Making the General Data Protection Regulation more effective – a BusinessEurope position paper

Key messages

• Make the GDPR truly risk‑based: The GDPR should truly prioritise real risks over routine low-risk processing, using a proportionate approach that supports innovation, compliance, and respect for fundamental rights and freedoms.
• Enable access to data for Artificial Intelligence (AI) and European innovation: Clarify that pseudonymised and lowrisk data may be used for R&D and AI development, and reduce the barriers created by today’s broad definition of personal data and rigid purpose limitation.
• Cut unnecessary administrative burdens: Excessive documentation and reporting obligations consume vast resources, and are unduly and disproportionately costly, without improving privacy outcomes.
• Make data subject rights compliance workable: Rights remain essential and must be effectively protected. At the same time, their exercise should not be abusive or result in a disproportionate workload. Obligations should be clarified, simplified, and aligned with risk.
• Simplify international data transfers: The EU should take more responsibility at systemic level through additional adequacy decisions and clearer guidance, thus reducing the heavy burden now placed on individual companies.