This weekend, I read a few articles and opinion pieces about the potential softening of the GDPR, amid threats from the U.S. government targeting what they see as excessive regulations in other countries, including those related to privacy.

Saturday morning, there I was, coffee cup in hand, watching Donald Trump rant on youtube. As usual, the U.S. president was once again attacking the European Union and its privacy laws, especially the GDPR (General Data Protection Regulation). In typical Trump fashion, he portrayed the European regulation as the villain: an unfair barrier that stifles American businesses. In that moment, I felt a mix of concern and déjà vu. Is privacy once again becoming a target in the international political arena?

Here we go again...

I'm not a Trump critic. In fact, I've read one of his books, "The Art of the Deal," and it seems to me that's exactly what he's doing.

It wasn’t the first time Trump or his allies had openly criticized the GDPR. One of his top advisors even compared European fines and requirements to “fees” targeting U.S. companies, as if personal data protection were just a pretext to harm Silicon Valley giants. In fact, the Trump administration went so far as to classify European digital regulations as disguised trade barriers, he called them “non-tariff barriers” that should be fought just like import taxes.

“I’m very suspicious of laws written to go after our companies abroad,” once declared Andrew Ferguson, appointed by Trump to lead the antitrust agency FTC, hinting that Brussels was being too harsh on Google, Apple, Meta, and others. This confrontational rhetoric made one thing clear: in the Trump worldview, regulations like the GDPR are obstacles to free trade and to America’s leadership in technology.

Trump’s return to power in 2025 only escalated this clash. In the first few days of his new term, fulfilling his promise of “total deregulation,” he repealed several policies from the previous administration , including a fragile AI governance framework created by Joe Biden. He also signaled that he would review data transfer agreements between Europe and the U.S. For privacy activists like Max Schrems, the message was clear: if Washington fails to uphold the agreed protections, thousands of European companies could be blocked from using American cloud services without violating the law.

And to think that here in Brazil we’re only now starting to regulate international data transfers…

Imagine the chaos if an EU-based multinational had to shut down Google Cloud or Microsoft Azure overnight just to avoid violating the GDPR.

Meanwhile, on the other side of the Atlantic, something curious was happening. The same European Union that Trump accuses of building regulatory “walls” started questioning whether those walls might actually be too high. In Brussels, debates began to surface about softening the GDPR to boost the competitiveness of European companies in the AI race.

As a privacy professional, I wasn’t thrilled by the news suggesting that the European Commission might loosen parts of the very privacy law it created in 2018. Why? The answer lies in economic pragmatism: there’s growing fear that Europe could fall behind in an era driven by big data and AI algorithms if it doesn’t ease some legal constraints. Caught between China’s state control and Silicon Valley’s freedom, Europe doesn’t want to become irrelevant, but will it?

PS: Mistral is a French model, and it’s done a great job so far.

European Commission President Ursula von der Leyen has been advocating for measures to make the business environment more dynamic, and that includes rethinking digital rules. In early 2025, her team indicated it would present proposals to simplify the GDPR, focusing especially on small and medium-sized businesses. The idea is to reduce burdens such as extensive recordkeeping and impact assessments, which currently drain resources from those least equipped to handle them, startups and small businesses. It would be a sort of “GDPR light” for smaller players, without abandoning the core principles of the law. This move aligns with von der Leyen’s broader agenda to boost European competitiveness: Brussels has already eased requirements in other areas, and now the GDPR is next in line for adjustments.

If it stays in that direction, it’s not a bad move. Here in Brazil, for example, the ANPD (National Data Protection Authority) has already established reduced requirements for micro and small businesses and startups based on the level of risk to data subjects.

Critics within the EU have been warning that, despite being exemplary, the GDPR has become so complex in practice that it’s choking innovation. In other words, it may be having the unintended side effect of weakening the very European companies it was meant to protect. I remember reading a strong statement from Axel Voss, a key figure in the digital agenda in Brussels, saying that the current regulation has become a barrier to Europe’s technological potential.

According to Voss, either we revise the GDPR to reconcile innovation and privacy, or we risk stagnation and growing dependence on foreign technologies. In his view, modernizing the law is a matter of competitive survival.

