Summary
The General Data Protection Regulation (“GDPR”) was deemed necessary in order to deal with the speed and scale of technological change. The form of the instrument – a regulation rather than a directive, was meant to create greater harmonisation and strengthen the single market. It was heralded as making Europe the “trust centre of the world”. [1]
Yet the GDPR has been criticised as being too broad to be effective and too complex to comply with. Commentators state that this creates legal uncertainty and disproportionate burdens for Europe’s businesses. In the era of AI, the concepts of controllers (responsible for ensuring fair and lawful outcomes for individuals in the context of the processing of their data), and processors (who bear no such responsibility) appear outdated and create gaps through which data subject rights can fall. In a turbulent world international data transfers are fraught with difficulty and data adequacy is increasingly a legal fiction for some jurisdictions.
The EU’s data protection reforms appear to be insufficient to meet the European Commission’s goals of helping businesses and stimulating competition. Yet the rights in the GDPR, based on the Charter of Fundamental Rights and the European Convention on Human Rights, are more important than ever. The right not to be subject to solely automated decision-making (Article 22 of the GDPR) is likely to be crucial in the coming age of AI.
The answer to the problem of the administrative burdens the GDPR creates may be to simplify the GDPR’s architecture significantly. Streamlining the text could result in greater clarity by exposing the core human rights engine of this crucial piece of legislation. This in turn may make it both better understood and more effective. It could also help us to move away from a pointless tick box culture to meaningful, human consideration of the context and how to balance individuals’ rights with public or commercial interests.
Part 1 – Ambition
Background to the GDPR
The draft GDPR was published in January 2012.[2] The European Commission’s explanatory memorandum set out that “rapid technological developments” had brought “new challenges for the protection of personal data”. The Commission asserted that data sharing was now happening on a much greater scale than previously and that new technologies enabled “both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities”.
These factors required a new instrument to regulate the processing of personal data in order to make protections stronger and build a more coherent framework “backed by strong enforcement”. This would strengthen the single market, “put individuals in control of their own data” and create greater “legal and practical certainty for economic operators and public authorities”.[3]
A harmonised set of rules
The GDPR replaced a directive on data protection. [4] In EU law regulations apply directly in the legal frameworks of EU Member States, creating enforceable rights and binding obligations without the need for domestic law to transpose them. Directives, by contrast, require Member States to legislate for a particular outcome but leave the Member States to set out the relevant rights and obligations in domestic law.[5]
In its proposal for the GDPR the European Commission asserted that the differing transposition of the Directive on data protection in different Member States had resulted in fragmentation and inconsistency. A Regulation was deemed to be the solution because the relevant provisions would apply directly in the law of each Member State, leading to harmonisation in relation to the processing of personal data. Data protection regulators would coordinate more closely through a system of the appointment of lead authorities and consistency mechanisms.[6] This in turn would strengthen the EU’s single market.[7]
Exporting European values
The GDPR has significant extra-territorial scope.[8] Global businesses with an EU establishment are likely to find that the GDPR applies (at least to some extent) to the processing activities of the whole group. [9] Further, organisations targeting EU data subjects by offering them goods or services are required to comply with the rules and to appoint a representative in the EU.[10]
Research by the International Association of Privacy Professionals shows that 144 countries have now enacted data protection laws, many of which use similar concepts and principles to the GDPR.[11] The EU’s ability to influence the regulation of markets globally is significant, with GDPR being a prime example.[12]
Part II – Execution - has the GDPR worked?
How to measure success
Helen Dixon, the former Data Protection Commissioner for Ireland, has pointed out that “valid and reliable” evidence of the impacts of the GDPR remain “elusive”. However, she also comments that the attempts to achieve regulatory cooperation and consistency are far from “nimble” and that the mechanism’s architecture is akin to “a kitchen with very many cooks”. [13]
Despite the lack of evidence on the impacts of GDPR, the European Commission’s explanatory memorandum for the digital omnibus (discussed below) points to a need to “simplify”, “clarify” and “improve the EU acquis”.[14] This suggests that there are indeed problems with GDPR.
