The Cost of Unused Data: GDPR, AI, and Europe’s Privacy Bargain

GDPR may be Europe’s most recognizable regulatory export, and one of its most irritating inventions.

It changed how the world talks about personal data. It forced companies to treat information about people as something other than free industrial residue. It gave legal form to a European intuition that had been gathering force for years: that the digital economy had turned too much of ordinary life into something collected, inferred, sold, profiled, optimized, and retained by institutions whose power was growing faster than public understanding.

It also gave us the cookie banner.

That is not a fair summary of GDPR, but it is an honest part of its public memory. For many Europeans, data protection appears less as a constitutional achievement than as a small repetitive nuisance: an interruption, a checkbox, a privacy notice nobody reads, a consent mechanism that teaches people to click away friction. A law designed to restore agency often reaches citizens as paperwork.

But GDPR and AI now collide around a harder question: whether Europe built a privacy regime better at preventing misuse than enabling trustworthy use. GDPR was a necessary rebellion against data extraction. The question now is whether Europe needs a second act: a privacy culture that does not merely say no to abuse, but makes responsible data use easy enough to matter.

That question has become sharper because of artificial intelligence. In an earlier digital economy, limiting data use could look like a straightforward protective act. In the AI economy, data is training material, evaluation material, translation material, medical research material, product-improvement material, fraud-detection material, and institutional memory. Data still exposes people to power. But data also allows societies to learn.

A society can be harmed by data use. It can also be harmed by data non-use.

Europe has been much better at thinking about the first danger than the second.

Data protection is not only about preventing misuse. It is also about deciding what societies are still allowed to learn.

What GDPR Got Right

A cheap critique of GDPR starts with annoyance and never moves beyond it. That critique is not good enough. The law did not emerge because Brussels bureaucrats had nothing better to do. It responded to a real imbalance.

The digital economy had made personal data unnaturally easy to collect and unnaturally hard to understand. People generated location trails, search histories, purchase records, workplace data, social graphs, health signals, political inferences, biometric traces, and behavioral patterns simply by living ordinary modern lives. Companies learned to treat this material as fuel. Consent became fictional. Privacy policies became unreadable. Data brokers turned obscurity into a business model. Platforms learned to extract value from prediction, personalization, manipulation, and attention.

A society that treats personal data as ownerless exhaust has already made a political decision. GDPR was Europe’s refusal of that decision.

That refusal matters. The European Commission describes data protection as a fundamental right in the EU, and GDPR gives that right operational force. Personal data is not just information. It is a way in which institutions make people legible. The more a person is known through data, the more easily they can be classified, priced, targeted, excluded, nudged, surveilled, or administratively processed. Data protection is therefore not a decorative concern added to technology after the important work is done. It is part of the political structure of a digital society.

GDPR’s best principles remain defensible: lawful basis, purpose limitation, data minimization, transparency, security, accountability, access, erasure, portability, and objection. The full GDPR text is not light reading, but its core demand is clear enough: organizations should be able to explain why they collect personal data, what they do with it, how long they keep it, and what rights individuals have in relation to it. This is not trivial. It is one of Europe’s most serious attempts to make technological power answerable to law.

The problem is not that GDPR values privacy. The problem is that privacy has often been operationalized through mechanisms that produce formal control without much real trust.

Compliance Is Not Trust

The cookie banner is the degraded symbol of the problem. It is not the whole problem, but it is a useful emblem because it shows how a moral principle can become a ritual.

The user is asked to choose. The choice is often badly designed, poorly understood, asymmetric, repetitive, or structured to favor acceptance. The website wants legal cover. The user wants to read the page. The regulator wants meaningful consent. The result is a little theatre of agency in which almost nobody becomes wiser.

Consent fatigue is not privacy. It is exhaustion administered through interface design.

This is not entirely GDPR’s fault. The law contains lawful bases beyond consent, including contract, legal obligation, public interest, vital interests, and legitimate interests. In theory, it is more sophisticated than the consent-banner ecosystem suggests. In practice, however, legal uncertainty and institutional fear often push organizations toward visible compliance mechanisms. If a rule is hard to interpret, the safest response is paperwork. If the risks of getting it wrong are large, cautious organizations do less. If the costs of compliance are high, large firms absorb them and small ones hesitate.

That creates one of GDPR’s uncomfortable paradoxes: a rule designed partly to constrain platform power may sometimes entrench incumbents. Large technology companies can hire lawyers, build consent systems, run compliance departments, litigate, negotiate, absorb fines, and design around constraints. Smaller firms, researchers, public-interest projects, local media, civic organizations, and startups often experience the same legal framework as fog.

A rule can be anti-Big-Tech in spirit and pro-incumbent in effect.

This is not an argument for abolishing the rule. It is an argument for asking whether Europe has built enough institutions to make responsible data use possible without requiring every actor to become a legal department.

AI Changes What Data Is For

Artificial intelligence makes the problem harder because it changes what data is for.

