Home IssueArtificial Intelligence The EU Needs to Reform the GDPR To Remain Competitive in the Algorithmic Economy

The EU Needs to Reform the GDPR To Remain Competitive in the Algorithmic Economy

by Eline Chivot
Cover art for report on impact of GDPR on AI


Since the mid-1990s, the digital economy has been evolving in three phases: the “Internet economy” transformed into the “data-driven economy,” which in turn is transforming into the “algorithmic economy,” in which the ability to use artificial intelligence (AI) is proving critical to firms’ success.

AI promises significant social and economic benefits. However, those benefits can be diminished by poor regulations, especially those related to data processing, as data lies at the heart of AI. In particular, the General Data Protection Regulation (GDPR), while establishing a needed EU-wide privacy framework, will unfortunately inhibit the development and use of AI in Europe, putting firms in the EU at a competitive disadvantage to their North American and Asian competitors. The GDPR’s requirement for organizations to obtain user consent to process data, while perhaps being viable, yet expensive, for the Internet economy, and a growing drag on the data-driven economy, will prove exceptionally detrimental to the emerging algorithmic economy.

To address these limitations in the GDPR, several European countries have pursued strategies to facilitate access to personal data by companies in specific industries. These isolated efforts are important but will not be sufficient to fully leverage the value of data and capture growth in the long term. The GDPR, in its current form, puts Europe’s future competitiveness at risk. Europe’s success in the global algorithmic economy requires a regulatory environment that is fit for AI but does not reduce consumer protections.

If the EU wants to thrive in the algorithmic economy, it needs to reform the GDPR, such as by expanding authorized uses of AI in the public interest, allowing repurposing of data that poses only minimal risk, not penalizing automated decision-making, permitting basic explanations of automated decisions, and making fines proportional to harm.

Download the report.


Technological progress has shaped the global economy over the last three decades. From the mid-1990s until the early 2000s, the Internet economy gave rise to a global network that fundamentally changed how firms communicated, collaborated, and delivered products and services. The mid-2000s saw the advent of a data economy, in which public and private organizations increasingly used data and analytics to make better decisions. One of the most visible changes of the data economy has been the rapid growth of cyber-physical systems, or the Internet of Things, which have led to the development of smart homes and smart cities, wearables for fitness and health, and industrial applications such as smart factories. The world is now moving into what is best described as an algorithmic economy wherein the ability of organizations to thrive correlates with their ability to use data through AI.[1]

The EU has made clear it wants global leadership in AI. The EU’s coordinated plan on AI reads, “Overall, the ambition is for Europe to become the world-leading region for developing and deploying cutting-edge, ethical and secure AI.”[2] Given that both access to, and ability to use, data is often a necessary prerequisite for developing and using AI effectively, the importance of data will continue to grow in the algorithmic economy. Indeed, the EU’s coordinated plan on AI states, “AI needs vast amounts of data to be developed … The larger a data set, the better AI can learn and discover even subtle relations in the data.”[3] And the plan calls for the creation of “common European data spaces” in sectors such as manufacturing and energy to support the development and adoption of AI.

Laws and regulations affecting algorithms and data will be key factors in determining how effectively each nation’s firms will be able to compete in the global algorithmic economy. In particular, the GDPR, the EU’s new privacy law, has diminished, and will continue to limit, Europe’s ability to develop and use AI. Perhaps the biggest negative impacts from the GDPR will be on the ability of organizations to use personal data in the algorithmic economy. Given that the GDPR is a new law, some EU policymakers may be skeptical about changing it at this time. However, while the law has created some benefits for both businesses and consumers, by many metrics, it is also clear the GDPR has created a number of unintended consequences. Most notably, the law has imposed, and will continue to impose, significant compliance costs on organizations.[4] In addition, the GDPR has decreased competition in certain sectors, such as online ad markets, and reduced venture capital investment in European start-ups—the latter costing Europe up to 39,000 jobs.[5] The GDPR is thus ripe for improvement.

