Europe’s debate on data protection has become increasingly framed as a binary choice. On one side stand those who insist that innovation and competitiveness do not require any relaxation of data protection standards and that Europe’s future growth and prosperity can be secured simply through stronger enforcement of the rules already in place. On the other side are those who contend that elements of the present framework have begun to constrain innovation, investment, and the effective functioning of the internal market, and that thoughtful reform is both feasible and necessary without diminishing the fundamental right to the protection of personal data.
The challenge is that both these positions are increasingly speaking past each other. One treats any attempt at reform as a threat to fundamental rights. The other sometimes speaks as though the data protection framework is an administrative inconvenience standing in the way of progress. The result is a deeply polarised debate that risks producing neither effective rights protection nor a competitive digital economy, as entrenched positions do not always contextualise their arguments within the EU’s overall constitutional objectives.
The primary constitutional goal of the EU is to create and maintain a well-functioning internal market to support a highly competitive social market economy, thereby increasing well-being and living standards. Data protection entered the EU system with the 1995 Directive. The first appearance of data protection in the primary EU treaties came with the 1997 Treaty of Amsterdam and was further enhanced through inclusion in the Charter of Fundamental Rights and Article 16 TFEU, in 2007.
The EU did not create the right to data protection to subordinate every other treaty objective to it; it must be balanced against the other objectives of the EU. GDPR, in Recital 4, makes this explicit – “the right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights”. The right exists because individuals deserve protection against arbitrary, unfair and disproportionate uses of personal data. It is an essential constitutional safeguard in a digital society. But over time, data protection has evolved beyond a framework for protecting individuals into something much larger. In the view of some, the GDPR and surrounding constitutional mentions have elevated data protection to an organising principle for an ever-expanding range of economic, scientific, technological and societal questions.
In practice, GDPR is now frequently treated not simply as a regulatory framework governing personal data, but as a form of constitutional master rule through which almost every issue involving technology, information or innovation must be filtered. Questions concerning artificial intelligence, scientific research, public data use, digital health, fraud prevention, cybersecurity, law enforcement cooperation, online advertising, financial services and even industrial policy increasingly become GDPR debates first and sectoral policy debates second, with other relevant objectives often marginalised.
This has significant consequences for the functioning of the EU. As data protection increasingly dominates policy discussions in areas where other societal objectives are arguably equally important, the benefits of those other objectives are impeded or lost entirely. Economic growth, productivity, scientific advancement, public security, healthcare innovation and the functioning of the Single Market cannot be treated as secondary considerations shaped by data protection concerns first. These are all core public interests that need to be recognised as such. An effective system for data protection is essential for realising the EU’s desired objectives but in a supportive role and not as the only end goal.
The EU now finds itself in a position where regulatory caution has become embedded as a default political instinct. Innovation is frequently approached not as something to be responsibly enabled, but as something to be restrained until every conceivable risk can first be eliminated. In fast-moving sectors such as artificial intelligence, this approach risks placing Europe in a structurally defensive position compared with jurisdictions that are more willing to frame risks within appropriate safeguards that provide guidance for pursuing economic and technological leadership.
This matters because technological advancement is not a peripheral policy objective; it is integral to economic growth and development, which in turn underpins the EU’s social model, public services, healthcare systems, security capabilities and long-term political stability. A less innovative Europe is not simply a less profitable Europe. It is potentially a weaker and less resilient Europe.
Yet in parts of the current debate, innovation and competitiveness are presented as ethically inferior objectives to pursue compared with data protection. The challenge for legislators is not whether privacy or innovation should prevail absolutely. It is how both can coexist in a way that is proportionate, workable and strategically coherent. This is what Article 16 TFEU and the GDPR both seek to uphold. But in the current debates, this requires recognising some potentially uncomfortable realities: not every element of the current GDPR framework reflects the essence of the fundamental right to data protection itself, and equally, not all data protection rules must be scuppered to ensure innovation thrives.
Over the years, GDPR has accumulated layers of interpretation, guidance, and compliance expectations that go well beyond the core constitutional requirements set out in Article 8 of the Charter of Fundamental Rights. Many operational rules within GDPR represent legislative choices rather than immutable constitutional necessities. Concepts such as accountability, transparency, data minimisation, compatibility assessments, and restrictive interpretations of lawful bases are often treated as untouchable constitutional principles rather than as policy mechanisms that can be recalibrated.
This matter has been exacerbated by the uncertainty created by the data protection framework itself. With varying levels of involvement of institutions in interpretation, guidance, and compliance, almost every aspect of the GDPR has been framed as inseparable from the fundamental right itself. In turn, meaningful democratic debate about reform becomes almost impossible. Any attempt to simplify rules, reduce administrative burdens or facilitate responsible data use is being portrayed as an attack on fundamental rights. The debate becomes moralised rather than practical. This dynamic has contributed to a climate in which policymakers increasingly struggle to discuss reform openly. Even modest proposals aimed at reducing legal uncertainty or facilitating innovation are often met with claims that this risks dismantling data protections altogether. The result is paralysis in the debate about how best to build the future.