Structural problems in the GDPR’s architecture
Winfried Veil points out in his article “The GDPR: The Emperor’s New Clothes – On the structural shortcomings of both the old and the new data protection law”[15] that the GDPR imposes significant burdens. The GDPR contains 82 balancing tests, including 30 necessity tests, and makes 77 references to the data subject's rights and freedoms. Anecdotal evidence suggests that many organisations find these tests difficult to apply. The references to balancing tests and necessity tests reflect the GDPR’s foundations as a detailed “working out” of Article 8 of the ECHR – the right to a private and family life. [16] But these sorts of rights were first drafted to apply vertically: as between the citizen and the state. Translated into a “horizontal” context under the GDPR – as between the private sector entity and the data subject - these concepts appear poorly understood.[17]
Other commentators have taken a similarly critical approach to the legislation. In 2014, whilst the legislation was still being negotiated, Professor Bert-Jaap Koops wrote that the GDPR was already “dead”. Years later he has asserted that there has been nothing to revive it. Koops pointed to three central problems in the GDPR’s framework:
- The delusion that data protection law can give individuals control over their data. Koops argues that this is false and that the legislation does not achieve this;
- The misconception that the GDPR simplifies the law. On the contrary – it makes it more complex.
- The assumption that data protection law should be comprehensive — which stretches it to the point of breaking, making it "meaningless law in the books."
Continuing fragmentation
The European Commission’s stated ambition that GDPR would end fragmented and divergent approaches to data protection law was always problematic. That is because the GDPR is arguably not truly a Regulation. Instead it blends elements of a Regulation with elements of a Directive. Throughout the GDPR Member States are able to legislate to provide exceptions to the rules set out in the legislation. This is necessary because data protection is a qualified fundamental right. As explained in Article 4 of the GDPR “The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.”
Whilst the need for derogations set out in national law is clear, this means that the GDPR has never resulted in exactly the same legal framework applying across the EU. For example, in areas such as the lawful basis of processing,[18] the processing of special category personal data,[19] exemptions from data subject rights requests[20] and the permissibility of automated decision-making,[21] national law can lead to differing outcomes in one jurisdiction compared with another. This has meant that in many respects, the promised harmonisation has not materialised. Further, there is a lack of clarity as to which jurisdiction’s national law should apply in the context of cross-border processing.[22]
The concepts of controller and processor
The concepts of controller and processor in the GDPR are important because they determine how responsibility for the processing of personal data is distributed between organisations. However, the concepts are increasingly difficult to apply in an age of fast-moving technological change.
The concepts of controller and processor have existed in data protection law for a considerable period of time.[23] In short, the controller has the main responsibility of ensuring that the processing of personal data does not adversely affect the data subject’s rights and freedoms. The processor acts on the controller’s instructions, has no interest in the data, and has no responsibility for considering how the processing impacts on individuals. [24]
This distinction between controller and processor may have worked in a previous age where the personal data held by controllers had no value for the processor. In the age of AI vast amounts of personal data are needed to develop new technologies and to train algorithms. Data has been termed the “new oil”[25] or the “energy” powering new technologies[26]. The idea that entities have no interest in the data they hold is therefore unrealistic. Further, the courts have interpreted the concept of controller broadly in order to ensure that the regime contains no gaps through which the rights of individuals could fall. Where a new technology significantly influences individuals’ fundamental rights, the courts and regulators are likely to determine that the organisation that has developed the technology is a controller rather than a processor of personal data.
However, currently many developers of new technologies take the position that they are simply processors of personal data at the stage at which their tools and systems are deployed.[27] This means that it is left to the business or other organisation using their products and services to discharge the main obligations under the GDPR in ensuring that the technologies result in fair and lawful outcomes. [28] This requires organisations that may have little technical understanding of the systems they have bought attempting to conduct risk assessments, and complying with principles of fairness and transparency, as well as discharging their obligations as regards subject access requests. Although processors are supposed to help with these issues,[29] in practice such assistance can be difficult to obtain.
International data transfers
The GDPR’s processes for transferring data out of the EU are extremely burdensome, unrealistic and in practice often amount to a box-ticking exercise which does little to protect the rights of the individuals whose data is being transferred.
The transfer of data out of the EU under the GDPR is only permissible where the standard of protection of personal data in the third country is essentially equivalent to that in the EU. [30] The two main ways of transferring personal data out of the EU are:
- in reliance on data adequacy decisions made by the European Commission; or
- on the basis of standard contractual clauses issued by the European Commission, together with a risk assessment of the jurisdiction in question, and any relevant supplementary measures to protect the data such as encryption.
Adequacy decisions are the ideal basis on which to transfer data because an adequacy decision enables the free flow of data from the EU to the third country without any further measures being required. This is a considerable saving in terms of resources for the data exporter.
