Simplifying Data Protection to Save It
Why the GDPR (and its Proponents) Needs to Grow Up
European data protection has reached a strange moment. The GDPR remains one of the most influential regulatory instruments in the world; yet, its daily application often feels strained. Citizens click through endless cookie banners. Regulators try to enforce rules against complex data ecosystems using concepts drafted before those ecosystems existed. Universities teach students that “personal data” encompasses a wide range of information, including smartphone telemetry, high-dimensional embeddings, and *checks notes” weather and code. No one benefits from this confusion. It wastes time, energy, and political capital. It also risks undermining public trust in the very right the GDPR seeks to protect.
This is the context in which the European Commission’s leaked proposals to reform the GDPR land. The reactions split into two predictable camps. Some critics view this as a capitulation to corporate interests, a “watering down” of data protection that facilitates the advancement of AI and platform capitalism. Others react with a reflexive defence of the status quo: any change appears as a threat to fundamental rights. Both positions flatten a complex problem. Both risk speaking past the core issue: clarity enables protection. Vagueness does not.
The GDPR is not a sacred text. It is the law. Laws require interpretation, operationalisation, and, crucially, application. If a legal definition becomes so broad that it captures almost everything, the definition stops doing work. When we treat all data as personal data, we dilute the meaning of personal data. When regulators and courts must treat training embeddings, synthetically generated representations, hashed identifiers, or intermediate model weights as “personal data” simply because some hypothetical actor could, in theory, re-identify them, we lose the ability to focus on the harms that actually matter: surveillance, manipulation, discriminatory inference, exclusion, profiling, and coercive design.
The proposal to make the definition of “personal data” entity-relative (identifiability requires assessment from the perspective of the specific controller and the means reasonably available to that controller) seeks to restore a sense of proportion. This is not a reduction of protection. It is a restoration of intelligibility. Current CJEU jurisprudence requires an assessment of identifiability using means likely to be used by controllers or other persons, which has resulted in some overreach. If any imaginable actor anywhere in the ecosystem can re-identify data, then everything becomes personal data. The proposed wording clarifies that responsibility follows capability. A controller can only be responsible for identification acts within their reach.
Critics argue that this invites opportunistic blindness. A controller might “pretend” that they lack means that they in fact possess via partners or subsidiaries. This risk deserves scrutiny. Yet the solution is not to maintain an unworkably expansive definition. The solution is to embed duties of reasonable inquiry, capability assessment, and accountability for wilful ignorance. Simplification need not mean naivety. It can mean sharper enforcement tools targeted at controllers who strategically fragment their processing capabilities to avoid legal obligations.
The same logic applies to special category data. The leaked text proposes that protected categories be limited to data that directly reveals the protected trait. Organisations processing proxy indicators (such as purchase patterns, location histories, and social graph data) may argue that indirect inference no longer counts. Critics warn that this would collapse protection for inference-based discrimination. The principle behind the concern is legitimate. The inference layer drives some of the most harmful uses of data today. Yet, the proposed change, if read carefully, does not necessitate deregulation. It demands that the law distinguish between data that inherently describe a protected trait and analyses or profiling that infer such traits from unrelated signals.
Those are distinct phenomena requiring distinct regulatory responses. The first is about information as such. The second is about what organisations do with the information. The second falls squarely under purpose limitation, fairness obligations, and the anti-manipulation principles that follow from Article 8 of the Charter. Regulation of inference does not require treating every underlying data point as a “special category”. It requires regulating the act of inference itself. Simplification enables that distinction. We stop fighting the data and start regulating the logic.
The leaked proposals on AI training show a similar structural move. They introduce tolerances for residual special category data in training corpora under strict conditions of avoidance, removal where feasible, and robust containment where removal requires disproportionate effort. This acknowledges that large-scale model training does not always allow perfect ex ante filtering of data. The proposal does not sanction free-for-all ingestion of sensitive data. It requires organisational and technical safeguards that prevent models from producing outputs that expose, reconstruct, or weaponise those attributes. It shifts the focus to outcome-level harm: what does the system reveal, infer, extract, or act upon?
This is where the argument often becomes emotional. Some react as if any tolerance for residual special category data represents a betrayal of the GDPR’s values. Yet law cannot operate on magical thinking. The alternative to proportionate tolerance is either
Total bans that collapse innovation in Europe, or
Regulatory fictions in which everyone knows the rules cannot be followed, so enforcement becomes arbitrary.