Indeed, there is growing awareness in Europe of the importance to EU growth and competitiveness of improving commercial data collection and sharing. For example, a report produced on behalf of the European Commission notes that one of the most significant barriers to data sharing is “difficulties in meeting the legal requirements on data protection in a business-to-business context,” and recommends, “The European Commission and national governments should keep a minimal regulatory approach to foster B2B data sharing.”[6] And AI4EU, the European Union’s signature AI project designed to develop a comprehensive European AI ecosystem, has made creating a common platform for sharing data sets a key priority.[7] While EU policymakers should remain committed to the overall goals of improving consumer protection, they should also embrace opportunities for reforming the GDPR to make it more suited to the algorithmic economy.

Specifically, EU policymakers should:

  • Expand data processing in the public interest
  • Allow repurposing of data that poses only minimal risk
  • Not penalize automated decision-making
  • Permit basic explanations of decisions
  • Make fines proportional to harm

These reforms should happen quickly, as time is of the essence. Many nations are moving forward quickly to develop and deploy AI—and businesses in these countries will have an advantage.[8]In particular, EU companies subject to the GDPR will face a regulatory environment that makes it harder to develop and deploy AI, and thus will lose out to competitors in North America and Asia.

The Importance of AI in the Algorithmic Economy

Since the 1950s, computer scientists have worked to develop AI—computer systems that perform tasks characteristic of human intelligence, such as learning and decision-making. But only in the last decade have they had all the technological building blocks necessary to achieve their vision. Advances in hardware, including faster processors and more abundant storage, plus larger data sets and more capable algorithms, have unlocked many more opportunities throughout the economy to use AI, such that AI is now poised to become a key driver of innovation, growth, and societal welfare.[9] In particular, much progress has occurred because of advances in machine learning—a subfield of AI in which algorithms use data to automatically and iteratively build new analytical models—thus allowing them to learn how to solve problems within specific contexts without being explicitly programmed for a particular solution.[10]

Although the exact economic value AI will generate is difficult to predict, it will certainly have a substantial and lasting impact on the economy by increasing the level of automation in virtually every sector, leading to more efficient processes and higher-quality outputs, and boosting productivity and per capita incomes.[11] According to the business consultancy McKinsey, the total annual value of applying advanced AI techniques and analytics across industries is already between $9.5 trillion and $15.4 trillion globally.[12] Recent estimates suggest it will likely provide economic growth equivalent to adding 13 new Australias, 186 times Bill Gates’s net worth, or 10 times Apple’s market capitalization to the global economy.[13]

Some studies suggest AI could significantly increase annual national economic growth rates. Accenture has estimated that, for the 12 countries it surveyed, AI would boost labor productivity rates by 11 to 37 percent by 2035.[14] Specifically, those rates would increase by 37 percent in Sweden, 29 percent in Germany, 27 percent in the Netherlands, and 25 percent in the United Kingdom.[15]

Algorithms power software and mechanical systems that are more productive than humans. By automating repetitive tasks, AI offers the potential to relieve workers from performing tedious manual or administrative tasks.[16] For example, businesses are using AI to automate routine back-office duties such as processing invoices and onboarding new employees. Agricultural firms are using AI to expedite labor-intensive farm work, such as building automated greenhouses and designing robots to harvest fruits and vegetables on traditional farms.[17] And law firms are using AI for time-consuming tasks that involve large volumes of documents, such as electronic discovery, due diligence, and contract review.[18]

Business operations and management processes are becoming more efficient with AI. Businesses use AI to perform, monitor, and optimize manufacturing processes, engage with customers using chatbots, and analyze sensor data to predict when machines need maintenance in order to reduce failures and downtime.[19] Using AI, companies can analyze a variety of data, including historical sales data, advertising campaigns, prices, and weather forecasts, to develop highly accurate supply-chain forecasts, thereby reducing warehousing costs and minimizing sales lost due to products being unavailable.[20]

