Brussels scales back landmark privacy laws whilst leaving the real compliance burdens untouched
Europe's GDPR rollback targets protections that worked whilst ignoring enforcement fragmentation that didn't
Seven years after declaring Europe the world's toughest data protection jurisdiction, Brussels is quietly dismantling the protections that worked. The justification arrives via Mario Draghi's September 2024 competitiveness report, which supposedly proves overregulation is strangling European innovation.
There's one problem: Draghi's 400-page report mentions GDPR exactly twice, offering no evidence it hampers competitiveness. Meanwhile, seven years of implementation data tell a different story entirely. The regulation hammered small European firms whilst barely touching the American tech giants it supposedly targeted. Enforcement generated billions in fines but changed little about how companies handle data. And now Brussels proposes weakening protections whilst leaving the actual compliance nightmares—27 conflicting national interpretations, years-long investigations, fragmented enforcement—completely intact.
This isn't regulatory reform. It's regulatory capture with a competitiveness narrative attached.
The costs landed precisely backwards
Oxford economists examining thousands of firms globally found European businesses exposed to GDPR saw profits drop 8.1 per cent on average. Small and medium enterprises took the harder hit: 8.5 per cent. Small IT companies suffered worst of all, losing 12.5 per cent of profits.
Large European firms fared only marginally better, with 7.9 per cent declines. But Meta, Google, Apple and the other tech giants GDPR supposedly constrained? No measurable impact on sales or profits, according to the same research, published in Economic Inquiry.
The mechanism was brutally simple. Compliance meant hiring data protection officers, upgrading IT systems, navigating complex legal requirements. PwC found some companies spent over €10 million annually. Small firms lacked resources to absorb these costs. Large incumbents added them to existing legal budgets without breaking stride. The regulation functioned as a moat protecting established players.
MIT researchers found GDPR worked like a 25 per cent tax on smaller companies. For Big Tech? Barely a rounding error.
Europe's data economy shrank in response. EU firms cut data storage by 26 per cent in two years, whilst computation dropped 15 per cent, according to confidential data from a large cloud provider. Investment in European tech companies fell 26 per cent. One study found a third of apps vanished from the Google Play Store after GDPR took effect.
The regulation meant to protect European digital sovereignty instead weakened European digital capacity. American tech giants continued largely unimpeded.
How companies weaponised user annoyance
GDPR's most visible legacy: cookie consent banners. Those ubiquitous pop-ups demanding users navigate labyrinths of toggles and "partners." Europeans encounter 1,020 of them annually, collectively wasting 575 million hours. Seventy-two per cent of those banners deploy at least one dark pattern designed to nudge users into accepting.
Here's what gets buried: GDPR never mandated this nightmare.
The regulation requires informed, freely given consent for non-essential data processing, and Article 7(3) requires that withdrawing consent be as easy as giving it, a rule regulators have consistently read as forbidding a "reject" path that is harder than the "accept" one. Companies could have implemented simple accept/reject choices. GitHub operates without cookie banners by simply not setting non-essential cookies in the first place.
Instead, companies chose maximum annoyance. "Accept all" buttons loom large. "Reject all" requires drilling through multiple screens, if it exists at all. Some banners list hundreds of "partners" with individual toggles. Others hide "legitimate interest" categories that stay switched on, or switch back on, even after users opt out of everything else.
This wasn't incompetence. It was strategy.
Make cookie banners sufficiently maddening and users would demand regulatory change. Weaponise citizen frustration against the regulation itself. The November 2025 proposals moving consent to browsers suggest the strategy succeeded.
The proposed changes are sensible: set preferences once in your browser, websites respect choices for six months minimum, anonymous visitor counting exempted from consent entirely. But here's the thing—none of this required regulatory rollback. Browser-based consent mechanisms like Global Privacy Control have existed for years. GDPR never prevented their adoption.
Companies simply chose not to, preferring to make compliance so painful that Brussels would eventually cave. Seven years later, Brussels is caving.
Who's actually driving simplification
The rollback's timing tells you everything. Ursula von der Leyen commissioned Draghi's report in 2023, towards the end of her first term. Its September 2024 release, just before her second term began, provided convenient cover for changes already planned through her "Digital Omnibus" packages: fast-track legislative bundles designed to bypass normal consultation.
Tech industry response was immediate and enthusiastic. Elon Musk, whose companies face multiple EU regulatory challenges, endorsed Draghi's critique within hours. DigitalEurope, the leading tech trade association, praised the vision "to break Europe free from the vicious cycle of low innovation."
Then there's Aura Salla. Previously headed Meta's Brussels lobbying office. Now sits in the European Parliament pushing for GDPR reopening. Meta itself submitted comments calling for changes "beyond easing administrative burdens"—seeking a complete "pause in AI Act enforcement and sweeping reform of EU data protection law."
The companies lobbying hardest faced minimal GDPR impact. Those who bore disproportionate costs—European SMEs—had no comparable lobbying infrastructure. Four member states recognised this: Estonia, France, Austria, and Slovenia formally opposed reopening GDPR, arguing changes should focus on harmonising enforcement rather than weakening protections.
