Â鶹ÒùÔº

," "," "." While EU communiqués often find creative ways to avoid uttering the word "deregulation," this new European Commission is all about boosting the bloc's competitiveness by "." The intention to stimulate the continent's economy might be laudable, but there is a real risk of throwing the baby out with the bathwater.

The , presented in September 2024, laid the foundation for a shake-up of one of the EU's crown jewels in digital regulation—the General Data Protection Regulation (GDPR). According to the report, certain regulations present "overlaps and inconsistencies," leading to fragmentation.

Draghi pinpointed GDPR as a particular source of headaches, thanks largely to its complexity, burdensome national implementation, inconsistent local enforcement, and disproportionately high compliance costs for small and medium enterprises compared to larger corporations. Now the whispers are over: for the chop, much like before it.

Yet the world has changed dramatically in recent months, meaning many of Draghi's proposals are tailor-made for a context that no longer exists. Additionally, the US' disastrous DOGE experiment offers a of deregulation leading to chaos rather than efficiency. Legal institutions, after all, are complex systems designed for the critical purpose of protecting people's rights.

Regulation is not the problem

Robust rules are essential to guaranteeing clarity and transparency. Especially in the digital sector, setting clear guardrails is vital to containing both the excesses of tech oligarchs and the . Far from slashing red tape, the EU would be wise to take this opportunity to refocus its energies on delivering and enforcing better regulations.

EU regulations are often cast as stifling the continent's innovation, but EU trade law professor Anu Bradford argues that this narrative is, at best, oversimplified. Europe's sluggish dynamism can instead be , including a fragmented digital single market, underdeveloped capital markets, and harsh bankruptcy laws that punish failure rather than encourage experimentation.

Looking beyond the fiscal level, European cultural attitudes tend to be more risk-averse, and the bloc lacks the proactive immigration policies needed to attract international tech talent.

that if fragmentation truly impedes innovation, trimming regulation without serious harmonization of domestic frameworks will achieve little.

Where the GDPR falls short: AI at work

While regulation like the GDPR is often unfairly scapegoated for the continent's woes, it is not exempt from criticism.

Consider the algorithmic management (AM) and AI systems that have steadily infiltrated workplaces in recent years. reveal that in France, Germany, Italy, and Spain, around 79% of managers across diverse sectors report that their firms already use AM software to hire, organize and monitor their workforces.

Algorithms and AI are not just assisting managers either—in some cases they are replacing them altogether. This ushers in new risks, and such as unfairness, opacity, incontestability, dysfunctionality and distrust.

The boom in decision-making digital tools perfectly illustrates the GDPR's ambivalent role. On paper, it remains a gold-standard shield for personal data, including the data used to fuel . Yet in practice, the GDPR struggles to fully address the challenges posed by machines making decisions, either independently or on behalf of human managers.

In one commissioned by the EU Directorate-General for Employment, Social Affairs and Inclusion, data protection frameworks were put under the microscope to see whether they can tame AM systems. The verdict was mixed, leaning towards pessimistic. While it is undeniable that the GDPR can be mobilized to limit data processing and avoid repurposing, most of its headline provisions have wide gaps when it comes to the workplace.

The study flags the indeterminacy, ambiguity, and open-textured nature of the rules on automated decision-making, among other things. For instance, semi-automated decisions—hybrid systems with human intervention at the last stage of the executive chain—often slip beneath the radar, reducing the chances for workers to be informed about their existence and reasoning, or to have a real shot at contesting and changing their outcomes.

In a similar vein, uncertainty about the interpretation of grounds for lawful processing and the application of the proportionality principle is leading to a patchwork of discordant decisions made by Data Protection Authorities. As the case law on data controllers' "" shows, compliance risks becoming a postcode lottery.

Fine-tuning the GDPR

None of this should come as a surprise, as the GDPR was designed to be general, not workplace-specific. Nevertheless, its exceptions and loopholes disadvantage workers, and create uncertainties that affect companies.

In a , institutions were contemplating the introduction of a work-specific instrument to govern algorithms, a proposition that was also included in the , Executive Vice-President for Social Rights and Skills, Quality Jobs and Preparedness. The current deregulatory drumbeat, stimulated by the US fury against EU powers, has cooled that talk, but the idea is not dead.

Workplace technologies are still largely governed by , even though employment contexts differ profoundly. Employers routinely collect sensitive data that extends managerial control into workers' emotional domains, and AM systems intensify these dynamics by automating decisions and generating detailed profiles.

The persistent and asymmetrical nature of workplace surveillance undermines autonomy and erodes mutual trust. Unlike consumers, workers cannot meaningfully refuse these intrusive practices, making power imbalances more acute. Moreover, , threatening solidarity and enabling anti-union practices.

The Platform Work Directive (PWD) offers a ready-made compass to reorient action on workers' digital rights. Indeed, a whole chapter is devoted to fine-tuning the GDPR to better govern AM at work. As argued in a , several PWD provisions appear to be deliberately drafted to fill the gaps left by the omnibus framework.

The PWD covers "decisions supported by" algorithms (not just fully automated ones), extends workers' information and access rights, re-establishes a right to explanation, and bans outright.

It is, however, crucially limited, as its sectoral scope , leaving everyone else in the open. If the GDPR is not good enough for delivery couriers and click-workers, why is it still being applied to all other workers?

Put the chainsaw away

Blaming the GDPR for Europe's growth woes makes for great clickbait, LinkedIn memes and after-dinner quips, but it . Looser privacy rules will not fix our problems. On the contrary, a smarter framework for workers' digital rights could serve as a robust counterbalance, ensuring that AM operates as a tool for efficiency rather than .

By all means, critique the GDPR, but aim at the right target. Its abstract, transactional, individualistic DNA is ill-suited to the collective, lopsided reality of modern workplaces where employees' data is fed into black-box AI systems.

In those environments, the answer is not to prune protections, but to by clarifying legal bases, establishing red lines, hard-wiring collective rights, and closing enforcement loopholes. Reform, yes. Regression, no.