However, adequacy decisions are increasingly problematic. Jurisdictions with partial or full EU adequacy decisions have been criticised for breaches of the rule of law and of international law. The free flow of EU data to these jurisdictions continues on the basis that their standards as regards the rule of law and respect for fundamental rights is essentially equivalent to that in the EU, notwithstanding evidence to the contrary.[31]
For jurisdictions which do not benefit from data adequacy decisions, data exporters have to expend significant resources putting in place standard clauses and conducting “mini adequacy assessments” of the country to which the data is being exported. Analysis must be conducted into the third country’s adherence to the rule of law, data protection laws etc. Most organisations are ill-equipped to carry out such assessments and the exercise is largely a box-ticking process.
Part III - Reform
In the report, "The Future of European Competitiveness," [32]Mario Draghi, the former President of the European Central Bank and Prime Minister of Italy warned that Europe was facing "slowing growth". He highlighted the fact that "only four of the world's top 50 tech companies are European."
Draghi singled out "regulatory burdens" as "self-defeating," noting that "more than half of SMEs in Europe flag regulatory obstacles and the administrative burden as their greatest challenge."
As a response to Draghi’s report the European Commission has proposed a package of measures known as the “Digital Omnibus”.[33] The aim of the reforms is to "optimise the application of the digital rulebook" through "technical amendments… selected to bring immediate relief to businesses, public administrations, and citizens alike, to stimulate competitiveness."
Changes to the GDPR proposed under the Digital Omnibus
The reforms to the GDPR proposed under the Digital Omnibus include changes to the definition of personal data; changes to the legal basis for processing and to the derogations for processing special category personal data for the development of AI systems or models; changes to the right of subject access; and clarifications of the provisions on automated decision-making.[34]
None of the problems with data protection law raised above are addressed in the European Commission’s proposal. Some of the changes proposed may well not become law because the European Parliament and Member States may not approve them.[35] Even if they are approved they are unlikely to provide the necessary simplification or to stimulate competitiveness.
Change to the definition of personal data
The Omnibus proposal seeks to add a new paragraph to the definition of personal data. The new provision would state that information will not be deemed to be personal data in the hands of an organisation that cannot identify a person from that information (taking into account the means reasonably likely to be used by that entity). The relevant information does not become personal data in the hands of that entity merely because a potential subsequent recipient could identify an individual using that information.[36] This proposal has been criticised by the European Data Protection Board (“EDPB”)[37] and the European Data Protection Supervisor (“EDPS”)[38] in their joint opinion on the Digital Omnibus.[39] They point out that this approach to the definition of personal data conflicts with CJEU jurisprudence which confirms that “in such cases, those data are personal data for both the recipient and, indirectly, for the entity making the data available to the latter”. They state that the new definition constitutes a significant “narrowing” of the definition of personal data and could create loopholes which organisations could use to try to get round the protections.
These criticisms mean that the proposed changes are unlikely to be accepted by the European Parliament and the Member States and therefore may not ultimately become law.
Changes to the right of subject access
The proposal is that a controller should be able to charge for or refuse subject access requests[40] where the request is “made for purposes unrelated to the protection of the requester’s data” on the basis that such a request is (by its very nature) unfounded or excessive.[41] This proposal has been criticised by the EDPB and the EDPS. Case law of the Court of Justice of the European Union (“CJEU”) has confirmed that it is permissible for data subjects to exercise their right of subject access for reasons “other than that of becoming aware of the processing of data and verifying [its] lawfulness”. The CJEU has also confirmed that no particular reason for exercising the right of subject access need be given. [42] This suggests that this proposed change is also unlikely to become law.
Changes to facilitate the development of AI models and systems
There is a proposal to add a new Article to the GDPR confirming that the legitimate interests legal basis may be available as a legal basis for the development or operation of an AI system.[43] This provision has been criticised as unnecessary given that this is currently the case (even in the absence of this supplementary wording). The EDPB and the EDPS therefore take the view that the proposed measure will serve to “decrease rather than increase legal certainty”.
A further change aimed at facilitating the development and operation of AI models and systems is a derogation which would allow incidental and residual special category personal data to be processed within the system or model.[44] The EDPB and EDPS are supportive of this proposal, commenting that it is “not always possible” for controllers to avoid residual and incidental special category personal data when collecting data for the training, testing and validation of certain AI systems or models.
Automated decision-making
The Digital Omnibus contains a proposal to clarify the provisions on solely automated decision-making (“ADM”). [45] The suggested change is to add further text to confirm that processing can still be “necessary for entering into a contract with the data subject” even where the decision could have been taken by a human. This addition seems superfluous if “necessary” is read in the normal way under the GDPR. The inclusion of the term “necessary” simply means that the processing is legitimate and proportionate.[46] The reading of the term “necessary” as meaning “indispensable” is a misunderstanding of its use throughout the GDPR. Clarity on this point could be obtained in other ways (such as guidance from the EDPB) rather than making textual amendments to the legislation.
