Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains. 

The debate on the future of the EU General Data Protection Regulation has reached a pivotal moment. Once hailed as a global standard-setter in digital regulation, the GDPR now faces a shifting economic and geopolitical landscape. The resulting challenge is significant: to remain robust on compliance while also becoming more supportive of innovation and better aligned with the EU's ambitions in artificial intelligence and digital competitiveness.

The task is all the more urgent as the EU finds itself squeezed between the innovation powerhouses of China and the U.S., both of which are rapidly advancing AI and other data-driven technologies, while Europe risks being perceived as the jurisdiction of overregulation and under-innovation.

Against this backdrop, policymakers, regulators and stakeholders are calling for a recalibration of the GDPR. In the recent past, several developments have injected urgency into this debate. The European Commission has placed competitiveness at the top of its agenda and solicited a comprehensive analysis from Mario Draghi, whose report calls for simplification, coherence, predictability and a less precaution-driven approach as preconditions for European growth and innovation. Meanwhile, proposals to "trim" or "tier" GDPR obligations — most visibly a three-tier layered model promoted by Axel Voss and Max Schrems — have entered mainstream debate. Finally, the Commission has tabled a simplification initiative for the GDPR as part of its Omnibus IV Simplification Package that signals a willingness to reduce administrative burdens, including around GDPR record-keeping and exemptions for smaller entities.

In light of these developments, the following outlines why a reform is urgently needed, offers a critical assessment of size-based simplification proposals, and sets out the goals that should guide any revision. It then provides five recommendations — grounded in regulatory experience, market realities and the need for a more risk-based, innovation-friendly approach to data protection in Europe.

Reasons for reform

Europe's regulatory model — and particularly the GDPR — is well regarded worldwide, but this alone does not create AI champions or global tech leaders. As Mario Draghi and others have warned, Europe risks falling further behind unless regulatory barriers to innovation are lowered. Current GDPR provisions often generate legal uncertainty, impose rigid requirements and create high compliance costs, especially for startups. In fields such as AI, where access to large and diverse datasets is crucial, the existing framework risks constraining rather than enabling innovation.

These challenges are amplified by the thickening of the EU's digital rulebook. When the GDPR was drafted, it was designed as a horizontal framework for personal data. Since then, however, the EU has adopted an array of parallel instruments — the AI Act, the Digital Services Act, the Digital Markets Act, the Data Governance Act, the Data Act, NIS2 and more. Many of these introduce overlapping obligations on risk assessments, documentation, transparency and incident notifications. For organizations operating across borders, the effect is duplication — similar risks must be assessed multiple times in slightly different formats — as well as uncertainty over which requirements prevail, which authority takes the lead, and how compliance will ultimately be judged.

At the heart of the GDPR, though, lies an important architectural principle: proportionality (see, e.g., Recital 4 GDPR). Obligations are meant to scale with the actual risks posed by specific processing activities, not with the size or turnover of the controller; the requirement to conduct a data protection impact assessment in Article 35(1) GDPR is one example. This logic is critical. A small start-up working with sensitive health data can pose far greater risks than a large company processing low-risk data.

Proportionality ensures that similar risks are treated alike and that regulatory attention is directed where it matters most — toward the context, sensitivity and potential impact of processing. Yet as the broader regulatory landscape has thickened, the application of this principle has become more fragile. Preserving proportionality and ensuring its clear and consistent application in practice is, thus, essential to both fairness and workability as Europe considers the next phase of GDPR reform.

Taking stock of the reform debate

Recent reform proposals — from the Omnibus IV Package to the Voss/Schrems proposal — are valuable contributions and reflect growing momentum for change, but their size-based approach may fail to capture the real drivers of risk in data processing and may not fully address the current challenges.

The Omnibus IV package proposes to cut red tape by extending existing GDPR exemptions, such as the exemption from the requirement to maintain records of processing activities, from small and medium-sized enterprises to small mid-cap enterprises. This is a modest step forward. However, as it stands, the lack of more ambitious reforms and the exclusive focus on a size-based, minimal reduction of red tape risk missing the opportunity to reconcile strong data protection with fostering innovation in an increasingly competitive digital field.

The idea of lighter obligations for smaller entities and heavier ones for large players has an undeniable intuitive appeal and has constructively jump-started the reform debate. However, its size-based approach may not fully reflect that the risk profile of processing is driven primarily by what is processed (such as special categories or inferable traits), how it is processed (e.g., novel inference or automated decision-making), at what scale, and with which downstream effects.