Besides boosting economic productivity, AI can also help address pressing challenges related to the environment, public health, and transportation, among others. For example, utilities are using AI to optimize wind farms, conservationists are using AI to stop illegal poaching, and government agencies are using AI to stop fraud.[21]

AI is set to boost breakthroughs in health care, with pharmaceutical companies already using AI to discover lifesaving drugs and personalize treatments, and health care providers using AI to diagnose, treat, and monitor patients more effectively.[22] For example, researchers have shown that machine learning algorithms can more reliably detected skin cancer from images than can dermatologists.[23] And start-up Suggestic’s mobile app analyzes medical research publications to deliver personalized recommendations to patients with diabetes on how to improve their diet and better manage their disease.[24]

Indeed, many consumers routinely use AI in their daily lives. Popular online services use AI to reduce spam, suggest movies, prioritize news updates, and help finish sentences in email and text applications.[25] AI can automate repetitive tasks such as sorting and labeling photos, and identifying locations and people who appear in multiple photos.[26] Consumers receive alerts from credit card companies when algorithms detect irregular behavior patterns in their spending habits, thereby reducing fraud.[27] And AI is at the core of personal assistants, such as Siri, Cortana, and Alexa, that can schedule meetings, translate foreign languages, and even make phone calls to book reservations, such as at restaurants or beauty salons.[28]

These examples only scratch the surface of how AI is driving innovation across sectors and has the potential to bring significant benefits to the economy and society.

The GDPR Hurts AI in the EU

Data is a key enabler of AI. In particular, many applications of machine learning algorithms require vast amounts of high-quality training data. However, organizations face a number of barriers limiting their ability to access the data necessary to take advantage of AI effectively. Indeed, a 2017 survey of data scientists found that “access to data” was the top barrier to successful AI projects.[29]

A key barrier to collecting, sharing, and using data in the EU is the GDPR, the new European privacy law that went into effect on May 25, 2018. The GDPR creates specific rules for how individuals may access, rectify, transfer, and delete personal data held by third parties. All organizations doing business in the EU must comply with the GDPR—although many have failed to do so.[30] Given AI’s heavy reliance on data, the GDPR’s rules for data have substantial implications for the development and use of AI—especially applications involving machine learning.[31]

The GDPR has had a number of unintended negative consequences for the EU’s competitiveness in AI. Indeed, it has become clear that because the GDPR was initially drafted in 2014, before awareness of machine learning was widespread, policymakers did not properly consider its impact on AI. In many ways, it would have been better to have delayed the GDPR process by a year or two, as that would have given drafters more insight into the algorithmic economy. Nevertheless, this oversight has made the GDPR unfit for the emerging algorithmic economy. In particular, the GDPR has created artificial scarcity of data by making it more difficult for organizations to collect and share data. In addition, it has made it more difficult for companies to use AI applications that automate decision-making regarding individuals using personal information.[32] As a result, the GDPR has put the EU at a competitive disadvantage in the development and use of AI.

The GDPR Limits Collection and Use of Data

The GDPR generally prohibits organizations from using data for any purposes other than those for which they first collected it. Article 5 requires data be “collected for specified, explicit and legitimate purposes,” and “adequate, relevant and limited to what is necessary.”[33] These two restrictions—purpose specification and data minimization—significantly limit organizations innovating with data by restricting them from both collecting new data before they understand its potential value and reusing existing data for novel purposes. However, it is not always feasible for companies to know what data is most valuable or will yield the most important insights. Indeed, organizations often create new value by combining data sets, which makes it difficult to predict the future value of data sets at the outset.[34] As noted earlier, many machine learning systems benefit from access to large data sets, which allows them to improve their accuracy and efficiency. For example, British company Benevolent AI uses AI to accelerate the discovery, development, and delivery of new drugs. Because the system mines and analyzes medical information, such as from clinical trials and academic papers, limiting availability and access to such data hampers its ability to achieve results.[35] By imposing unnecessary restrictions on the collection and use of data, the GDPR puts firms in the EU at a competitive disadvantage compared with firms in countries such as China, where companies have access to data on hundreds of millions of Internet and mobile phone users.

