Band-Aids on Bureaucracy: Why GDPR Reform Isn’t Enough

Seven may be a divine number, but even sacred things deserve scrutiny. It took the EU seven years to begin rethinking its regulatory holy grail: the General Data Protection Regulation (GDPR). Prompted by warnings like those in the Draghi report, that strict GDPR rules choke innovation and competitiveness, Brussels is finally reconsidering.

But tweaking the GDPR alone won’t be enough. Boosting the EU’s competitiveness in today’s innovation economy will require coupling it with broader Single Market reforms.

Launched in 2018 to protect EU citizens’ privacy, the much-debated GDPR is finally getting a makeover. As one of EU’s most recognised regulations, the GDPR has been hailed for its global influence, with large corporations, like Microsoft and Apple, applying its privacy rules worldwide – a phenomenon celebrated by policy wonks as the “Brussels effect”.

However, many European companies have been complaining about the EU’s landmark regulation. They have a point.

Research shows that the GDPR increased compliance costs for European firms, reduced access to innovative apps, dampened demand for web technology services, and curtailed the availability of cloud services such as data storage and processing. It also harmed the EU’s trade in digital services and led to a significant drop in data-related U.S. investment activity in Europe.

While the world treats data as the new oil, European companies became less data-intensive and scaled back on data-driven innovation since the introduction of the GDPR.

That’s now set to change, according to the European Commission. Planned revisions include simplifying record-keeping duties, clarifying impact assessment procedures, and harmonising enforcement rules across EU member states. The GDPR reform is part of the Commission’s broader crusade to boost Europe’s tech competitiveness alongside plans to ease rules in the AI Act, the Cybersecurity Act, and the Data Governance Act.

Mario Draghi’s influential report last year sparked much of this reform push, warning that “the EU’s regulatory stance towards tech companies hampers innovation”.

Yet tinkering at the edges of Europe’s digital rulebook won’t save its economic competitiveness. Fixing laws like the GDPR and the AI Act misses the bigger picture: much of the EU’s innovation today is happening elsewhere – namely, in the Single Market. Without broader sectoral reforms, especially in services, digital revisions won’t deliver.

Take, for example, a small legal start-up in France aiming to offer AI-driven legal services in Germany. After navigating French national regulations to launch, it must comply with GDPR and AI rules, which – due to gold-plating – may differ between the two countries. Even after adopting AI successfully, the firm still runs into Germany’s legal roadblocks. On top of that, other local rules may force a costly redesign of its digital legal services.

Faced with so many regulatory costs piling up in every EU country, the French company will abandon its plan to bring AI into its legal services. By not investing in applied AI technology, this becomes yet another missed opportunity for Europe to boost its competitiveness through innovation.

The point is that easing digital rules only works if matched with broader Single Market reforms in the services where digital innovations are applied.

Sectors like marketing, accounting, and legal contracting see real productivity boosts only when revisions to laws such as the GDPR and the AI Act are paired with market reforms – for example, removing foreign entry barriers in Slovakia’s legal sector, easing restrictions on foreign personnel in Austria’s accountancy industry, or ironing Europe’s fragmented energy market. This is what frees up innovative services.

According to IMF data, European firms active in all these services incur double the costs of firms elsewhere in the economy when scaling across borders within the EU. That’s striking, given that services account for over 75 per cent of the EU’s economy. Ultimately, it’s the adoption of new tech tools by firms across the broader services economy that will drive true competitiveness.

Failing to act delivers a double whammy: it robs the Single Market of incentives for firms to adopt AI and data-driven models, and it stifles scaling, squandering the low marginal costs digital technologies offer for reaching nearly half a billion consumers. The result is slower digital diffusion and a loss of competitiveness among European firms.

GDPR fixes alone won’t suddenly make the bulk of Europe’s economy more data-driven or spur a wave of digital innovation. In the end, it’s European companies like the French start-up that needs to adopt innovative technologies. But that won’t happen until their markets are reformed, too.