A serious target for improving EU regulation: GDPR enforcement
In recent months, we’ve been hearing about the European Commission’s call for simplification of regulations—an agenda championed by President Ursula von der Leyen. She rightly noted that businesses are overwhelmed by regulations that are “too complex and costly to comply with.” She echoed the seminal Draghi report, which underscored that a lighter and clearer regulatory hand can spur innovation and growth that Europe desperately needs.
Yet there’s one regulatory domain where complexity and unpredictability are on full display: data protection. Under the current GDPR enforcement regime, data protection authorities (DPAs) hold enormous power to impose huge fines, but they exercise it through an essentially privacy-maximalist lens. This has left businesses unsure of where the lines really are, has sown confusion across EU borders, and worst of all, has arguably placed an absolutist interpretation of one fundamental right—privacy—above everything else. What we need instead is balanced protection of all Europeans’ vital interests, including innovation, economic security, freedom of expression, and more.
This is why I was surprised to see that the European Commission has not yet withdrawn its proposal for the GDPR Procedural Regulation. The proposal does little to reduce the complexity of GDPR enforcement and nothing to address its most pressing problem, the lack of balance. The best course of action would be to go back to the drawing board quickly and think seriously about fixing GDPR enforcement, so that it genuinely contributes to the protection of the fundamental rights and vital interests of Europeans, including our economic interests. Here, I propose one path for potential reform, hoping to spur a debate.
Why the Current Regime Needs an Overhaul
The key substantive provisions of the GDPR aren’t the problem. The GDPR was intended to protect personal data while acknowledging the need to balance privacy with other fundamental rights and societal goals. But in practice, the enforcement structure has produced a disproportionate, absolutist interpretation of privacy. We see it in how the European Data Protection Board (EDPB) issues opinions that preserve enormous enforcement “flexibility” for DPAs without offering genuinely reliable guidance for compliance. The result is a chilling effect on innovation and a sense that privacy concerns trump everything else, which is neither reflective of European values nor truly mandated by EU law.
The much-hyped EDPB Opinion on AI models exemplifies this phenomenon. It’s a laundry list of action items without any firm commitment that following them will keep you on the safe side of enforcement. In effect, it grants regulators near-limitless discretion while offering minimal practical guidance to those trying to innovate responsibly. That fundamental disconnect from everyday economic realities means a startup or business simply can’t count on any consistent interpretation of what “compliance” looks like once it’s actually tested in a DPA enforcement proceeding.
Some privacy regulators will say they aren’t trying to ban AI or hamper innovation; they merely “keep options open” so that they are never constrained from imposing what they see as the most privacy-preserving interpretation. But in practice, uncertainty can be as chilling as an outright prohibition—especially when regulators have the power to levy fines that could cripple many businesses. Many potential entrepreneurs won’t chance building an ambitious AI tool here if they suspect a DPA might retroactively decide their GDPR efforts weren’t good enough.
What drives this outcome? It’s the political economy of GDPR enforcement. Post-GDPR, privacy authorities gained sweeping powers but haven’t faced a proportionate obligation to weigh the broader societal and economic impacts of their choices. In reality, they’re incentivized to adopt a mindset that maximizing privacy is the sole end, with any consideration of non-privacy interests treated as a burden for businesses (and occasionally other regulators) to defend.
This outcome stands in direct conflict with the EU’s broader ambitions. With the Draghi report and the stated goals of the new EU Commission, the status quo of GDPR enforcement feels increasingly out of sync with where Europe wants to be. Giving more powers to the EDPB as proposed in the draft GDPR Procedural Regulation does not address the real issue.
My vision for a new tribunal to make GDPR enforcement decisions
The problem with GDPR enforcement is structural, and so my suggested solution is also structural. What if we could end the practice of leaving DPAs as both prosecutor and judge, and instead entrust the most consequential and cross-border decisions to an independent EU tribunal? Here is how this could work:
DPAs keep investigative powers. DPAs would remain responsible for uncovering facts and building cases. It may be worth considering whether for cross-border cases there should be a new DPA on the EU level, but I leave this issue for another day.
An independent, multi-disciplinary tribunal decides. When a cross-border case or similarly significant enforcement action is on the table, the DPA must present its findings to a specialized tribunal. This body would issue binding decisions (including fines). Crucially, it would not be stacked with privacy lawyers. Instead, a diverse panel—including economists, business experts, generalist judges—would weigh privacy alongside other fundamental rights and Europe’s need for innovation and growth.
Formal balancing of all interests. The tribunal’s legal framework would require it to articulate how each decision balances data protection against other fundamental rights and economic realities. Instead of mere lip service, there would be a written record ensuring that privacy isn’t automatically placed above, say, the freedom to do research with AI or the freedom to conduct a business.
“Advocates general” for non-data protection interests. Drawing inspiration from the EU Court of Justice, we could empower judicial officers—“advocates general”—who act specifically to highlight and defend non-data-protection interests. Their role would be to ensure that the tribunal never loses sight of broader vital considerations like free expression or economic development.
Transparency and harmonization. All parties—DPAs, investigated parties, and possibly third-party interveners—could submit arguments (or amicus curiae briefs). Because this tribunal speaks with a single EU-level voice, we’d see much less fragmentation and more consistent decision-making. Over time, the decisions would build a coherent framework, streamlining compliance efforts across the Union—a direct answer to the calls for simplification and legal certainty.
Review of EDPB opinions and guidelines. Another possible refinement would be to require that the tribunal review any EDPB guidelines or opinions before they become final. This way, if the EDPB produces an imbalanced document like its infamous “cookie law” opinion, the tribunal could refuse to approve it. Documents already produced by the EDPB, many of which are in need of radical overhaul, could be subject to a review procedure before the tribunal as well. Certain bodies could be given a right to request such a review (e.g., a majority of the EDPB, a group of Members of the European Parliament, a Member State, the Commission, a tribunal panel, or one of the tribunal’s “advocates general”).
Conclusion
Such a reform would complement the Commission’s “simplification” drive. It would reduce regulatory burden by offering better and likely more predictable outcomes, ending the constant second-guessing about whether a new technology might suddenly get crushed by a surprising DPA crackdown that doesn’t take economic and technological reality into account. And it upholds the plurality of rights enshrined in EU law, preventing privacy from overshadowing everything else.
This proposal is not about changing substantive GDPR rules, but about refining enforcement so that it delivers on all European values—privacy, yes, but also innovation, free expression, and economic security. Instead of leaving DPAs to shape the entire digital future of Europe on their own, it would aim to establish a more measured and balanced process.
Reforming GDPR enforcement is not trivial. There is a significant risk of ideological capture of any new mechanism, as happened with the existing framework. However, it is a worthwhile task, and now may be the right time to undertake it. The currently proposed GDPR Procedural Regulation does not address the key problems. Thus I think it would be best for the Commission to withdraw the proposal and replace it with one based on a realistic assessment of the failings of the current enforcement framework. With this text, I hope to provoke some debate about serious reform of GDPR enforcement, a debate that we need but currently lack.