The GDPR Restricts Automated Decision-Making

The GDPR limits how organizations use personal data to make automated decisions about individuals in two ways.

First, Article 22 of the GDPR establishes a right for individuals “not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, or similarly significantly affects him or her.”[36] This means whenever companies use AI to make a decision about individuals, such as to decide whether to offer a loan, the data subject has the right to have a human review that decision. This requirement makes it difficult and impractical for companies to use AI to automate many processes because they must develop, and be capable of offering at scale, a redundant and manual process for individuals who opt out of the automated one.[37]

Having humans review automated decisions is costly. One of the primary reasons for using AI is to reduce the amount of time humans spend processing large quantities of data. However, the GDPR’s requirement effectively implies humans are still involved. And these costs only increase with the sophistication of the AI system because more complex systems are more difficult for humans to review, requiring more time and expertise.[38] As the EU’s guidelines make clear, organizations “must ensure that any oversight of the decision is meaningful, rather than just a token gesture. It should be carried out by someone who has the authority and competence to change the decision.”[39] This requirement effectively limits the viability of using AI to automate many processes involving personal data.[40] Moreover, these requirements hold automated decision-making to a standard that does not exist for manual ones. As a result, the GDPR incentivizes companies to use humans to make decisions even when doing so is less effective or efficient.

Second, Articles 13–15 require organizations to provide individuals “meaningful information about the logic involved” in automated decisions. This means firms must be able to explain how an AI system makes decisions that have significant impact on individuals.[41] While the EU’s guidelines have clarified that these requirements do not necessarily require a full disclosure of the algorithm, the information provided should be “sufficiently comprehensive for the data subject to understand the reasons for the decision.”[42] However, it is not always possible to explain why some AI systems, such as those involving neural networks, are behave in a particular way. As explained by Pedro Domingos, author of The Master Algorithm:

The best learning algorithms are these neural network-based ones inspired by what we find in humans and animals. These algorithms are very accurate as they can understand the world based on a lot of data at a much more complex level than we can. But they are completely opaque. Even we, the experts, don’t understand exactly how they work. We only know that they do.[43]

This means organizations cannot always comply with requirements to explain the logic involved in an algorithmic decision-making process.[44] And even when companies can potentially offer an explanation of the logic involved, they may not be able to do so in a way that is concise and uses plain language, as required by the GDPR. As a result, these regulations will force many businesses to not use certain types of AI systems, especially more sophisticated ones, even when they may be more accurate, safe, and efficient than the alternatives.

The GDPR Increases Compliance Costs and Risks

The GDPR subjects organizations using AI to substantial compliance costs and risks. First, organizations must comply with a number of provisions in the GDPR that impose direct costs, such as obtaining affirmative consent from individuals to process their data, and hiring data protection officers. For example, the initial costs of compliance for Fortune Global 500 companies, the biggest firms worldwide by revenue, will amount to $7.8 billion.[45] Second, organizations face substantial compliance risks because of ambiguous provisions in the law, uncertainty about how these provisions will be interpreted by data protection authorities, and steep fines from regulators for violations—whether intentional or not.[46] As noted in a report produced on behalf of EC, “[e]ven larger companies find it sometimes challenging to keep abreast of the various legal rules that govern data collection and governance, the obligations they lay down and the concrete implications for their business.”[47] This risk and uncertainty means companies are going to be increasingly erring on the side of caution and limiting their use of data, even in ways that go beyond the law’s original intent to avoid future entanglements with regulators. Moreover, compliance costs may come at the expense of investments in AI.

