This article is part of Access Partnership’s series ‘The New Privacy Playbook: Adapting to a Shifting Global Landscape’, which explores the evolving landscape of data governance – highlighting both the obstacles and the innovations emerging across sectors and regions.
Brussels has long set the tone for global data regulation. But as generative AI explodes, synthetic data becomes mainstream, and digital environments blur physical boundaries, a question looms: Can anyone – including the EU – keep up?
The answer matters. Because right now, governments worldwide are grappling with data governance laws built for a Web 2.0 world. Most were designed to deal with social media platforms, basic user consent, and advertising models – not AI models trained on billions of data points or IoT systems sending real-time signals across borders.
Yet rather than rethink the foundations, many countries have copied and pasted the European Union’s General Data Protection Regulation (GDPR) with minimal adaptation – creating a slow-moving, fragmented compliance environment that’s rapidly becoming out of sync with the technologies it’s supposed to regulate.
Unless governments course-correct quickly, they will end up with yesterday’s regulation holding back citizens from realising the benefit of today’s technology.
One regulation to rule them all?
GDPR remains the most influential global template for data protection. But it’s showing its age. Even EU officials privately concede that its enforcement regime is creaking under the weight of complexity and that its provisions often lack clarity when applied to AI, real-time data processing, or new types of digital identity.
The problem isn’t the regulation’s intent – it’s the static nature of its design. Technologies are evolving faster than rules can be interpreted. In some jurisdictions, that leads to over-enforcement. In others, to paralysis. For companies – especially small and mid-sized players – the result is a regulatory minefield.
And it’s not just the EU’s model that’s under pressure. India’s new Digital Personal Data Protection Act, Brazil’s LGPD, and various state-level US privacy laws are also struggling with scope creep and ambiguity. The global picture is becoming one of divergence rather than convergence.
What a modern framework needs to deliver
Getting ahead of the problem means designing regulations that can flex with technology – not ones that require constant amendments or emergency guidance.
Call it Data Protection 2.0. It won’t look like a single framework or one global standard. But it will need to share a set of core principles if it’s going to work across borders and withstand the pressures of innovation.
Here’s what that looks like:
- Built-in adaptability: Regulation must be principle-based, not tech-specific. Legislators can’t afford to guess what the next breakthrough will be.
- Outcome-focused rules: Compliance should hinge on whether users understand and control how their data is used – not just on whether the right box was ticked.
- Global interoperability: The lifeblood of the digital economy is data movement. Governments need to avoid fragmentation and invest in mechanisms that allow safe data flows, such as model clauses, certifications, and standard-setting.
- Risk-tiered enforcement: Not every use of data poses equal risk. Treating a voice assistant like a medical diagnostic AI only leads to bottlenecks and overregulation.
- Sectoral and cultural nuance: Frameworks must be responsive to local context without becoming incoherent or duplicative. That means coordinating across regulators and allowing space for sector-specific codes of conduct.
This is achievable. But the clock is ticking.
What happens if we get it wrong
The costs of regulatory stagnation – or misalignment – aren’t hypothetical. If countries continue defaulting to static or misfitted frameworks, several things are likely to happen:
- Innovation will drift to friendlier jurisdictions. Start-ups and mid-size firms in overly restrictive or unclear regimes will find it hard to scale – or may never launch at all.
- Public trust may collapse. Citizens frustrated by weak protections or exploitative practices will disengage from digital platforms, undermining digital government strategies and eroding civic trust.
- Big Tech wins by default. Large incumbents have the legal, technical, and compliance teams to navigate fragmented rules. Smaller players do not. Regulation that aims to check power could instead entrench it.
- Global data flows become collateral damage. Without coordinated interoperability, countries risk walling themselves off from critical research, trade, and AI development ecosystems.
And perhaps most critically: regulators will be stuck playing catch-up, again – forced to react to scandals and headlines rather than steering policy with foresight.
From principles to progress
Technology won’t wait for regulators to catch up. Data is no longer just a by-product of online activity – it’s an active, generative force shaping economies, societies, and public institutions.
Governments serious about digital transformation cannot treat data regulation as a tick-box exercise or a defensive posture. They need modern, flexible, globally compatible laws that balance innovation with trust – and they need them fast.
In a world where AI is developing faster than any policy cycle can match, a structured, scalable, and cooperative approach might be the best shot we have.
A toolkit worth considering
At Access Partnership, we are developing a Data Governance Toolkit. The concept would give governments a modular, principle-based set of tools to update their data protection frameworks for the age of AI and beyond.
Rather than promote deregulation, the toolkit would support governments in aligning core principles, such as user control, transparency, and proportionality, with their own national priorities. It would include templates for model clauses, simplified corporate rules, and risk-based regulatory frameworks, as well as strategies for coordinating sectoral regulators.
The toolkit is a practical attempt to bridge the gap between high-level goals and on-the-ground reform. It reflects a core truth: policymakers need help navigating this next phase. And they need to act now, before the current drift hardens into dysfunction.
To find out more about the toolkit or how Access Partnership can help you, please contact Matthew McDermott at [email protected].
