EU data rules hobble growth
Europe’s roughly €500 billion data economy is being held back by uneven GDPR enforcement across member states, which raises compliance costs and uncertainty for firms. Euronews reports that the Digital Omnibus—meant to harmonize rules—has stalled in effect, and the EU risks retreating from even modest reforms that would make cross‑border digital activity simpler. (euronews.com)
Europe likes to talk about AI now. But the quieter machine underneath it is the data economy: the business of collecting, processing, sharing, and using data across industries. The European Commission’s own tracking work says the EU data market passed €115 billion in 2025 and could reach €148 billion by 2030. A broader measure, the “data economy,” was projected to hit roughly €500 billion by 2025. That is not a niche sector. It is a large slice of the bloc’s growth story. And it is being slowed by rules that were supposed to make the single market work better.
The problem is not that Europe lacks a privacy law. It has one of the world’s most powerful privacy laws in the GDPR. The problem is that the same law does not land the same way in every member state. A company that operates across borders can still face different readings from different national data protection authorities, especially on what counts as personal data and how far data can be reused. The GDPR was built with a “one-stop shop” system to handle cross-border cases through a lead regulator. In practice, that system has often moved slowly, and national procedural differences have made the promise of uniform enforcement look thinner than advertised.
That mismatch matters most for the companies least able to absorb it. Big firms can hire lawyers in every major market and fight with regulators for years. Smaller firms cannot. They end up building products around the strictest interpretation they can find, or avoiding certain data uses entirely, or staying domestic when they might otherwise expand. Europe then gets the worst of both worlds: a giant market on paper, and a patchwork in practice.
Brussels knows this. Mario Draghi’s 2024 competitiveness report fed directly into the Commission’s 2025 “competitiveness compass,” which was supposed to push the bloc toward simpler, more coherent rules.
In November 2025, the Commission unveiled a Digital Omnibus package aimed at doing exactly that across AI, cybersecurity, and data law. The sales pitch was simple: cut administrative drag, save businesses money, and make it easier to scale without gutting core protections.
On paper, the package did contain some modest fixes. The Commission said targeted GDPR amendments would harmonize and clarify parts of the regime without lowering standards. It paired that with broader simplification plans, like a single entry point for some cyber incident reporting and practical changes to data rules. The point was not to rewrite European digital law from scratch. It was to sand down the rough edges that make cross-border business harder than it should be.
Then the politics arrived. In February 2026, the European Data Protection Board and the European Data Protection Supervisor backed the goal of simplification but warned against some of the GDPR changes, especially any move that would narrow the definition of personal data. They also objected to giving the Commission too much power to decide what falls outside data protection law after pseudonymisation. That is the core of the current stall. Everyone says they want legal certainty. The moment a proposal touches the actual boundary of privacy law, the coalition breaks.
There has been one real move toward cleaner enforcement. Regulation (EU) 2025/2518 took effect on January 1, 2026, adding procedural rules for cross-border GDPR cases. It sets deadlines, harmonizes complaint requirements, and tries to stop investigations from dragging on for years. Even that is a fix for process, not substance. It may make disputes move faster. It does not answer the deeper question of how the same data rules should be interpreted across 27 countries.
So Europe is left arguing over whether modest simplification is dangerous, while the companies caught in the middle still have to decide which regulator they might anger first.