Europe changed the world in 2018, not with a product or innovation but with a privacy law. The General Data Protection Regulation (GDPR) was a bold declaration of European values. For the first time, individuals were granted enforceable rights over how their personal information was collected and shared in a new era of digital accountability.
It rewired global thinking and acted as a blueprint for similar legislation in places like California (CCPA) and Brazil (LGPD), forcing tech giants to reconsider long-unchallenged data practices.
But six years on, that win for privacy may now be detrimental to Europe’s prosperity. Real-time data is now the primary engine of economic growth, from AI training to cross-border service delivery. The question is not about the legitimacy of GDPR, but whether a law built for protection can still make an impact in the age of AI.
GDPR reframed privacy as a fundamental right, codifying principles like consent and data minimisation, and created mechanisms for enforcement that grounded previously abstract values and ideals. It forced countries and companies to think differently about data. It was no longer a resource to be harvested indiscriminately, but as something that had to be earned and handled responsibly.
The challenge comes in that GDPR was not built for an era of AI augmentation or real-time analytics. Its broad definitions of “personal data,” “consent,” and “automated decision-making” leave too much ambiguity for fast-moving sectors. For early-stage ventures without the compliance budgets of a multinational, GDPR can feel like a firewall against experimentation, innovation and growth.
AI models trained on user-generated content, or healthcare breakthroughs that rely on anonymised patient records and similar cross-border digital services all face mind-boggling complexity under GDPR. Even when data is pseudonymised or aggregated, the regulatory scope can pull it back into the personal data category, creating an effect where organisations default to underutilisation rather than risk exposure.
As data becomes the lifeblood of economic and geopolitical power, three distinct models have emerged. In the US, regulation remains fragmented, but the ecosystem favours rapid deployment and experimentation. In China, on the other hand, the approach is tightly coordinated, with data governance deeply entwined with state strategy.
Europe sits between these extremes of principled but cautious. It lends itself to rights and regulation but lags in platform creation and AI deployment. The question now facing policymakers is whether ethical leadership is compatible with the pace and ambition required to compete on the global stage.
As Europe accelerates its push into strategic technologies, calls to adapt GDPR are growing louder. Suggestions range from clearer guidance on how GDPR applies to AI training, to proposals like differentiated rules for pseudonymised data, regulatory sandboxes, and context-based consent models.
One camp argues that Europe’s commitment to privacy is its greatest long-term advantage. That trust, once lost, is hard to recover. The other warns of a growing “GDPR chill,” where ambiguity and legal risk push startups, researchers, and multinationals to innovate elsewhere. Both are right in their own way. Trust and innovation don’t need to be opposing forces, but without clearer pathways Europe risks preserving its ideals while losing its influence and economic vitality.
A middle path is emerging. Initiatives like the European Health Data Space, the AI Act’s tiered risk framework, and the rise of privacy-preserving technologies, such as “federated learning” to preserve anonymity, point to a future where compliance and competitiveness can coexist.
Europe doesn’t need to abandon GDPR; it needs to modernise it. A law built to protect citizens must now also promote ethical innovation and growth. GDPR was a declaration of principle; the next declaration must be one of purpose, protecting privacy without sacrificing progress.
Ben Schilz is is an entrepreneur and data protection expert with experience growing technology companies globally. Before becoming CEO of Wire, a communication software company, he founded Acorus Networks.
