The EU’s General Data Protection Regulation (GDPR) was initially heralded as a ground-breaking legal framework for data privacy. However, in its current form and application, it has become a roadblock to digital progress, stifling innovation, impeding AI development and hampering essential research. A review of the GDPR is now overdue, with the current rules in place since 2018.
If Europe wants to remain competitive in an increasingly data-driven world, some immediate reforms to the GDPR are essential. We need urgent measures to resolve access issues to datasets, implement a risk-based approach to regulation and create a harmonised and simplified legal framework that promotes both privacy and innovation.
In the digital age, data is the currency of progress. Without access to datasets, AI models cannot be trained, medical research cannot advance and businesses cannot operate efficiently. Yet under the GDPR’s stringent and often inconsistent enforcement, accessing, processing and sharing data has become an administrative nightmare. The regulation’s complexity, combined with varied national interpretations, has led to a bureaucratic bottleneck that stymies economic growth and research advancements.
That’s why it’s time for a pragmatic revision that balances protecting personal information with the need to leverage data for innovation and societal benefit.
A risk-based approach
One of the GDPR’s fundamental flaws is its fragmented enforcement across the EU. Each Member State applies its own interpretation of the rules, leading to a lack of legal certainty for businesses and researchers operating across borders. This inconsistency results in massive compliance costs and administrative hurdles, particularly for start-ups and SMEs that lack the resources to navigate 27 different legal landscapes.
A uniform interpretation of the GDPR, applied consistently across all Member States, is thus necessary to ensure a functional, streamlined regulatory environment.
Moreover, the approval of a business’s data processing practices in one Member State should be recognised EU-wide, eliminating the need for redundant approvals in each jurisdiction. Germany, with its federal structure, should lead by example and implement similar recognition principles across its states. If we are to foster a truly unified digital market, regulatory harmonisation must be a top priority.
Not all data processors should be treated equally. It’s illogical to impose the same stringent requirements on small businesses as on global tech giants. GDPR reforms must introduce a risk-based approach, differentiating obligations based on company size and the volume of data processed. This will ensure that SMEs are not disproportionately burdened by compliance requirements while still maintaining strong privacy protections for individuals.
Similarly, the GDPR should facilitate – rather than hinder – AI development. AI models require large and diverse datasets to function effectively. Current GDPR provisions make training AI within Europe highly challenging, forcing companies to seek alternatives outside the EU. This not only puts European businesses at a disadvantage but also increases dependence on foreign technologies, essentially turning Europe into a digital colony rather than a digital leader.
Rethinking data protection – from absolute control to balanced privacy
There’s also a deeper philosophical question that needs to be addressed: is the GDPR’s rigid structure still fit for purpose? Should we continue to prioritise the control of personal data over its responsible use? The objective of data protection should be to safeguard individuals’ privacy, not to create insurmountable barriers to progress. A shift in perspective is urgently needed – one that recognises that privacy and innovation are not mutually exclusive but can be achieved together.
For instance, legally secure methods for anonymised and pseudonymised data processing should be developed to allow AI training and medical research while preserving privacy. The ability to use personal data in a controlled, transparent, and accountable manner would enable Europe to lead in AI development while ensuring individuals’ rights remain protected.
The GDPR, in its current form, is an outdated regulatory framework that is hindering Europe’s digital potential. A modernisation effort within the European Commission has already faltered due to bureaucratic inertia and a reluctance to challenge the status quo. However, the stakes are too high for inaction.
Europe has a choice – either we revise the GDPR to enable digital innovation while safeguarding privacy or we continue down a path that leads to stagnation and increasing reliance on foreign technology. A change of perspective is urgently needed to ensure that Europe remains a competitive and sovereign digital power.
The future of our data-driven world depends on it.
This CEPS Expert Commentary is part of a special series being published prior to the CEPS Ideas Lab on 3-4 March 2025 to showcase some of the most innovative ideas we’ll be rigorously debating with our participants. More info can be found on the official Ideas Lab 2025 website.