This article is more than 1 year old
Europe's GDPR coincides with dramatic drop in Android apps
Privacy rules increase cost, reduce choice, slash revenues, study concludes
Europe's data protection regime has reduced the number of apps available in Google Play by "a third," increased costs, and reduced developer revenues, according to a study published Monday.
And with higher costs, fewer apps are being created, to the detriment of consumers and the mobile app economy, it claims.
"At the start of our sample period in July 2016, our data on the contain 2.1 million apps in the Google Play Store, while AppBrain reported 2.2 million.26 The number of Play Store apps in our sample then rises to 2.8 million in the fourth quarter of 2017, then falls by almost one million – about 32 percent – by the end of 2018. Available apps in AppBrain saw a similar decline, by 31 percent between the beginning of 2018 and the end of 2018
In a paper titled, "GDPR and the Lost Generation of Innovative Apps", economic researchers Rebecca Janßen (ZEW Mannheim, Germany), Reinhold Kesler (University of Zurich, Switzerland), Michael Kummer (University of East Anglia, UK) & Joel Waldfogel (University of Minnesota, USA) examined the impact of Europe's General Data Protection Regulation (GDPR) on the mobile app business.
The paper, distributed via the US-based National Bureau of Economic Research, finds, "Whatever the benefits of GDPR’s privacy protection, it appears to have been accompanied by substantial costs to consumers, from a diminished choice set, and to producers from depressed revenue and increased costs."
The researchers looked at 4.1 million apps available through Google Play between July 2016 and October 2019. Presently, Google Play has about 3.48 million apps, up from about 2.2 million in 2016. GDPR was approved shortly before the survey period, on April 27, 2016 but was not enacted until May 25, 2018.
App revenue can be generated through app purchases, in-app purchases, or in-app advertising. Together, the paper says, two largest mobile app platforms (Apple and Google) grew total revenue from $43.6bn in 2016 to $83.6bn in 2019, with two-thirds of that going to Apple.
Mobile ad revenue across both platforms grew from $80.7 billion in 2016 to $189.2 billion in 2019, of which the researchers say, Google captured about $42.8bn in 2016, rising to $95.9bn in 2019. Mobile ad revenue during this period accounted for just over two thirds of total app revenue.
Under GDPR, app developers face the cost of complying with rules that require consent for data gathering, transparent data processing, purpose limitation, accuracy, limited retention, confidentiality, and accountability.
The research paper, which has been presented at various economics conferences and is going to be submitted for journal publication, finds that the Android app market has been transformed by GDPR. The number of Android apps fell by about a third in the quarters following the implementation of the law, according to the paper. And under GDPR, fewer new apps were created – new app entries fell by 47.2 percent – and usage of those remaining fell 45.3 percent.
What's more, average users per app increased by about 25 percent – users migrated toward quality apps – and apps became "somewhat less intrusive after GDPR," though that was already a pre-existing trend.
Cause and effect?
Dr Lukasz Olejnik, independent privacy researcher and consultant, told The Register in an email that he applauded the researchers for undertaking a tricky, complex study, but questioned whether the reported impact could really be causally linked to GDPR.
"The authors apparently ignore, or are unaware of, the fact that prior to GDPR data protection laws existed in Europe, as well," said Olejnik. "For example when I read the following in the paper: 'Under GDPR, developers must obtain user consent to continue processing user data…', I couldn't help but think that this sentence was entirely true also prior to GDPR.
The authors apparently ignore, or are unaware of, the fact that prior to GDPR data protection laws existed in Europe
"Data processors had to have a proper legal ground for processing data, one of those is consent. So what is the reported impact in the paper really showing? Non-compliance and privacy abuses prior to GDPR?"
Olejnik said it's important to recognize that privacy is important not only morally and ethically but economically.
"The EU Competition investigation process already acknowledges this, by including privacy as an integral parameter of welfare analysis — meaning that privacy is not only a valid concern (it is a constitutional right in the European Union), but it can be reconciled with the economy and aspects of competition," Olejnik said. "This year the EU Commission will be updating more than a dozen of EU Competition laws, and I expect these updates to reflect the importance of privacy."
Schrems speaks out
Max Schrems, honorary chair of noyb and the lawyer/campaigner behind the Schrems I and Schrems II cases, told The Register that while he could not comment on the specifics of the paper, he has seen a lot of pushback against GDPR.
"If the GDPR would be the big killer, we would see tons of apps or websites that are not available in the EU, while being available in the US," he said. "This is in fact a trend, but only in very specific cases (such as local US news outlets that have basically no EU readership and therefore just did not care to bother with the GDPR)."
Schrems suggested there are various other factors worth considering that don't appear to be accounted for, such as periodic app store purges. He also questioned why a side-by-side comparison with US and EU apps wasn't attempted.
"It may well be that some 'flashlight apps' are gone now, but I am not sure if anyone misses them," he said. "I guess people have more demand for fair quality apps, and these apps usually don't do terrible stuff with your data, so they have no major need to adjust to GDPR. So instead of counting the number of apps, it would probably be more important to see if any quality or relevant apps have disappeared."
"In summary, we have not come across any relevant apps that were pulled out of the EU because of GDPR in the past three years we worked on this," Schrems said. "We also did not get any emails or feedback in this direction (and we get complaints about everything). So I personally have my doubts if this is really a 'thing'..."
In a phone interview, co-author Michael Kummer, a lecturer at the University of East Anglia in the UK, said, "We recognize the use and potential value of regulating data and user privacy in the digital sphere, but it looks like GDPR – all the value it might have generated notwithstanding – has had this very high cost on innovation in the app market."
Kummer said the one-third decline looks scary but the paper does point out that these apps only accounted for 3 percent of app usage. "These apps are, largely as Max [Schrems] suspects, useless," he said. "That's not the problem. …The problem is that entry into the app market has become much less attractive. And we're seeing much lower numbers of new apps that are being created."
- Europe twists YouTube's arm to get better cookie consent popups
- Google must pay €150 million fine to French Competition Authority, court orders
- Google chases sovereignty market with EU Workspace Data product
- The first step to data privacy is admitting you have a problem, Google
Kummer emphasized what he and his colleagues calculated for was long-term market equilibrium. "If this goes on in the long run, and if the EU or the app market doesn't find a solution for this problem, then seven to ten years down the road, the app market will be a third less valuable," he explained.
Responding to Olejnik's suggestion that perhaps the researchers had overlooked that other privacy regulations pre-dated GDPR, Kummer, who is Austrian, said that he and two of his co-authors are native German-speakers and the fourth also speaks German, and all are familiar with European privacy laws.
"Our main argument is basically compliance with the law implies costs for a developer that hadn't adhered to [GDPR and related data protection] principles before the regulation kicked in," he said.
Kummer said he hopes the paper will encourage regulators to look into what laws actually do and make adjustments if necessary.
"It's extremely difficult to evaluate the effect that these laws actually have causally," he said, noting that there's no equivalent to a pharmaceutical industry controlled trial when it comes to market regulation.
"We issue these policies and we don't actually design any random controlled trial or any kind of methodological approach of how to evaluate what the new regulation does to the firms in the market. That's the piece that's missing here." ®