The European Union stands at a critical juncture in its digital policy, with leaked documents revealing plans to significantly weaken the General Data Protection Regulation (GDPR), Europe's flagship data protection law. This comes amid growing concerns that the EU has allowed US technology giants to operate with minimal restraint, potentially cementing their dominance across European markets.
The Threat to Europe's Digital Sovereignty
Under the leadership of European Commission President Ursula von der Leyen, EU legislation designed to regulate major technology companies has faced either delayed implementation or complete non-enforcement. Critics suggest this reluctance stems from fears of provoking former US President Donald Trump. The proposed dilution of GDPR represents a significant shift in Europe's approach to digital governance that could have far-reaching consequences.
Johnny Ryan of the Irish Council for Civil Liberties and Georg Riekeles of the European Policy Centre warn that these changes would effectively hand control of Europe's technological future to American corporations. The GDPR, once celebrated as Europe's most ambitious digital legislation, now faces being systematically undermined by powerful forces within the European Commission, with support from the German government.
Enforcement Failure and Cascading Monopolies
Europe's fundamental problem isn't excessive regulation but chronic under-enforcement of existing laws. Documents revealed in US court proceedings expose a widespread data free-for-all within Meta, where information provided for one service is routinely used to support unrelated business operations, including highly invasive advertising targeting.
This practice directly violates GDPR's purpose limitation principle, which states that data collected for one specific purpose cannot be automatically repurposed for unrelated activities. Proper enforcement of this single principle could effectively dismantle the operational models of major US tech firms operating in Europe.
The persistent failure to enforce GDPR has allowed companies like Google, Meta, and Microsoft to establish cascading monopolies, dominating successive market sectors and leaving no space for European innovators to scale their offerings.
Proposed Changes and Their Consequences
The commission's proposed amendments would introduce significant vulnerabilities. One change would permit companies to declare their AI training data legal without meeting GDPR's rigorous verification requirements. This would effectively legitimise years of potentially ill-gotten data accumulated by firms like Google, Meta, OpenAI, and Microsoft, making it impossible for European competitors to catch up.
Another concerning proposal would weaken protections for sensitive personal data, including information about race, political opinions, and health. Since social media algorithms frequently misuse this special category data, the changes could leave children across Europe more exposed to dangerous content promoting self-harm and suicide on platforms like TikTok, Snapchat, and YouTube.
The commission's concerns about excessive consent pop-ups are valid, but the solution lies in proper enforcement rather than deregulation. Applying GDPR effectively against online advertising technology firms would address the fundamental data breach at the industry's core, rendering most consent pop-ups unnecessary.
Legal and Democratic Concerns
The proposed changes face significant legal challenges, with much of the commission's plan appearing contrary to the EU's Charter of Fundamental Rights and rulings from the European Court of Justice. The commission intends to use an inappropriate procedural manoeuvre to bypass required impact assessments and avoid democratic scrutiny in the European Parliament.
Ireland's enforcement record has been particularly disappointing, compounded by the recent appointment of a former Meta lobbyist as a data protection commissioner. However, mechanisms exist to compel action, including votes at the European Data Protection Board that could force Ireland to apply GDPR fully and proportionately to major tech firms headquartered there.
The Path Forward for European Innovation
Proper enforcement of Europe's data regulations would not only protect democracies and children from harmful algorithms but also disrupt big tech's cascading monopolies. This would create essential space for European tech SMEs and startups to scale across the continent.
Recent developments should give policymakers pause. Seventy-three scientists have written to von der Leyen challenging her statement that AI would achieve human reasoning by 2026. Large language models remain deeply unprofitable, generating an estimated $235 billion last year while costing approximately $1.5 trillion to develop and operate.
Policy should not be driven by dogmatic faith in deregulation. Instead, Europe should enforce its existing laws, defend its digital sovereignty, create space for innovation, and demonstrate that democracy can effectively regulate Silicon Valley. The GDPR remains Europe's most powerful weapon against digital oligarchy, child harm, and foreign political interference – weakening it now would confirm Europe's status as a digital vassal to US interests.
