binding on US tech firms. Moreover, several factors emerged from the interviews, suggesting that the market created in North America was especially suitable for the emergence of a privacy tech industry.

For one, there is reason to believe that the North American (and particularly US) firms affected by the GDPR (and hence in the market for privacy tech solutions) will have disproportionately been large and/or technologically sophisticated. The reasons for this are the general correlation between export orientation and size and technological sophistication, the size of the US tech sector (which was particularly exposed to the GDPR), and America’s significantly greater population of large enterprises compared to Europe generally.

This is supported also by the interviews and ancillary data. Interviewees consistently stated that the leading US privacy tech firms primarily served “the large enterprises of this world” (interview 2; similarly interviews 3, 7, 8, and 10) or firms engaged in fairly advanced data analysis (e.g., medical data) (interviews 6 and 10). US-based OneTrust, the largest privacy tech firm globally, has stated that ~50% of its market is in the United States, and that over half of the Fortune 500 firms are among its customers [2, 21]. Similarly, the (much smaller) Seattle-based Integris worked with several Fortune 500 firms to develop its products and counted these plus a larger stable of “Fortune 1000” firms among its customers [51, 56].

In short, the GDPR created a significant home market for US vendors among large firms. Their requirements in turn shaped the vendors’ product offerings and technological development trajectory. According to interviewees, products’ capacity to handle high levels of complexity in customer organizations’ data and technology stacks, and – with the growing number of new, post-GDPR data privacy laws globally – the finer details of different jurisdictions’ regulations have emerged as a key competitive differentiator. This is also driving a trend toward automated and sometimes AI-based solutions (e.g., data discovery engines that can automatically identify and map personal data across the organization, or apply diverse governance or de-identification rules to it). Satisfying these customer requirements takes significant engineering and legal expertise, which is costly and time-consuming to build up, and which not many vendors possess (interviews 2, 3, and 6–9).
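To make concrete the kind of machinery the interviewees describe, the following is an added illustration, not code from the chapter or from any vendor named in it: a toy data discovery and de-identification pass that classifies the personal data in a record and then applies a jurisdiction-specific rule set to it. The detectors (regexes plus a Luhn check for card numbers), the two rule sets `regime_a` and `regime_b`, the sample record and the HMAC key are all constructed for the example; the rule sets are not the text of the GDPR, the CCPA or any other law, and a production engine would add column-name heuristics, dictionaries and classifiers for data such as names, which no regex catches.

```python
"""Toy personal-data discovery engine with per-regime de-identification rules.

Added illustration: detectors, rule sets, sample record and key are constructed.
"""
import hashlib
import hmac
import re
from typing import Dict, List

# Category -> pattern. Real engines combine patterns with schema metadata,
# dictionaries and ML classifiers; names ("Jane Doe") are deliberately not
# caught here to show the limits of pattern matching.
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone_e164": re.compile(r"\+\d{8,15}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

# Hypothetical rule sets, constructed for illustration only (NOT legal text).
# A category missing from a rule set falls back to "drop" (fail closed).
POLICIES = {
    "regime_a": {"email": "pseudonymize", "phone_e164": "mask",
                 "ipv4": "pseudonymize", "card_number": "drop"},
    "regime_b": {"email": "keep", "phone_e164": "mask",
                 "ipv4": "keep", "card_number": "mask"},
}
STRICTNESS = ["keep", "mask", "pseudonymize", "drop"]  # ascending

# Constructed demo key; a real deployment would keep this in a KMS and rotate it.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on 13-19 digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0


def discover(record: Dict[str, str]) -> Dict[str, List[str]]:
    """Return field -> personal-data categories detected in that field."""
    found: Dict[str, List[str]] = {}
    for field, value in record.items():
        cats = []
        for cat, rx in DETECTORS.items():
            for m in rx.finditer(value):
                if cat == "card_number" and not luhn_ok(re.sub(r"\D", "", m.group())):
                    continue
                cats.append(cat)
                break
        if cats:
            found[field] = cats
    return found


def mask(value: str) -> str:
    """Replace all but the last four characters (keeps values operable)."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def pseudonymize(value: str, key: bytes = DEMO_KEY) -> str:
    """Keyed HMAC so the token is consistent but not dictionary-reversible."""
    return "pseud_" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def apply_policy(record: Dict[str, str], regime: str) -> Dict[str, str]:
    """Apply the regime's rules; a field with several categories gets the strictest."""
    rules = POLICIES[regime]
    out: Dict[str, str] = {}
    for field, value in record.items():
        cats = discover({field: value}).get(field, [])
        actions = [rules.get(c, "drop") for c in cats] or ["keep"]
        action = max(actions, key=STRICTNESS.index)
        if action == "drop":
            continue
        if action == "mask":
            value = mask(value)
        elif action == "pseudonymize":
            value = pseudonymize(value)
        out[field] = value
    return out


# Constructed sample record (no real person).
SAMPLE = {
    "customer": "Jane Doe",
    "contact": "jane@example.com",
    "phone": "+4930123456",
    "last_ip": "203.0.113.7",
    "card": "4111 1111 1111 1111",
    "notes": "prefers email",
}

if __name__ == "__main__":
    print(discover(SAMPLE))
    for regime in POLICIES:
        print(regime, apply_policy(SAMPLE, regime))
```

The point the example makes is the one the interviewees raise: the detectors are the easy part; the cost sits in maintaining a correct rule set per jurisdiction and per data category, and in failing closed when a category is not covered.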

Customer requirements seem to have also pushed major US vendors like OneTrust and TrustArc to develop fairly comprehensive compliance offerings – usually in the form of a modular, customizable platform – that promise to cover most dimensions of GDPR compliance (and increasingly of other laws like California’s CCPA or Brazil’s privacy law), in as far as they can be addressed technologically. One factor behind this push for “comprehensive” solutions seems to have been that, because fines for data protection law violations were minuscule prior to the GDPR, many US organizations had neglected to build up much compliance capacity. The GDPR then caught them flat-footed: they had to rapidly build up comprehensive capacities, and technology offered a tempting solution (interview 2). Indeed, beyond the immediate pain point of last-minute GDPR compliance, interviewees felt that, in their experience, US firms were generally more open than European firms to using technological solutions to address compliance challenges (interviews 2 and 6–10).

In summary, enactment of the GDPR instantaneously created a substantial market for compliance solutions in North America. This market consisted especially of relatively larger firms, who were open to addressing compliance challenges technologically (and therefore interested in privacy tech as a solution), and, on account of their size and complexity, had relatively demanding technological requirements for solutions.

Demand-Side Factors in Europe

That the United States, not Europe, should emerge as a major market for privacy tech seems to have partly taken industry players by surprise. According to one analyst, American firms had initially expected that Europe would be a key market, but then found their products in less demand than they had hoped (interview 2). This was also the experience of several executives (interviews 6 and 9).

Several reasons were given by interviewees for this outcome. For one, they noted that Europe continued to be not a single market but 27 + 5 separate national markets, divided by language, business networks, culture, and, despite the GDPR, regulatory approaches. Customizing products as language-sensitive as compliance software for more than 20 different languages and building up corresponding sales organizations is usually too costly, leading European vendors to focus on one or a couple of national markets and languages. This in turn restricts growth potential (interviews 2, 3, 5, 7, 8, and 10) (Footnote 14).

It also means that the number of large companies available as potential customers – and as spurs to technology development – is reduced. Interviewees felt that European vendors mostly served SMEs, including independent DPOs, or less personal data-intensive companies (e.g., manufacturers), whose technological requirements were correspondingly lower. Accordingly, European vendors’ product offerings tend to be simpler (e.g., digitized forms, templates, and survey and process modeling tools to be filled out by hand, instead of the automated solutions and complex data governance policy engines developed by North American vendors) (interviews 2, 3, 7, and 8). As one European vendor (interview 10) put it, his company focused on “digitizing data protection documentation” (i.e., digitizing previously pen-and-paper-based data protection processes while remaining within a basically manual framework), contrasting this with attempts to wholly “technify (technisieren)” data protection (i.e., substitute automation for manual processes), which seemed to be pursued mainly by US vendors. European vendors, interviewees felt, still mainly offered only GDPR products – which makes sense if one is serving smaller, national market-focused customers. (Conversely, US vendors increasingly seek to offer comprehensive global solutions covering the privacy regulatory regimes of all, or at least all major, jurisdictions worldwide.) (Interviews 2, 3, 7, and 8.) (Footnote 15)

Several interviewees also cited a further factor making it harder for European vendors to win big clients: especially larger European organizations and those in more highly regulated verticals like health care, finance, or communications often already had established privacy compliance programs. After all, much of the GDPR’s content had already been law in Europe since at least the 1995 Data Protection Directive. For these organizations, the GDPR represented an incremental regulatory evolution more than a revolution. Therefore, they had less need than perhaps large American companies to rapidly build up extensive new compliance processes and were accordingly less interested in investing in expensive new compliance software – especially if operating it would have also required them to significantly alter established, manual compliance processes (interviews 2 and 6). While that seems to have been a key reason why US vendors found the European market less lucrative than hoped, it also restricted growth opportunities for native vendors and reduced the demand pushing them to develop more advanced product offerings.

More broadly, interviewees felt that European companies were generally less open to using technology to solve legal compliance challenges (interviews 2 and 6–10), noting also that European compliance departments still tend (in the interviewees’ view) to be much more heavily dominated by lawyers and have a more strongly law and text-focused approach than US compliance teams (interviews 2, 6, and 7).

In summary, while the GDPR did create a market for privacy tech in Europe, this was more a series of smaller national markets than a large single one, making it harder for vendors to scale – not least as they seem to have also lacked a sufficiently big pool of large companies interested in comprehensive compliance solutions, and had to contend with greater hesitance to try out new technology-based approaches to compliance.

Supply-Side Factors in Both Regions

Interviewees also pointed to several supply-side factors that constrained European and advantaged North American vendors. Most frequently mentioned was the much greater and easier access to venture capital in North America (interviews 2, 4, 7, 9, and 10). Almost as often mentioned was access to technical and entrepreneurial talent. Interviewees noted that many of the most successful US vendors had been built by individuals whose background was in the tech industry (often in enterprise software), not in privacy, and who often also had prior entrepreneurial experience (interviews 3, 6, and 8). This is certainly true of the leadership teams of successful US vendors like OneTrust, BigID, WireWheel, Securiti, or Integris. Enterprise software (which is what privacy tech is) is a particularly hard market to get into, as customers are usually wary of purchasing from new firms, quality requirements are very high, and relationships are often crucial for winning contracts (interviews 1, 3, and 5). The much larger North American ecosystem means not only that employee talent is easier to source (interviews 8–10), but also that winning combinations of individuals with the right experience, talent, and relationships to exploit emergent entrepreneurial opportunities like the GDPR are more likely to emerge in North America.

5 Conclusion: Regulation and the Preconditions for the Emergence of Lead Markets

This chapter has argued that while regulation can create new markets and stimulate the innovation of new technologies, the very power of the European Union to set global standards makes it harder to predict where demand for these technologies will emerge. In particular, it is by no means guaranteed that, just because a regulation is European, any associated lead market and lead suppliers – that is, the largest pools of demand, with the highest technological requirements – will also emerge in Europe. The chapter used a case study of the GDPR to show that it is quite possible for EU regulation to create lead markets and lead suppliers abroad.

This finding has implications for theory and policy. On the theory side, it underscores that the economic and technological effects of regulation need to be understood in a global context. Even as theorizing on regulation-driven lead markets has recognized the potential for regulation-created demand to “suck in” compliance products from elsewhere (especially from low-cost producers in China), theorizing has often continued to operate with an implicit vision of national (or regional) markets and regulatory jurisdictions as relatively closed and siloed entities. In fact, however, the two or three major global jurisdictions (the EU, the United States, perhaps China) are increasingly able to shape the de facto standards in each other’s markets, thereby triggering concomitant market and technology developments.

A second, more specific implication for theory concerns the role of supply-side factors in lead market development. While the case study underscores the role of large and/or technologically sophisticated lead customers in driving lead market development, it also suggests that this potential will only be exploitable if a sufficiently rich ecosystem of experienced entrepreneurs and technologists with ample access to (venture) capital exists. While early lead market theorists noted the importance of supply-side factors, seeing lead markets as emerging from the interplay of lead customers and suppliers [42], later theorists attempted to exclude all supply-side factors from the theory (see [47]).

The policy implications flow from this. The case study underscores that regulation to address social (or environmental) externalities certainly can promote technological innovation and economic development. However, it also shows that profiting from this is not easy. In particular, it suggests that three factors may be decisive: the existence of a large – continental-scale – home market, the presence of a substantial pool of large and/or technologically sophisticated companies in this home market to act as lead users, and a sufficiently rich and well-funded supplier ecosystem. In the digital era, it is no longer possible to assume that these three factors are unproblematically given in Europe.