Data is no longer only something used to target advertising, personalize a feed, or profile a consumer. It is also AI training data: the material from which models learn patterns. Medical records can help identify disease earlier. Mobility data can improve transport systems. Public administration data can reveal bottlenecks, fraud, exclusion, or waste. Educational data can help identify students who are falling behind. Multilingual corpora can improve translation for smaller languages. Legal and regulatory documents can train tools that help citizens and officials navigate the state. Industrial data can improve energy efficiency, maintenance, design, logistics, and safety.

None of this makes data harmless. Medical data is intimate. Educational data can stigmatize. Mobility data can become surveillance. Public-sector data can produce bureaucratic cruelty if used badly. AI training can expose people to extraction at scale, especially when datasets contain information gathered for one purpose and reused for another. The lesson is not that AI makes privacy obsolete. The lesson is that privacy can no longer be understood only as restraint.

The European Data Protection Board’s Opinion 28/2024 on AI models illustrates the tension. It does not say that GDPR makes AI training impossible. It discusses when AI models may be considered anonymous, whether legitimate interest can serve as a legal basis for developing or deploying AI models, and what follows if models are trained on unlawfully processed personal data. That is a careful legal conversation, not a simple prohibition.

But careful legal conversations can still produce strategic consequences. If the path to responsible AI training is case-specific, uncertain, expensive, and contestable, the burden does not fall equally. It favors actors with lawyers, capital, infrastructure, and patience. It disadvantages precisely the actors Europe often says it wants to encourage: startups, universities, public-interest technologists, small-language projects, hospitals, research consortia, and public administrations trying to modernize without surrendering everything to foreign platforms.

GDPR is not the reason Europe lacks OpenAI-scale firms. Compute, capital, procurement, market fragmentation, energy, platform absence, and talent all matter. But data governance is one of the places where Europe’s regulatory strength can become a production constraint. The problem is not that GDPR makes AI impossible. The problem is that it can make socially useful AI legally foggy. Fog benefits those with headlights.

The Public Cost of Non-Use

Privacy debates are rightly preoccupied with misuse. Surveillance, manipulation, discrimination, identity theft, profiling, loss of autonomy, breach, and administrative overreach are real harms. But there is another category that receives less attention because it is harder to see: the public cost of non-use.

If medical data cannot be pooled responsibly, diagnosis may improve more slowly. If rare-disease data remains fragmented, patients may wait longer for patterns to become visible. If mobility data cannot be used well, transport remains worse than it needs to be. If educational data is treated only as a risk, struggling students may remain invisible until failure becomes obvious. If public administration data cannot support better AI tools, governments remain slower, more expensive, and more dependent on foreign systems. If European-language data is underused, AI becomes better in English than in smaller European languages. If customer-support data cannot be used responsibly by smaller firms, product improvement becomes easier for incumbents than challengers.

None of these examples settles the case. Every one requires safeguards. But they show why “less data use” is not always the humane answer. Sometimes the humane answer is better data use.

The phrase “data protection” can mislead by making the protected object sound like the data itself. The real object is people. Sometimes people are protected by limiting data use. Sometimes they are helped by permitting it under trustworthy conditions. A privacy regime that cannot distinguish those cases becomes morally less serious than it thinks.

In AI, the cost of non-use is especially acute because data gaps become capability gaps. Models trained primarily on data easiest to gather at global scale will not accidentally embody Europe’s legal traditions, linguistic diversity, administrative needs, or social expectations. If Europe wants AI systems that understand Croatian, Luxembourgish, Swedish, Estonian, Maltese, and Slovene public life as more than translation problems at the edge of an English-speaking model, it needs lawful ways to use European data.

Otherwise Europe will regulate models trained elsewhere on data gathered under other assumptions, then wonder why its own priorities appear as constraints rather than foundations.

Who Benefits from Friction?

Strict privacy rules do not automatically harm the powerful. Sometimes they help them.

Large incumbents often hold vast first-party datasets. They can ask for consent at scale. They can build privacy dashboards, negotiate with regulators, redesign processing flows, and pay for compliance. They can buy datasets, acquire companies, hire counsel, and absorb uncertainty as a cost of doing business. Even when they lose a case, they may have gained years of market advantage while the dispute moved through institutions.

Smaller actors live differently. A startup may not know whether its planned training use is lawful. A university project may lack legal support. A local public authority may abandon a useful idea because the data protection impact assessment looks intimidating. A hospital may have data that could improve care but no governance structure to share it safely. A language community may lack the institutional machinery to turn its texts and speech into training material. A public-interest project may discover that good intentions are not a lawful basis.

This is the hard European pattern: rules designed to discipline power can become navigable mainly by the powerful.

Europe has not ignored the problem. The Commission’s work on Common European Data Spaces and the Data Governance Act is explicitly meant to support more trustworthy data sharing across sectors. These initiatives matter because they move beyond the idea that data use is simply a private bargain between collector and subject. They point toward institutions that can govern access, purpose, security, and accountability.

