EU's Proposed GDPR Weakening: How Deregulation Could Cement US Tech Dominance in Europe

"Europe is hurtling toward digital vassalage. Under Ursula von der Leyen, the European Commission president, EU laws to tackle tech giants have been either not applied or delayed, for fear of offending Donald Trump. Now leaked documents reveal that the European Commission plans to gut a central part of Europe's digital rulebook."

Once Europe's most celebrated legislative achievement, the General Data Protection Regulation (GDPR) now faces a critical juncture. Leaked documents reveal plans by the European Commission to significantly weaken this cornerstone of European digital rights, potentially handing even greater market dominance to US tech giants while stifling European innovation.

The GDPR: Europe's Defense Against Digital Oligarchy

Enacted in 2018, the GDPR was designed to protect European citizens' personal data while establishing clear rules for how companies can collect, process, and utilize this information. The regulation introduced principles like "purpose limitation"—the commonsense notion that data collected for one purpose cannot be automatically repurposed for another without explicit consent.

This principle, in particular, poses a direct threat to the business models of companies like Meta, Google, and Microsoft, which have built cascading monopolies by repurposing user data across their various services. As documents revealed in a US court case show, Meta operates in a "vast free-for-all of data," using information provided for social media to power unrelated business lines, particularly its invasive ad targeting system.

Proposed Changes and Their Implications

The European Commission's proposed changes to GDPR would significantly weaken these protections:

1. AI Training Data Legitimization: One proposal would allow companies to claim their AI training data is legal, freeing them from GDPR's rigorous requirements to prove proper consent. This would effectively legitimize years of questionable data collection practices by Google, Meta, OpenAI, and Microsoft, making it nearly impossible for European competitors to catch up.

2. Weakened Protections for Special Category Data: Another change would reduce protections for "special category" data—our most intimate personal information. Since social media algorithms rely heavily on this data, this change would leave children more exposed to dangerous algorithms on platforms like TikTok, Snapchat, and YouTube, which can push harmful content including self-hate and suicide ideation.

3. Nuisance Consent Pop-ups: While the Commission correctly identifies that Europeans are plagued by consent pop-ups, the solution isn't deregulation but enforcement. Proper application of GDPR against online advertising technology firms would address the root cause of these pop-ups—the vast data breach at the heart of the industry.

Enforcement vs. Deregulation: The European Conundrum

The argument that deregulation will spur European innovation, particularly in AI, fundamentally misunderstands the relationship between regulation and innovation. China's DeepSeek, which has stunned the AI world over the past year, emerged under a legal regime far stricter than Europe's. China's rigorous pre-deployment rules appear to have done its world-beating AI innovation no harm.

Europe's problem isn't that it has too many rules, but that it hypes these rules and then neglects to enforce them. Chronic under-enforcement has allowed US tech giants to entrench their domination, leaving no space for European innovators to scale up.

The solution isn't to weaken GDPR but to enforce it. Enforcing just the "purpose limitation principle" would effectively break up every giant US tech firm. The regulation contains many other principles with the power to upend these firms' operations.

The Enforcement Challenge: Ireland's Role

The most critical battleground for GDPR enforcement is Ireland, where the largest US tech firms have their European headquarters (except for Amazon, which is based in Luxembourg). Ireland's enforcement record has been dismal, and its recent appointment of an ex-Meta lobbyist as data protection commissioner raises serious concerns.

However, there is a pathway to force Ireland to comply: through a vote at the European Data Protection Board. This could compel Ireland to start applying GDPR to these firms fully and proportionately.

The Legal and Democratic Concerns

The proposed changes themselves are legally fraught. Much of what the Commission plans is contrary to the EU's charter of fundamental rights and rulings from Europe's top court. The Commission also intends to use an inappropriate procedural maneuver to skip required impact assessments and skirt democratic scrutiny at the European Parliament.

Beyond GDPR: Europe's Digital Sovereignty

GDPR represents Europe's greatest weapon against digital oligarchy, child harm, and foreign political interference. Diluting it now, in the shadow of renewed US political pressure, would confirm Europe as a "digital vassal" of the US—a playground where US firms remain unassailably dominant and where US interests override European standards and values.

The Commission's approach to AI also raises concerns. This week, 73 scientists wrote to von der Leyen demanding that she retract her budget speech statement that AI would achieve human reasoning by 2026. Large language models remain deeply unprofitable, generating an estimated $235 billion in the last year while costing an estimated $1.5 trillion to develop and run.

Policy should not be driven by a dogmatic faith that deregulation will inevitably liberate innovation. Enforcement against giant US firms is the solution to the problems identified by the Commission.

Creating Space for European Innovation

Enforcing Europe's data rules would not only protect democracies and children from harmful algorithms but would also disrupt big tech's cascading monopolies across Europe. Crucially for Europe's competitiveness, this is what would create the space for European tech SMEs and startups to scale up everywhere in Europe.

When considering the future of Europe's privacy laws, the Commission would do well to treat big tech's claims about AI and its requests for deregulation with more skepticism. Europe should defend its sovereignty, enforce its laws, and prove that democracy can effectively tame Silicon Valley.

This article is based on commentary by Johnny Ryan, director of Enforce at the Irish Council for Civil Liberties, and Georg Riekeles, associate director of the European Policy Center, originally published in The Guardian.