While some of these ambiguities may eventually be cleared up in court, businesses not subject to the GDPR, such as those in the United States and China, will be moving ahead quickly without waiting to exit this regulatory limbo.[48] Therefore, unless amended, the GDPR will have a negative impact on the development and use of AI in Europe, putting European firms at risk of a competitive disadvantage in the emerging global algorithmic economy.[49]

EU Member State AI Initiatives

EU member states are pursuing a number of initiatives, including national AI strategies and bilateral partnerships, to promote the development and deployment of AI. In particular, they are pursuing efforts to expand the availability and use of data for AI, including by authorizing data processing in the public interest, establishing data trusts, and promoting government open data. Many of these efforts are useful and necessary in order to expand the EU’s competitiveness in AI. However, they will not be sufficient to overcome the limitations created by the GDPR, or fully leverage the value of data in the long term because they are only occurring in some member states, are limited to some sectors, and cannot overcome all of the limitations in the GDPR.

National AI Strategies

In December 2018, the European Commission released a “Coordinated Plan on Artificial Intelligence,” which encourages all European member states to develop their own national AI strategies by mid-2019, and work with the Commission to develop common metrics to measure AI adoption. While some member states have already created national AI strategies, others have not or have only included dimensions of AI within broader digital strategies. Moreover, every member state is different, so the policies, priorities, and financial commitments in each national AI strategy will vary.

A key focus in many of the national AI strategies is creating greater access to data. However, most of these AI strategies focus on nonpersonal or public sector data. For example, the German AI strategy proposes granting researchers and developers broader access to public data, which is to become “open by default.”[50] Denmark plans to exploit its high-quality public sector data by making five public sector data sets accessible to businesses, researchers, and public authorities as nonpersonal data.[51] Finland’s AI Strategy promotes public-private partnerships to facilitate both the free movement of data between businesses and public services, and the secondary use by data-driven companies of public sector information, as well as the use of data and AI in business-to-business markets.[52] In France, the AI strategy calls for companies in certain sectors to be required to share their data more widely to maximize reuse—so long as it does not impact legitimate business interests.[53] (In cases where there is an impact, only public authorities would then gain access to the data.)

In addition, many EU member states are focused on the ethical use of data with AI. France has established an AI ethics committee, the United Kingdom has created a Centre for Data Ethics and Innovation, and Germany has set up two commissions: the Data Ethics Commission and the Enquete-Commission on AI.[54]

Bilateral Agreements on AI

Some member states are establishing bilateral agreements around AI and data. Finland has issued a joint statement with France for cooperation on AI that seeks to share best practices in priority sectors such as health care and future mobility.[55] The United Kingdom’s Alan Turing Institute and France’s DATAIA Institute have reached an agreement to share expertise on AI and innovation, for instance, by engaging in joint projects to design and develop algorithms, and hosting visiting researchers.[56] And two of Europe’s key electronics and nanotechnologies research centers, the Belgian Imec Institute and the French CEA-Leti Institute, have agreed to develop a European center of excellence through a strategic partnership in AI and quantum computing.[57]These initiatives will pave the way for collaborative research in areas of shared interest.

Data Processing in the Public Interest

The GDPR allows for the collection and use of personal data in cases of important public interest—a loophole to the consent requirements in the regulation. National governments can and should use this authority liberally, including in areas such as health care, education, and the environment. France is planning to enact rules to allow companies in specific industries to access and leverage personal data without obtaining user consent to support their domestic AI initiatives. These efforts may play a key role in mitigating the negative impact of the GDPR on access to data in certain sectors.

