This article is part of Access Partnership’s series ‘The New Privacy Playbook: Adapting to a Shifting Global Landscape’, which explores the evolving landscape of data governance – highlighting both the obstacles and the innovations emerging across sectors and regions.
In his recent Forbes article, Access Partnership’s CEO Gregory Francis posed a question that’s keeping C-suite executives awake at night: Are data protection laws now actively harming the innovation they were designed to enable? Greg put it bluntly, stating that ‘[these regulations] often act as a barrier to innovation – at best, imposing additional costs, and at worst, driving investment away’.
He’s right to challenge the status quo. We’re witnessing a global regulatory divergence that’s fragmenting the digital economy along jurisdictional lines. And the price tag for getting this wrong? Enormous.
The creaking machinery of global data regulation
Brussels has long set the tone for global data regulation. But GDPR – that gold standard template – is showing its age. Even EU officials privately concede its enforcement regime is ‘creaking under the weight of complexity’ and that its provisions often lack clarity when applied to AI, real-time data processing, or new types of digital identity.
This isn’t just a European problem. India’s Digital Personal Data Protection Act, Brazil’s LGPD, and various state-level US privacy laws are all struggling with scope creep and ambiguity.
Perhaps most telling is the UK’s introduction of ‘Recognised Legitimate Interests’ in its latest Data Use and Access Bill – predetermined categories that allow organisations to disclose personal data without performing the traditional balancing test that weighs business interests against individual privacy rights.
Why current regulations are failing
The healthcare sector offers perhaps the starkest example of how well-intentioned privacy rules can inadvertently cause harm. In the US, data remains fragmented across Electronic Health Records, insurance claims, wearable devices, and genomic databases – siloed information that should be working together to enhance patient care.
Meanwhile, in the financial sector, the struggle between innovation and privacy has led to a widening digital divide that threatens to leave some regions behind. Financial institutions face difficult choices: build different systems for different markets, restrict innovation to the lowest common denominator, or focus only on the most advanced markets.
Fundamentally, most current data governance frameworks were built for a simpler time – when basic user consent and data breaches were the main hurdles. They weren’t designed with real-time cross-border data flows or data-hungry AI models in mind. The traditional regulatory response of imposing national barriers or repurposing existing privacy frameworks no longer works with today’s rapidly evolving technology.
Rising stakes, record fines
The cost of getting it wrong has never been higher. Recent penalties in Europe illustrate this trend, such as Meta’s EUR 91 million fine for failing to notify authorities of a data breach or Uber’s EUR 290 million fine for collecting sensitive personal data of EU drivers and improperly transferring it to the US.
In addition, the interpretations of what constitutes personal data keep expanding. The European Court of Justice ruled that the TC (transparency & consent) string and associated data should be classified as personal data due to their connection with identifiers like IP addresses. Even more concerning, ‘fear and loss of control’ can now qualify as damage under Article 82 GDPR, potentially leading to financial compensation claims. As one expert noted, while an infringement itself is not sufficient, ‘if fear can be proven, it can amount to damages’ – even nominal amounts like EUR 1 could be sufficient.
Global lessons: alternative approaches that work
Some of the most forward-looking jurisdictions are proving that smarter models for data governance are possible. Estonia’s integrated health data system, launched in 2008, uses blockchain-backed infrastructure and unique digital IDs to ensure citizens can access and manage their own records securely. Meanwhile, the UAE has yet to implement its 2021 data protection law, creating a regulatory grey zone that has inadvertently allowed data-driven businesses to scale with fewer barriers – while still signalling clear ambitions around digital transformation.
The new regulatory frontier: shifting EU priorities
The European Commission has officially withdrawn its long-stalled proposal to update the ePrivacy Directive into a full regulation – an effort that dates back to 2017. The Commission cited ‘no foreseeable agreement’ and noted the proposal is ‘outdated in view of some recent legislation in both the technological and the legislative landscape’.
This withdrawal signals a broader shift in EU priorities. The Commission’s 2025 work programme reveals a pivot toward competitiveness and growth, with an explicit focus on fostering innovation. New initiatives include an Innovation Act to support start-ups and scale-ups and an AI Continent Action Plan – all suggesting a more business-friendly approach.
What organisations should do now
While we advocate for this broader vision, organisations face immediate challenges. Based on our analysis, we recommend that businesses:
- Monitor ongoing changes to regulations, especially concerning new legal bases for processing. As the UK’s Data Use and Access Bill and US Trump tariffs demonstrate, the ground is shifting rapidly.
- Reassess legitimate interest assessments using the European Data Protection Board’s (EDPB) three-step approach: analyse the legitimate interest, assess the necessity of processing, and conduct a rigorous balancing test between interests and rights.
- Review your tracking technologies beyond cookies. Despite the European Commission withdrawing the ePrivacy Regulation proposal, the existing Directive remains in force with significant fines imposed on major companies. The EDPB’s expanded interpretation now covers URL tracking, API processing, and IoT reporting, with impacts extending beyond EU borders.
- Engage, engage, engage. Engage with regulators to help shape more balanced regulatory approaches. As global frameworks continue to evolve, organisations that participate in the dialogue will be better positioned to influence outcomes and prepare for changes.
Looking ahead: our global Data Governance series
In the coming weeks, our in-house experts will be publishing a series of articles exploring specific challenges and opportunities across sectors and regions, and where we can help, including:
- The UK Data Use and Access Bill and its implications for post-Brexit data governance
- Breaking down data silos in the US healthcare sector
- How data privacy rules impact financial services innovation in APAC
- Copyright challenges and the question of “who owns what” in the data economy
- Preparing for Data Regulation 2.0 and future-proofing your data strategy
Follow the series to find out more – or get in touch to learn how we can help your organisation navigate the evolving global data governance landscape with confidence.