The point is not that Europe has done nothing. The point is that the everyday experience of lawful data use remains too often one of uncertainty, delay, and defensive interpretation.

If Europe wants sovereign AI, or even merely competent public-sector AI, it cannot treat every data question as if the safest answer were always the best answer. Safety matters. But safety without use can become stagnation with better paperwork.

The Wrong Lesson

The wrong lesson would be to abolish privacy.

That is the lazy caricature of the problem: Europe is slow because it cares too much about rights, so the answer is to let companies scrape first and apologize later. This is unserious. Training data can contain private messages, photographs of children, health information, inferred sexuality, political views, workplace conflicts, location histories, intimate searches, and material created in contexts that did not remotely imply future ingestion into a machine-learning system. The fact that data is useful does not make it ownerless. The fact that AI is powerful does not make extraction virtuous.

Europe’s suspicion of data hunger is not irrational. It is one of the things that may prevent AI from becoming a system of casual institutional trespass.

But refusing the crude deregulatory answer does not make the current settlement adequate. Europe does not need less privacy. It needs better pathways for legitimate use. It needs a privacy regime that can say no firmly where power is abusive, while saying yes clearly where use is low-risk, accountable, socially beneficial, and technically protected.

The phrase “socially beneficial” cannot be left to whoever wants the data. Advertising networks, insurers, employers, platforms, police authorities, and governments can all describe their preferred data use as useful. A serious test must ask harder questions: Is the use necessary? Is it proportionate? Can it be audited? Can affected people contest it? Is retention limited? Is the data secure? Who benefits? Who bears the risk? What would be lost if the use were forbidden?

The opposite of data extraction is not data paralysis. It is trustworthy data use.

Privacy as Capacity

A better European privacy settlement would not begin by asking how to weaken GDPR. It would ask how to reduce the gap between legal permission and practical confidence.

For AI training and deployment, that means clearer pathways for legitimate interest where the data is low-risk, the safeguards are strong, the benefit is real, and opt-out rights are meaningful. It means sharper distinctions between sensitive personal data, ordinary personal data, pseudonymized data, anonymized data, public data, and data whose use produces no plausible individual harm. It also means admitting that anonymization and pseudonymization are not magic words. Rich datasets can sometimes be re-identified or linked with other sources. The solution is not to pretend those risks vanish, but to govern access, purpose, security, retention, and auditability with more seriousness than a checkbox can provide.

Europe needs more trusted data intermediaries, public-interest data spaces, sectoral governance, and model-development environments where researchers, startups, hospitals, and public bodies can work without improvising legal theory from scratch. It also needs enforcement priorities that target real abuse rather than paperwork failure. A company secretly profiling vulnerable people for manipulation is not in the same moral category as a civic project trying to build a better local-language model and getting lost in uncertainty. A hospital research consortium is not the same as an advertising network. A public administration using data to reduce fraud or improve services is not the same as a broker building shadow profiles for sale.

The law can recognize such differences. The question is whether institutions can make them usable.

Europe should also be more ambitious about privacy-preserving technology: federated learning, differential privacy, secure enclaves, synthetic data where appropriate, trusted research environments, audit trails, and strong governance for access rather than crude release. These are not magic either. They do not eliminate political judgment. But they offer a way out of the sterile opposition between hoarding data and exploiting it.

The old question was: who is allowed to collect personal data?

The new question is harder: under what institutions can data be used so that people are protected not only from misuse, but also from the failures caused by non-use?

The Data Europe Cannot Learn From

GDPR has often been discussed as if it were mainly a shield. That metaphor is understandable. Shields matter. A person standing before a platform, a state, an employer, an insurer, or a data broker may need protection more than they need innovation.

But a society cannot be only shield. It also has to learn, build, diagnose, improve, translate, govern, and discover. If privacy is designed only as resistance to use, then Europe will struggle to produce the very systems it says should reflect European values.

This is another form of Europe’s broader slow emergency: the continent often sees danger clearly, then builds procedures faster than capacity. It also connects directly to the problem of Europe renting its intelligence. A continent that wants sovereign AI needs data, compute, models, capital, talent, and institutions capable of turning lawful use into public value. If it has values but no capacity, those values become instructions sent to systems built elsewhere.

The issue is not whether Europeans should have privacy. They should. The issue is whether privacy can be designed as a condition for trustworthy use rather than as a polite name for paralysis.

GDPR was Europe’s refusal to let the digital economy treat human beings as raw material. That refusal remains necessary. But the next question is whether Europe can also refuse a second fate: becoming so careful with data that it cannot use its own social knowledge to build.

Data is not only danger. It is also memory, evidence, pattern, language, diagnosis, coordination, and learning. A society that protects data so completely that it cannot learn from it has not escaped power. It has merely ensured that others will build the systems from which it later rents intelligence.
