GDPR Brussels Matrix

After the announcement of the Digital Omnibus, which also contains some targeted and much-awaited changes to EU data protection rules, a somewhat expected wave of activist hysteria hit Brussels once again. “Selling Europeans’ rights to Big Tech”, “the biggest GDPR rollback in EU history” – it’s a narrative that brilliantly generates emotions and clicks on social media, but doesn’t hold up well against an honest analysis of the facts. For citizens, these changes do not mean a sudden disappearance of their legal rights, enshrined in the GDPR, such as the right to information, access, objection or complaint to a supervisory authority – those remain firmly in place. The only actual right at stake here is the right of EU researchers and companies to compete with their counterparts in other, less ideologically obsessed, jurisdictions. These changes, while far from creating a level playing field and making Europe competitive, at least offer us a fighting chance to build advanced AI systems here, rather than rely on technology created elsewhere by huge global players. 

The EU’s strict regulatory approach, with the GDPR as its flagship example, has imposed very serious financial and operational burdens on our economy, and SMEs in particular, that are very hard to offset. Impact assessments of GDPR implementation show that the weight of compliance costs hits smaller entities much harder than the largest corporations. Big companies can spend tens of millions of dollars on adapting systems and building legal teams – compliance cost estimates go into the high millions. For cash-strapped SMEs in the CEE region, this translates into ruinous costs often diverting money that, under normal circumstances, would have gone into product development or entering new markets. In practice, GDPR functions as a regulatory tax on data-driven activity, still manageable for a global giant, but for a software house in Warsaw or a fintech in Vilnius, it is often the difference between moving a product forward and freezing it. And this is only the direct cost mentioned in the Draghi report. A much greater tax is being paid in opportunity cost, as many projects and ideas are simply abandoned as legally too risky, given the potential of huge fines mandated by the GDPR. This is why we are falling further and further behind other markets and European competitiveness in a long-lost dream. 

Given the grave economic data, the European Commission has finally woken up to the fact that regulation always comes with tradeoffs and has begun to count the costs to the economy as a whole. Estimates point to billions of euros in potential administrative savings over a few years if procedures can be simplified, incident reporting can be unified, and overlapping requirements between GDPR, NIS2, DORA, and the AI Act can be reduced. This is not just technical fine-tuning, but an attempt to lower the “data tax” that everyone pays today, with the smallest players paying the highest rate in relative terms. In our part of Europe, where many companies operate on thin margins and with limited access to capital, every extra percentage point of compliance costs acts as a brake on innovation.

Against this backdrop, the debate on training AI models needs to be understood properly. The current wording of the rules leaves too much room for uncertainty: many data-driven projects operate “at their own risk”, because in practice, user consent is often impossible to obtain, and relying on legitimate interest is often approached with great caution by lawyers. The GDPR provision is only a part of the problem, with the activist and maximalist approach of the DPAs and EDPB being perhaps the more important factor. The discussion around changes to the GDPR is moving towards a clearer framework for this issue: yes, training and improving models on data should be possible under strictly defined conditions, with data minimisation, strong safeguards, and a meaningful right to object. This is exactly what matters for European companies, having a clear, predictable legal foundation instead of constantly operating in a grey zone of interpretation or, more often, simply deciding it is not worth the risk and moving operations elsewhere

The claim that such clarification amounts to “selling rights to Big Tech” is a deliberate distortion of the facts and an attempt to distract from a simple fact: if we make model training too risky and unprofitable in Europe, Big Tech will train models anyway, they will just do it outside Europe. The models will be built in the US or Asia, offered through APIs and web interfaces, and European citizens will still use them. The difference is whether models will also be developed here, by companies from Tallinn, Warsaw, or Prague, or whether we will reduce ourselves to importing someone else’s solutions while maintaining the most restrictive and expensive regulatory system in the world.

The hysterical attack on the supposed “sale of our rights to Big Tech” therefore does not in reality have in mind the real interests of citizens, but pursues a maximalist ideology of a small, but loud group vested in the status quo. The rights of European citizens will and must continue to be protected through strong transparency guarantees, an effective right to object, strict limits on sensitive data, and tough enforcement of violations. At the same time, we need the courage to admit that the current GDPR model is, in practice, an unnecessary tax on digital innovation in Europe, and that the lack of clear rules on model training pushes their creation outside of Europe. Between fear-mongering about a “rollback of rights” and a thoughtless “data free-for-all”, there is room for a reasonable compromise: changes to GDPR that maintain a high level of individual protection while allowing European companies to truly compete in the AI race, instead of just watching it from the sidelines. Self-appointed digital rights defenders will do well to remember, the data subjects also need and want well-paying jobs and a stable economic outlook that will allow them to look forward to a brighter future for themselves and their children. Without these much-needed adjustments, our economy will continue to stagnate, and with it, our hopes for a better Europe will wither away, putting the whole project at risk. And with it, the very rights we all cherish and wish to protect.