Part IV – Future developments
Given the lack of ambition of the GDPR reforms in the Omnibus, it seems inevitable that none of the relevant changes will do much to stimulate growth or competitiveness. However, the foundations of the GDPR, based as they are in fundamental rights, are essential in the age of AI. Further, the human rights balancing test is sufficiently flexible to work, whatever new technology appears over the next few years. The challenge is to move organisations away from a tick-box approach to proper engagement with the impacts of new technologies on individuals. Data protection law with its concepts of fairness, transparency and accountability offers effective protections if it could be stripped back and the flaws corrected.
The protections against ADM are powerful and important and this centrality is likely to increase as ADM becomes more common. Commentators point out that Article 22 of the GDPR which deals with ADM is potentially more protective of the individual than related provisions of the EU AI Act.[47] Further, as the world becomes more unstable the EU’s values and the European project are more important than ever.
This article was first published by the International Data Law Forum for their annual conference which took place in Vienna in July 2026.
[1] This comment is attributed to Paul Nemitz who led the European Commission’s negotiating team on the GDPR. See Veil, W. (2018) ‘The GDPR: The Emperor’s New Clothes – On the structural shortcomings of both the old and the new data protection law’, SSRN Electronic Journal. Available at: https://ssrn.com/abstract=3305056
[2] See https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52012PC0011.
[3] Ibid, section 1 – context of the proposal.
[4] Directive 95/46/EC. The author is not aware that any area of fundamental rights was regulated in the EU legal order using a regulation prior to the GDPR. Regulations tended to be used in areas where the need for precision in standards was required. One example discussed during the negotiations was that regulations were appropriate for regulating specific standards eg. the appropriate size of chicken coops, as an example. Since the GDPR many of the instruments in the digital space have been regulations rather than directives.
[5] For a summary on the different types of EU law see Brusselstimes.com. (2026). The Brussels Times. [online] Available at: https://www.brusselstimes.com/eu-affairs/1797601/how-the-eu-decides-which-law-to-use [Accessed 8 Jun. 2026].
[8] See Article 3 and the EDPB’s guidance on territorial scope - Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) Version 2.1. (2019). Available at: https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf.
[9] The other establishments in the global group can fall within the scope of the GDPR for the processing they do where there is an “inextricable link” between the processing taking place in the EU and the activities of the non-EU establishments. This link can exist even where the EU establishment is taking no part in the processing of the data. See the EDPB’s guidance here, citing case Case C-131/12 Google Spain [2014] ECLI:EU:C:2014:317.
[10] See Article 3(2) and Article 27 of the GDPR.
[11] See here. This means that “approximately 6.64 billion people or 82% of the world's population under the protection of some form of national data privacy legislation”.
[12] For further discussion of this issue see Bradford, A. (2020). The Brussels effect : how the European Union rules the world. Uitgever: New York, Ny Oxford University Press.
[13] See Dixon, H. (2025). GDPR is not loved, but does it work? International Data Privacy Law. doi:https://doi.org/10.1093/idpl/ipaf019.
[14] See EUR-Lex - 52025PC0837 - EN - EUR-Lex at paragraph 1.
[15] See Veil, W. (2018) ‘The GDPR: The Emperor’s New Clothes – On the structural shortcomings of both the old and the new data protection law’, SSRN Electronic Journal. Available at: https://ssrn.com/abstract=3305056.
[16] See for example the case of RTM v Bonne Terre Ltd & Hestview Ltd [2025] EWHC 111 (KB) where Mrs Justice Collins-Rice explains data protection law as requiring organisations to strike a balance between “the freedom and flourishing of public life and modern business and trade… and, on the other hand, the rights of individuals to privacy, ultimately derived from Art. 8 ECHR”. See also the explanationsto Article 8 of the EU’s Charter of Fundamental rights which set out the link between Article 8 of the Charter and Article 8 of the ECHR. Note that the legal basis in the Treaty on the Functioning of the European Union for data protection (Article 16) is drafted in a similar way to Article 8 of the Charter. This underscores the human rights basis of the GDPR.
[17] For a useful summary of the importance of the horizontal application of fundamental rights see Any of our business? Human Rights and the UK private sector - Human Rights Joint Committee.
[18] See Article 6(2) and (3).
[19] See for example Article 10(2)(g).
[20] See for example Article 23.
[21] See for example Article 22(2)(b).