A better path for reform seems to be to keep the focus where the drafters of the GDPR placed it: the risk and context of the processing operation. Indeed, in light of the compliance costs incurred by companies for the implementation of the GDPR, a general re-opening of the GDPR could be seen as the opening of Pandora's box. Therefore, any call for a reform should be selective in order to be effective.

Goals for reform: A coherent, ambitious, risk-based agenda

As the reform conversations gather momentum, it is essential to clarify the goals that should guide the process. A future-proof GDPR should be anchored in a coherent, ambitious and future-oriented vision: one that safeguards fundamental rights while enabling responsible innovation, reducing fragmentation and enhancing Europe’s global competitiveness. Drawing on stakeholder consultations, the European Commission's assessment, and comparative reforms such as the U.K. Data (Use and Access) Act, several guiding principles emerge:

  • Reaffirm proportionality and support innovation through risk-based accountability. Compliance should scale with the actual risks to individuals' rights, not simply with company size. By making this principle more explicit and predictable, the GDPR can both safeguard fundamental rights and create space for responsible innovation.
  • Cut red tape where it adds little value. Streamlined procedures and model templates can reduce unnecessary burdens on companies — especially SMEs and cross-border digital service providers — without weakening protection.
  • Align the GDPR with the wider digital rulebook. The GDPR should not be reformed in a silo. Coherence with the AI Act, the DSA, the Data Act, the Data Governance Act, NIS2 and other frameworks is essential to eliminate duplication and provide clarity across regimes.
  • Boost Europe's digital competitiveness without eroding safeguards. Simplification should reinforce, not diminish, the GDPR's core achievements in transparency, accountability and user empowerment, while making the framework more innovation friendly.
  • Avoid over-engineering the reform. Fundamental rewrites or institutional overhauls risk fragmenting the framework and undermining legal certainty. Targeted, implementation-oriented adjustments are more likely to deliver real benefits in practice.

Five recommendations for reform

Based on the above goals and principles, the following five recommendations are pragmatic, implementation-oriented suggestions on how to modernize the GDPR for Europe’s digital future.

1. Foster innovation through balancing GDPR restrictions with AI development needs

The first recommendation is to recalibrate the GDPR to support the responsible development and deployment of general-purpose AI and similar data-driven research. To that end, a GDPR reform could take inspiration from the recent reform in the U.K. with the Data (Use and Access) Act and address the following issues.

Clarify the reliance on legal bases for limited use of special-category data

The GDPR already provides for exemptions and opening clauses in Article 9 to allow for the processing of special-category data under narrow circumstances. However, the reliance on these exemptions is currently hindered by a lack of clarity on their scope, which is further exacerbated by diverging interpretations by EU data protection authorities, and a highly diverging practice among EU member states in making use of such opening clauses.

As a result, a targeted GDPR reform could address these uncertainties by providing clear opening clauses at an EU level and by encouraging a more consistent and innovation-friendly implementation of opening clauses among member states. In addition, existing Court of Justice of the European Union case law provides a pragmatic and innovation-friendly framework for assessing GDPR obligations, including Article 9, for providers of search engines by applying those obligations "within the framework of (their) responsibilities, powers and capabilities" (per the Grand Chamber and others, paras. 37 et seqq., and TU v Google LLC, para. 51). A reform could recognize the applicability of this approach to other providers, such as providers of GPAI.

Underline and operationalize the principle of proportionality

The GDPR already recognizes the principle of proportionality, but its application in practice is often unequal and unclear. A targeted reform could make this principle more explicit and clearer to ensure compliance obligations are proportionate to the actual privacy risks involved. For example, a reform could soften accountability requirements and afford controllers more discretion when processing personal data under legitimate interests in genuinely low-risk contexts. Similarly, a clearer and consistent rule on when controllers may limit responses to data-subject requests in cases of disproportionate efforts could be adopted, reducing today's patchwork of national approaches and related legal uncertainty.

Modernize purpose and storage limitation

A targeted reform could draw on the recent U.K. Data (Use and Access) Act to clarify that further processing for research or AI development purposes is presumed compatible with the original purpose of collecting data and permit extended data retention for bona fide research purposes.