But harmonisation is precisely what the omnibus doesn't address. GDPR's real nightmare stems from 27 different national authorities interpreting requirements inconsistently. Even the age of digital consent differs: Article 8 lets each member state pick, so Germany uses 16 whilst France uses 15. Irish authorities, responsible for most Big Tech oversight because companies locate their EU headquarters there, have issued over €3.5 billion in fines but take years completing investigations whilst alleged violations continue.
This fragmentation creates genuine compliance difficulty. A company operating across Europe navigates dozens of interpretations whilst facing penalties from multiple jurisdictions. Fixing this requires difficult negotiations about centralised enforcement and reduced national sovereignty.
Much easier to weaken the underlying protections instead.
The competitiveness argument collapses under examination
Draghi's report argues regulatory burden prevents European innovation. Yet his own analysis undermines this when examining actual competitive weaknesses.
Europe's productivity gap with the United States is "largely explained by the technology sector," Draghi writes. But European tech underperformance predates GDPR by decades. Only four European companies rank among the world's top 50 tech firms. European venture capital investment remains far behind America. The continent's fragmented markets, risk-averse business culture, and linguistic barriers present obstacles no privacy rollback addresses.
Energy costs dwarf data protection concerns. European electricity prices run two to three times higher than American ones. Natural gas costs four to five times more. These differentials eclipse GDPR compliance costs and directly impact every manufacturer and data centre. Draghi acknowledges this but it attracted far less attention than his brief GDPR mentions.
Then there's everything else hampering European innovation: labour market rigidities, inadequate capital formation and educational systems failing to produce enough technical graduates.
The real competitive gaps require politically difficult solutions: genuine single market completion, reduced bureaucracy at national and local levels, reformed labour laws, deeper capital markets, massive infrastructure investment. Data protection simplification offers the appearance of action whilst avoiding hard choices.
What enforcement actually achieved
GDPR did accomplish something. €5.88 billion in fines since 2018 demonstrated European regulators could penalise powerful actors. Meta paid €1.2 billion for unlawfully transferring European data to the United States. TikTok faced €345 million for failing to protect children's privacy. LinkedIn paid €310 million for processing members' data for behavioural advertising without a valid legal basis.
These penalties reflected genuine violations, not regulatory overreach. But examine the pattern: nearly all major fines hit non-European platforms, namely Meta (WhatsApp included), Google, LinkedIn and China's TikTok. European regulators weren't protecting European citizens from foreign tech giants so much as generating revenue from them.
Meanwhile, 363 data breaches get reported daily. GDPR hasn't fundamentally altered how companies handle data security. It created a penalty system for getting caught, not genuine protection.
The proposed rollback weakens even this limited achievement. Moving consent to browsers reduces friction in data collection. Expanding "legitimate interest" exemptions opens exploitable loopholes. Reducing documentation requirements makes violations harder to detect and prosecute.
Privacy advocates warn that once GDPR reopens, even for targeted amendments, powerful interests will push broader changes. The leaked omnibus draft already suggests redefining personal and sensitive data to narrow protections. The pattern repeats across European policymaking: urgent reform packages pushed through without adequate consultation, driven by industry complaints rather than evidence.
What Brussels chose not to fix
The fundamental question was never whether GDPR was perfect—obviously it wasn't—but whether its flaws warranted weakening protections or demanded better enforcement.
The answer was clear: harmonise enforcement across member states, provide clear guidance on ambiguous provisions, create streamlined mechanisms for legitimate data uses, focus penalties on actual harms rather than documentation failures. These changes would genuinely help business whilst maintaining strong privacy protections.
Brussels chose differently. Blame regulation for deep-rooted competitive weaknesses. Promise simplification. Deliver changes primarily benefiting tech giants who needed GDPR least and were harmed by it least.
The episode reveals something uncomfortable about European governance. When policies create unintended burdens, the response isn't fixing implementation but abandoning principles. When powerful interests complain loudly enough, political leaders find ways to grant relief. When citizens lack comparable lobbying resources, their interests get traded away for "competitiveness."
Europe faces genuine competitive challenges: aging population, energy dependence, fragmented markets, inadequate innovation investment. Addressing these requires political courage and difficult choices.
Weakening privacy protections is neither courageous nor difficult. It's simply convenient.
The most revealing aspect is that weakening GDPR won't achieve its stated purpose. European tech companies will remain uncompetitive because compliance costs weren't their real problem. American tech giants will continue dominating European markets because they possessed resources to navigate GDPR from the start. European citizens will have weaker privacy protections whilst still confronting enforcement fragmentation and inconsistent implementation.
The cookie banners will become less annoying. That's something. But it's progress on the problem companies deliberately created, not the problems that actually mattered. And it comes at the price of weakening protections that, however imperfectly, occasionally forced powerful companies to face consequences for mishandling people's data.
Seven years to build something imperfect but meaningful. Seven months to tear it down in the name of competitiveness that won't arrive.