But any mention of “relaxing” data protection triggers anxiety.

After all, the EU takes pride in leading the world in privacy, and I personally take pride in being the founder of Privacy Tools, one of the world’s leading privacy governance platforms. Any move in the opposite direction makes me want to both defend and understand the motivations behind it.

Since the GDPR came into force in 2018, European citizens have gained clear rights over their personal data, and companies worldwide have had to adapt. Since then, nearly 200 countries have passed federal privacy laws (except the U.S.…). That’s why many fear that tinkering with the law could open up unwanted loopholes on a global scale.

Consumer advocacy organizations warn that reopening the GDPR could dilute key safeguards that took years of effort to build. There will certainly be intense lobbying: on one side, tech giants pushing for softer rules; on the other, activists demanding that the “heart” of the regulation remains untouched. A delicate balance will need to be found.

On one hand, there’s no denying that fully complying with all GDPR obligations can be challenging, especially for smaller players. I’ve heard stories of startups spending a fortune on legal consultants just to navigate consent requirements, data storage, and sharing rules. It’s like there’s an invisible tax on innovation in Europe, a kind of bureaucratic quicksand entrepreneurs have to wade through before reaching the market.

It’s no surprise, then, that voices within the continent are calling for common sense. “Privacy is necessary, but we don’t need to regulate stupidly,” said Denmark’s digital minister bluntly while advocating for a course correction. That strong statement reflects the feeling that it’s possible to protect data subjects without drowning businesses in paperwork. Simplifying certain requirements,without eliminating rights, could indeed give Europe the breathing room to create its own AI champions instead of constantly playing catch-up with foreign platforms.

On the other hand, we can’t forget why the GDPR exists. It was created to fix a power imbalance between individuals and corporations in the digital age. Before it, personal data was freely extracted and exploited, often without people even knowing or having any control. The GDPR changed that: it forced companies to get explicit consent (among other legal bases…), to explain how they use our data, and to respect basic rights like deleting or transferring it. It brought more transparency and security for us, the everyday users, and established a new level of trust in the European digital market. In short, privacy became part of Europe’s brand.

Dismantling regulation to the point of undoing it would be self-defeating, it would sacrifice citizen protections without any guarantee of real gains in innovation.

Conclusion

Personally, I believe we won’t go to that extreme. Rather than an all-or-nothing war, Trump “winning” and tearing down the GDPR, or Europe digging in and refusing any changes, I see the potential for a middle ground in this game.

Current pressures might actually help push for updates and improvements in privacy policies, not their abandonment. We could see a GDPR 2.0: lighter on red tape, clearer for businesses of all sizes, but with its core intact, still ensuring that individuals remain protected when their data is used. European leaders themselves have made it clear that the law’s fundamental principles (transparency, consent, accountability) will remain untouched. Even Max Schrems acknowledges that the “hard core” of the GDPR cannot be removed, and that any extreme attempts to do so would be blocked by European courts. That reassures me: there are safeguards in place to ensure that the pursuit of competitiveness doesn’t completely derail privacy protection.

In the end, I believe this whole debate is healthy. It forces us to rethink and find a new balance between innovation and individual rights. Technology evolves fast, and laws need to keep up, without losing sight of our values. Privacy won’t be thrown out in the name of artificial intelligence, nor will innovation be crushed by fear of privacy.

References

JONES, Mared Gwyn; NILSSON-JULIEN, Estelle. Fact check: Are Donald Trump’s tariffs on the EU really reciprocal? Euronews, 03 abr. 2025.

KIM SING, Evie. EU eases GDPR burdens on businesses. Identity Week, 03 abr. 2025.

KROET, Cynthia. Trump rollback jeopardises EU-US data transfers, key privacy activist says. Euronews, 23 jan. 2025.

MICHELETTI, Francesca. Trump’s antitrust agency chief blasts EU digital rules as “taxes on American firms”. Politico, 02 abr. 2025.

VOSS, Axel. We should revise the GDPR to unlock Europe’s digital future. CEPS, 03 abr. 2025.