The recent French AI strategy is an example of how member states can proactively use the clause that grants them the authority to repurpose and share personal data in sectors that are strategic to the public interest—including health care, defense, the environment, and transport. The potential is significant. For example, French state-run hospitals have a goldmine of medical records. The French strategy mentions that “in certain cases, the sharing of data … needs to be encouraged in the interests of security, where solutions using artificial intelligence are concerned.” More broadly, France sets out to “promote the paradigm shift at work in the digital economy and highlight the advantages of free access in the development of AI.”[58]

Data Trusts

Organizations developing and deploying AI need to be able to share data with others working in a particular area, such as health care or transportation. However, the GDPR’s complexity creates significant compliance challenges to doing so. For organizations to exchange data more easily and frequently, the United Kingdom has proposed the creation of “data trusts,” which it defines each as “not a legal entity or institution, but rather a set of relationships underpinned by a repeatable framework, compliant with parties’ obligations, to share data in a fair, safe and equitable way.”[59] The objective is to make it easier for organizations by establishing reusable data sharing agreements endorsed by both industry and government.[60] These agreements would also facilitate the exchange of sensitive and proprietary data that might otherwise not be shared.[61] The importance of business-to-business data sharing, and the need to develop data sharing frameworks, has been noted by the European Commission and the Organization for Economic Co-operation and Development (OECD).[62]

Open Data Practices

EU member states can create and share more government open data—data the government makes freely available without restriction—that supports the development and adoption of AI. As the European Commission noted in its policy on open data, “Allowing public sector data to be re-used for other purposes, including commercial ones, can … become a critical asset for the development of new technologies, such as AI, which require the processing of vast amounts of high-quality data.”[63]

At the EU level, the European Commission has introduced open data initiatives that expand the possibility of reusing more data and facilitate data sharing. Includes with these efforts is a proposal to update the Public Sector Information Directive to increase the availability of public sector data and facilitate its reuse and sharing, such as by limiting charges for reuse.[64]

Many EU member states have their own open data initiatives, but there is a lot of variation in the amount and quality of open data they make available.[65] For instance, few countries have appointed chief data officers to oversee their open data efforts and other strategic initiatives to leverage the value of government data.[66] And despite its solid data quality and release of data for improved governance and innovation, France does not perform strongly ensuring data is usable or creating a policy of openness by default.[67]


The EU finds itself at a critical moment. Member states are increasingly awakening to a better understanding of the value of data and the importance of pursuing national AI strategies to secure national competitiveness, while there is mounting empirical evidence of the barriers and limitations that the GDPR has created toward realizing this future. Mending, not ending, the GDPR should be on the table if the EU plans to seriously pursue its AI ambitions. However, many EU policymakers are resistant to this idea because they consider the GDPR to be an ethical commitment they cannot walk away from, and any attempt at improvement would be seen as an admission of a mistake.

There are at least two problems with this view. First, the choice is not between upholding fundamental rights and ignoring them, but rather of choosing which rights and values to uphold. As noted earlier, there are many applications of AI that will save human lives, reduce worker injuries, protect the environment, and deliver other social goods. Pursuing policies that enable data-driven research that will lead to a cure for a rare childhood illness, for example, is a valid ethical option. When considering reforms to the GDPR, policymakers should understand that they are making a choice about what to prioritize. Second, the EU can make reforms to the GDPR that enable greater data sharing and use of AI, but do not undercut the protection of human dignity, legitimate interests, and other fundamental rights.

Moreover, the pursuit of reforms to the GDPR should not be seen as a potential conflict between government and industry, but rather as a potential collaboration in pursuit of shared goals, such as reducing unnecessary regulatory complexity, protecting consumer welfare, and making Europe more competitive in AI. These types of reforms would likely receive broad support within the EU. Indeed, many European and multinational firms have made their own commitments to upholding fundamental human rights as they manage user data that goes beyond the GDPR.[68]

While EU member states should remain free to develop strategies to promote AI innovation through research and development (R&D) funding, skills and training initiatives, and public sector adoption of AI, they will not be able to overcome the restrictions of the GDPR unless Brussels changes the law. Instead, EU-level reforms to the GDPR and coordinated action on improving European-wide access to data are crucial to putting Europe on a path toward being competitive in the algorithmic economy.[69]

The EU should eventually consider even more substantive changes to the GDPR to make it easier to comply with and less burdensome on organizations. In particular, the EU should drastically simplify the law, which includes over 250 pages of legal text, to make it easier for organizations to understand, as well as refocus its rules on preventing consumer harm, rather than tightly controlling how organizations collect and manage data. However, in the interim, it can and should pursue a smaller set of targeted updates to the GDPR, rather than a complete rewrite of the text, to make the regulation more fit for the purposes of AI.