Neither outcome protects rights. A world in which only U.S. or Chinese firms can train models at scale is a world in which European citizens lose both the benefits of innovation and regulatory leverage.
Simplification also plays a role in resolving the “cookie banner hell” that every European user encounters on a daily basis. The leaked proposal to unify cookie/ePrivacy consent into browser-level machine-readable preference signals offers a clean regulatory logic. If a user sets a global preference (i.e., not being tracked for advertising across services), that preference should follow them. A banner becomes unnecessary. Consent becomes meaningful because it is expressed once and respected everywhere. Enforcement becomes automatic because refusal becomes a protocol-level action.
For the privacy community, this is the moment to recall why the GDPR exists. It exists to secure the conditions under which people can exercise their autonomy, dignity, and democratic agency within digital environments. It does not exist to punish businesses. It does not exist to impose ritualised compliance. It does not exist to generate paperwork. The Charter recognises the fundamental right to conduct a business. Regulation must enable a functioning market for privacy-preserving design, not smother it.
Clarity empowers regulators. If the scope of personal data becomes proportionate and intelligible, enforcement can focus on practices that actually harm people. Dark patterns that coerce consent. Manipulative recommendation architectures. Profiling schemes that assign risk or worth based on opaque behavioural scoring. AI systems that infer vulnerabilities to exploit them. These are not hypothetical harms. These are live issues in advertising, gaming, political micro-targeting, recruitment, insurance, and platform governance. Narrowing definitions helps target them. It does not weaken the framework. It strengthens it.
The same applies to business. Compliance becomes clearer. Organisations can structure their data governance with confidence. Innovation ecosystems thrive when rules are predictable and consistent. If European firms must litigate basic definitional questions every time they attempt to build, deploy, or audit a model, they will build elsewhere. If the GDPR evolves to match contemporary architectures and workflows, innovation can occur within European jurisdiction, under European oversight, and subject to European accountability norms.
We often forget that complexity itself can function as a deregulatory force. When a rule becomes so complex that no ordinary actor can follow it, enforcement becomes discretionary. Power accrues to the sophisticated, the well-resourced, and the well-advised. Small organisations drown. Public institutions fall behind. Citizens give up on the idea that law can protect them. Simplification is not surrender. Simplification is a redistribution of power, away from those who navigate complexity best, and towards those who need explicit guarantees.
The GDPR succeeded globally because it articulated a principled vision of data governance anchored in autonomy, fairness, and accountability. For that vision to endure, the framework must adapt to the realities of the systems now shaping lived experience. Models do not “process personal data” in the same sense that a CRM system does. The architecture of inference has changed. The logic of digital surveillance has shifted from data collection to behavioural prediction. If the law attempts to cling to outdated conceptual categories, it will fail to regulate the things that truly matter.
This is not a call for deregulation. It is a call for maturity. European data protection needs to improve at distinguishing between data, use, and impact. We must regulate harms, not metaphors. We must preserve rights, not rituals. We must ensure that the law remains legible, enforceable, and aligned with democratic values in a technological landscape characterised by machine learning inference, platform ecosystems, and ambient computation.
Simplification is not the enemy of data protection. It may be the only way to save it.
You and I are arguing on the same wavelength. I wrote a very similar (but slightly broader) version of this here: https://insights.priva.cat/p/privacy-nihilism-is-pervasive-and
The laws (especially the overly abstract interpretations by some regulators and especially the EDPB) have done little to protect personal data because they are overly complicated, lack clarity of implementation, and inconsistently applied.
While I share sympathies with some advocates (particularly about that last bit), I think it is woefully naive to assume that the existing law if only it was applied more rigorously would get us there, because as you mention, the only people who can succeed at ‘compliance’ with the law are those who have buckets of money, resources, time, and lawyers available to argue over nuance.
But SMEs need clarity and rationality; they shouldn’t need an arsenal of lawyers to do TIAs. Engineers and technologists need details on the how — not just the why. And there needs to be far more grace and acceptance of newer PETs and technological measures, rather than just assuming everyone can make everything anonymous.
Thank you for writing this, and I look forward to reading the more permanent version of the omnibus proposal — I long ago decided that reading a 152-page draft isn’t worth my time when it will absolutely change.