Meanwhile, businesses operating across the European Union continue to face profound uncertainty regarding how some GDPR provisions should be interpreted and applied, and the intensity of their application. Diverging regulatory approaches between supervisory authorities, evolving guidance documents, and highly particular interpretations have created an environment in which compliance is often less about clear legal rules and more about predicting future regulatory expectations. This is particularly problematic for smaller businesses and start-ups that lack the resources to navigate constantly shifting interpretations. Large multinational companies may absorb regulatory complexity through vast legal and compliance teams. Smaller innovators often cannot. The irony is that this complexity can ultimately undermine respect for the law itself. A legal framework that becomes excessively unpredictable risks losing legitimacy among those expected to comply with it.
The uncertainty and unpredictability of the EU’s data protection framework appear to be increasing during the current Digital Omnibus process that is seeking to simplify. Not only are the EU’s elaborate and at times arduous legislative processes creating ambiguity and indecision, but the European Data Protection Board’s increasingly influential role is also raising further questions about the overall efficacy of the framework. The EDPB was created by secondary legislation to promote consistency in the application of the GDPR across the EU through coordination. That is an important and legitimate function, as consistency is necessary for all stakeholders.
Over time, however, the EDPB’s influence has expanded far beyond coordination alone. Through guidelines, opinions, recommendations and public interventions, the EDPB increasingly shapes the interpretation and application of existing law. The influence of the Board has taken on enormous practical and political weight despite the fact that it is an independent regulatory body operating outside the democratic legislative process and does not itself bear political responsibility for broader societal outcomes such as economic growth, industrial competitiveness or scientific advancement.
More recently, there is a perception that the EDPB is not merely ensuring coordination and consistency in the application of GDPR, but increasingly the institution appears to be trying to shape the boundaries of permissible legislative reform. For example, the Digital Omnibus was published in November 2025 and contains proposals for defining the application of GDPR to scientific research. The EDPB, with the EDPS, have issued their views on the proposed legislative package, including the matter of scientific research. However, the EDPB also issued its Guidance on the processing of personal data for scientific research in April 2026. The issuing of guidelines while the legislative process is occurring raises serious questions about institutional balance.
The European Commission, the Council and the European Parliament are the political institutions of the EU designed to balance competing societal interests in the creation of EU law. They are empowered by the Treaties and are accountable for their decisions through varying mechanisms. In their roles related to law-making and reform, they are required to assess the various objectives and priorities in the Treaties and ensure decisions support the overall EU project. The EDPB is, by contrast, structurally designed to prioritise data protection. That is their mandate. Issuing guidelines while the legislative process is ongoing suggests that the EDPB is attempting to shape the boundaries of permissible legislative reform.
Actions of this nature by an independent supervisory body risk distorting the broader political balancing exercise inherent in democratic law-making. While the EDPB can claim to have accounted for the EU’s broader objectives, such an assessment would fall outside its competence. A functioning constitutional system depends on independent regulators operating within clear institutional boundaries, while the institutions that hold a democratic mandate retain ultimate authority over broader societal objectives and the trade-offs required to realise them. If regulatory bodies strive to shape policy outcomes beyond their core mandate, the democratic process itself can become constrained.
None of this means that data protection or fundamental rights should be sacrificed in pursuit of economic growth or innovation. The EU is the third-largest market in the world, making it attractive for business. At the same time, the EU places fundamental rights as a defining strength of the Single Market, and businesses need to respect this. Citizens should not be forced to choose between technological progress and basic rights protections. But neither should citizens accept a future in which data protection considerations consistently override all other strategic objectives, regardless of context, proportionality, or economic consequences.
A mature digital society should be capable of acknowledging that data protection matters deeply while also recognising that innovation, scientific progress, competitiveness and prosperity are themselves essential public goods. These objectives are not inherently incompatible. The challenge is to construct governance frameworks that balance them intelligently rather than treating them as mutually exclusive.
This requires the institutions involved in governance to respect their roles and not attempt to confine the constitutional obligations of others. This means respecting the democratic space for legislators to recalibrate rules where necessary and ensure that regulatory institutions support rather than seek to direct the political process. Most importantly, it means rejecting the idea that the EU must choose between protecting rights and building prosperity. If the current polarisation continues unchecked, Europe risks achieving neither.
05 June 2026
Rond Point Schuman 6 | Box 5
1040 Brussels | Belgium
info@privacynext.eu
Copyrights © 2026 PrivacyNext.eu | Privacy Policy | Cookie Policy Webdesign & Development by ALYS