2. Foster innovation through institutionalizing sandboxes and revitalizing Codes of Conduct

Today, experimentation with innovative data use cases often stalls because companies face legal uncertainty and supervisory authorities have limited tools to provide structured, risk-managed flexibility and guidance. As a result, a second recommendation for a targeted GDPR reform is to foster innovation by encouraging responsible experimentation under close regulatory supervision. For example, sandboxes could be made a first-class instrument within the GDPR framework, mirroring their treatment in the AI Act (Article 57). This requires clear participation criteria, active supervisory engagement and calibrated derogations that preserve the essence of fundamental rights.

Similarly, the currently dormant Codes of Conduct should be revitalized by streamlining approval procedures, setting out tangible incentives such as simplified reporting for adherents and encouraging the development of sector-specific codes where practice can evolve quickly.

3. Cut red tape by harmonizing risk-assessment tools across the EU’s digital rulebook

Companies currently face duplicative and sometimes inconsistent requirements when complying with accountability requirements such as risk assessments under different EU laws — for example when conducting data protection impact assessments under the GDPR (Article 35) and risk assessments under the AI Act (Article 9(2)). This duplication creates unnecessary compliance costs and uncertainty, especially for smaller organizations. A targeted reform could streamline similar requirements by introducing a modular assessment backbone so that DPIAs and AI risk assessments rely on shared building blocks such as risk taxonomies, impact levels and mitigation categories.

4. Create a single EU incident-reporting entry point

The proliferation of notification requirements for incidents across the GDPR, NIS2, and other sectoral regimes has led to fragmented processes and multiple reporting channels — often for the same underlying incident. This increases administrative burdens and delays timely supervisory responses. A targeted reform could introduce or at least support a streamlined and more consistent incident notification framework by establishing a centralized incident reporting platform and a unified incident reporting template to allow organizations to meet all obligations through a single coherent pathway. In addition, further simplification without adverse impact on fundamental rights could be achieved by harmonizing incident definitions and reporting timelines.

5. Strengthen inter-authority cooperation and case allocation

Overlapping mandates among data protection, platform governance, cybersecurity and AI regulators create the risk of inconsistent interpretations of similar or identical rules and, at times, parallel investigations of the same conduct. This threatens to undermine predictability for organizations and strain scarce supervisory resources. A targeted reform should address these issues by strengthening cooperation between different regulators on an EU and national level to ensure a consistent interpretation of related legal provisions in the GDPR and other EU laws. In doing so, a reform could draw on existing proposals such as the suggestion of the European Data Protection Supervisor on establishing a formalized inter-authority forum such as the Digital Clearinghouse or the U.K. Digital Regulation Cooperation Forum.

Conclusion

There is a temptation to cast the GDPR reform as a zero-sum trade-off between protecting rights and fostering growth. That is a false binary. Europe can sustain high standards of fundamental rights while cutting through procedural complexity, aligning overlapping regimes, and calibrating accountability to actual risk.

At the same time, a reform should not become an institutional overhaul or a doctrinal free-for-all. Reopening the entire GDPR would inject years of uncertainty — undermining both investment and the steady protection of rights. The pragmatic middle ground lies elsewhere: selective, implementation-oriented adjustments that reduce friction where it is greatest, strengthen coordination where it is weakest, and sharpen the proportionality lens already embedded in the GDPR's DNA.

The Omnibus IV Package is an important contribution to the reform process, but the structural framework — rooted in a proportionality and innovation friendly approach — and the core focus areas of a reform — particularly cutting red tape, ensuring alignment across the EU's digital rulebook, and enhanced enforcement cooperation — remain unfinished. Comparative experience, such as the U.K. Data (Use and Access) Act, shows that targeted reforms can modernize data protection without eroding core safeguards.

It's worth remembering that the GDPR is, at its heart, a success story in the protection of fundamental rights. The challenge for the coming decade is to ensure that success continues in a landscape increasingly shaped by AI, dense layers of digital regulation and geopolitical competition. Europe does not need to choose between a "regulatory supertanker" and a "deregulatory vacuum." Instead, it can choose the middle ground: a GDPR that remains principled and predictable, while becoming more proportionate, coherent and innovation ready.

The path forward may be long and challenging, but it is realistic and worth pursuing: sharpening proportionality, aligning the GDPR with adjacent legislation to eliminate duplication, reducing administrative burdens without touching the rights baseline, stabilizing enforcement through cooperation, and creating space for supervised experimentation and practical codes. With such an approach, the GDPR can remain both a guardian of European values and an enabler of European digital ambition.

Yann Padova is IAPP Country Leader, France, and partner and Sebastian Thess is an associate at Wilson Sonsini Goodrich & Rosati.