To reform the GDPR for the algorithmic economy and improve the regulatory environment for AI in Europe, policymakers should take the following steps.

Expand Data Processing in the Public Interest

The GDPR allows member states to exempt certain types of data processing from its requirements when it is in the public interest. However, this requires member states to take legislative action to create these exemptions—which only apply to specific markets—thereby defeating the intent of the GDPR to create a single digital market. Therefore, the EU should amend the GDPR to allow data processing in the public interest that has been authorized by an independent advisory body responsible for promoting data innovation in Europe. This would create EU-wide exemptions to encourage the use of AI in areas such as health care, education, and the environment.

Allow Repurposing of Data That Poses Minimal Risk

The GDPR restricts organizations from repurposing data beyond its original intended use without re-obtaining consent from individuals, thereby limiting the ability of organizations to experiment and innovate with lawfully collected data. But many, if not most, of the likely uses of repurposed data would be beneficial to consumers. The EU should amend the GDPR to permit organizations to repurpose data already collected, as long as doing so poses only minimal risk of harm to individuals and does not involve the transfer of data from one controller to another.

Do Not Penalize Automated Decision-Making

The EU should remove the broad right to human review of algorithmic decisions from the GDPR. This requirement makes it more expensive for organizations to use AI, and forces them to use less accurate AI systems, while also failing to protect consumers from unfair decisions, as human decisions can be even more inscrutable and biased than decisions made by algorithms. The EU should also amend the GDPR to make any requirements for transparency, oversight, or explanation technology-neutral and based on the nature and seriousness of the decisions at hand—such as a right to appeal credit decisions—instead of basing them on whether a particular decision is made by a human or an algorithm.

Permit Basic Explanations of Decisions

As noted, the GDPR should be amended to not distinguish between algorithmic and human decisions. However, wherever it still requires organizations to disclose information about decision-making processes, the GDPR should be amended such that organizations using algorithms need only disclose basic information about how their systems work and the data involved, rather than detailed information about the logic, which may not be available, may be impractical to provide, or would require disclosing proprietary information.

Make Fines Proportional to Harm

The EU should amend the GDPR to make fines for violating GDPR rules proportional to both the level of harm to the data subjects and the company’s level of culpability for the violation. This would minimize the threat of unjustifiably high fines for relatively minor violations of some of the GDPR requirements that are of most concern to organizations using AI, such as providing insufficient disclosures in order to meet explanation and transparency requirements about algorithms.


The emergence of AI as a key driver of innovation has created a significant threat to European competitiveness. While the EU is launching some ambitious efforts to accelerate the adoption of AI, its data protection regulations impede organizations in the EU from both leveraging large volumes of data to develop and deploy machine learning systems and using AI systems involving automated decision-making in many sectors. Without reforms to the GDPR, the EU will be at a structural disadvantage in the global race to adopt AI, and will likely find itself facing fierce global competition in key sectors of its economy as other nations move forward more quickly in using AI to gain a competitive advantage.

AI is rapidly evolving, and the EU needs to ensure the GDPR evolves as well. Unless EU policymakers make some relatively modest but important changes to the GDPR, the EU will be unable to achieve its vision of becoming a leader in the algorithmic economy.


[1] Daniel Castro and Joshua New, “How Policymakers Can Foster Algorithmic Accountability” (Center for Data Innovation, May 21, 2018), http://www2.datainnovation.org/2018-algorithmic-accountability.pdf; Stephen Prentice, “Explore Algorithmic Business to Drive Differentiation” (Gartner, March 9, 2016), https://www.gartner.com/doc/3244517/explore-algorithmic-business-drive-differentiation.

