From Compliance to Innovation – Reforming the GDPR for Tomorrow’s Technologies
Abstract
The General Data Protection Regulation (“GDPR”) remains one of Europe’s most visible regulatory achievements, but its future is now debated against the backdrop of a fast-changing geopolitical and technological landscape. The role of the European Union (“EU”) as a global standard-setter is challenged by the United States’ dominance in artificial intelligence (“AI”) development, China’s rapid state-backed advances, and the risk that Europe could turn into a regulatory power without sufficient digital innovation of its own to propel it into the future. At the same time, a growing number of policymakers, regulators, and stakeholders recognise that the current EU digital rulebook — which is complex, overlapping, and often burdensome for small and medium-sized enterprises — may hinder competitiveness. While one could argue that the GDPR’s extraterritorial reach and its global dissemination through the so-called “Brussels effect”mitigate the competitive regulatory disadvantage faced by EU-based companies, such impacts remain partial and uneven in practice. Indeed, neither do they constrain how non-EU companies process data outside the EU context or in inadequate jurisdictions, nor do they offset the structural asymmetry whereby EU-based companies remain subject to GDPR obligations across their global operations. As a result, EU-based firms continue to face a meaningful structural disadvantage in data-driven innovation, even if that disadvantage is nuanced. The sense of urgency has already triggered reform efforts, from the European Commission’s simplification package to high-profile proposals by major stakeholders.
In this context, reforming the GDPR seems not only necessary, but also unavoidable. However, to be successful, the reform should refrain from a wholesale reopening of the GDPR and instead focus on selective and targeted revisions aimed at aligning the GDPR more closely with Europe’s strategic objectives: safeguarding fundamental rights, enabling responsible innovation, and strengthening digital competitiveness.
This paper responds to that challenge in two steps. First, it analyses the reasons why a reform is needed and identifies the key goals that should guide it. Second, it puts forward five pragmatic recommendations for a reform taking into account the Omnibus package released by the European Commission on 19 November 2025: (1) realigning GDPR restrictions with AI-development needs; (2) empowering innovation through sandboxes and Codes of Conduct; (3) streamlining risk assessments across the EU’s digital rulebook; (4) harmonising requirements such as EU incident-reporting obligations; and (5) improving regulatory cooperation. Taken together, these proposals chart a course for the GDPR to uphold trust and strong protection of fundamental rights while actively empowering Europe’s digital tomorrow and ensuring the GDPR remains future proof.