[22] This has been discussed in the area of clinical trials. See Colcelli, V., Cippitani, R., Christoph Brochhausen-Delius and Arnold, R. (2024). GDPR Requirements for Biobanking Activities Across Europe. Springer Nature at p 39-49.
[23] See for example Article 2(d) and (e) of Directive 95/46/EC and the concept of the “Controller of the file” in the Council of Europe’s Convention 108 dating from 1981 (see Article 2(d)).
[24] For further discussion see Post | LinkedIn.
[26] Elizabeth Denham in her response to the government’s consultation Data: a new direction said that “The energy powering these new technologies is our data: about our behaviour, our interests, our spending patterns, our loves and likes, our beliefs, our health, sometimes even our DNA – the very building blocks that make us who we are.”
[27] See for example the position of developers of new technologies and relevant trade bodies in the UK ICO’s consultation here Allocating controllership across the generative AI supply chain | ICO.
[28] Whilst the EU AI Act may help to mitigate this risk, the majority of the provisions will now not come into force until December 2027.
[29] See the obligations on processors in Article 28 of the GDPR.
[30] The exception to this is where transfers are made on the basis of derogations which are exceptions from these rules. The use of derogations is only permitted in narrow circumstances (for example for one-off transfers) so they are only relied on rarely.
[31] Examples of countries where the finding of essential equivalence appear problematic and where there is evidence that points to the test in Article 45 of the GDPR not being met are the US and Israel. See Israel’s assault on the foundations of international law must have consequences: UN experts. [online] Available at: https://www.ohchr.org/en/press-releases/2024/12/israels-assault-foundations-international-law-must-have-consequences-un and European Digital Rights (EDRi). (2025). Civil society urges EU to reassess Israel’s adequacy status - European Digital Rights (EDRi)
Ibanet.org. (2025). IBA expresses deep concern over the ongoing erosion of the rule of law in the United States. [online] Available at: https://www.ibanet.org/A-message-from-the-IBA [Accessed 7 Jun. 2026].
[32] Draghi, M. (2024). The future of European competitiveness Part A | A competitiveness strategy for Europe. [online] Available at: https://commission.europa.eu/document/download/97e481fd-2dc3-412d-be4c-f152a8232961_en?filename=The%20future%20of%20European%20competitiveness%20_%20A%20competitiveness%20strategy%20for%20Europe.pdf.
[33] Shaping Europe’s digital future. (2025). Digital Omnibus Regulation Proposal. [online] Available at: https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal.
[34] Further changes proposed include changes in the framework for reporting personal data breaches, standardising data protection impact assessments processes and making some changes relating to the provision of privacy notices for the benefit of clubs or small businesses.
[35] Data Protection Law is subject to the Ordinary Legislative Procedure (see Article 16(2) of the Treaty on the Functioning of the European Union). For an explanation of the procedure see Overview | Ordinary legislative procedure | Ordinary Legislative Procedure | European Parliament.
[36] See recital 27 to the Omnibus and the proposed additions to Article 4 to the GDPR.
[39] See Europa.eu. (2026). EDPB-EDPS Joint opinion 2/2026 on the Proposal for a Regulation as regards the simplification of the digital legislative framework (Digital Omnibus) | European Data Protection Board. [online] Available at: https://www.edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-22026-proposal_en.
[40] See Article 15 of the GDPR.
[41] See recital 35 of the Omnibus proposal and the amendments to Article 12 and 14(5) of the GDPR.
[42] See the judgment of the CJEU of 26 October 2023, Case C-307/22, ECLI:EU:C:2023:811, paragraphs 38 and 43. The CJEU’s reasoning is consistent with the recitals to the GDPR which clarify that the framework applies broadly as part of the architecture of fundamental rights. In particular recital 4 states “This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.”
[43] See recitals 30 and 31 of the Omnibus and new Article 88(c) of the GDPR.
[44] This change would be added to the Article 9 GDPR derogations.
[45] See Article 22 of the GDPR and recital 38 of the Omnibus.
[46] See for example the case of Stone v South East Coast SHA (formerly Kent and Medway SHA) [2006] EWHC166 (Admin) at paragraph 60. Davis J stated “It is common ground that the word “necessary”, as used in [data protection law], carries with it the connotations of the European Convention on Human Rights: those include the proposition that a pressing social need is involved and that the measure employed is proportionate to the legitimate aim being pursued.”
[47] See the discussion in Sarra, C. (2025) ‘Artificial Intelligence in Decision‑making: A Test of Consistency between the “EU AI Act” and the “General Data Protection Regulation”’, Athens Journal of Law, 11(1), pp. 45–62.
Subscribe to receive more articles like this here.