[2] European Commission, “Coordinated Plan on Artificial Intelligence” (The European Commission, December 7, 2018), https://ec.europa.eu/digital-single-market/en/news/coordinated-plan-artificial-intelligence.

[3] Ibid.

[4] Daniel Castro and Michael McLaughlin, “Why the GDPR Will Make Your Online Experience Worse” (Fortune, May 23, 2018), http://fortune.com/2018/05/23/gdpr-compliant-privacy-facebook-google-analytics-policy-deadline/.

[5] Natasha Lomas, “GDPR Has Cut Ad Trackers in Europe but Helped Google, Study Suggests,” (Techcrunch, October 10, 2018), https://techcrunch.com/2018/10/09/gdpr-has-cut-ad-trackers-in-europe-but-helped-google-study-suggests/; Simon Constable, “How Data Protection Laws Cost Europe 40,000 Tech Jobs” (Forbes, November 26, 2018), https://www.forbes.com/sites/simonconstable/2018/11/26/how-gdpr-became-europes-tech-job-killer/.

[6] Directorate-General for Communications Networks, Content and Technology of The European Commission, “Study on Data Sharing Between Companies in Europe” (The European Commission, April 24, 2018), https://publications.europa.eu/en/publication-detail/-/publication/8b8776ff-4834-11e8-be1d-01aa75ed71a1/language-en.

[7] François Manens, “EU Presents Its Collaborative AI Platform With a Strong French Influence” (Euractiv, April 23, 2019), https://www.euractiv.com/section/digital/news/eu-presents-its-collaborative-ai-platform-with-a-strong-french-influence/.

[8] Joshua New, “Why the United States Needs a National Artificial Intelligence Strategy and What it Should Look Like,” (December 4, 2018), http://www2.datainnovation.org/2018-national-ai-strategy.pdf.

[9] Nick Wallace and Daniel Castro, “The Impact of the EU’s New Data Protection Regulation on AI,” (Center for Data Innovation, March 27, 2018), http://www2.datainnovation.org/2018-impact-gdpr-ai.pdf.

[10] Daniel Castro and Joshua New, “The Promise of Artificial Intelligence,” (Center for Data Innovation, October 2016), http://www2.datainnovation.org/2016-promise-of-ai.pdf.

[11] Productivity is the most important determinant of a region’s overall per-capita income. It is the measure of economic output per unit of input. The unit of input can either be labor hours (i.e., labor productivity) or all factors affecting production, such as labor, materials, and energy (i.e., total factor productivity). Robert D. Atkinson, “Competitiveness, Innovation and Productivity: Clearing Up the Confusion,” (ITIF, August 2013), http://www2.itif.org/2013-competitiveness-innovation-productivity-clearing-up-confusion.pdf. Alan McQuinn, Robert D. Atkinson, Amber Laxton, and Daniel Castro, “Driving the Next Wave of IT-Enabled State Government Productivity,” (ITIF, October 2015), http://www2.itif.org/2015-next-wave-it-state-government.pdf.

[12] McKinsey Analytics, “The Executive’s AI Playbook” (McKinsey & Company, 2018), https://www.mckinsey.com/business-functions/mckinsey-analytics/our-insights/the-executives-ai-playbook?page=industries/.

[13] Jeff Desjardins, “AI Will Have an Enormous Impact on the Future Economy,” citing estimates from NASDAQ and Forbes (Business Insider UK, August 22, 2017), http://uk.businessinsider.com/infographic-ai-effect-on-economy-2017-8?r=US&IR=T; PwC, “AI To Drive GDP Gains of $15.7 Trillion With Productivity, Personalisation Improvements” (PriceWaterhouse Coopers, June 27, 2017), https://press.pwc.com/News-releases/ai-to-drive-gdp-gains-of–15.7-trillion-with-productivity–personalisation-improvements/s/3cc702e4-9cac-4a17-85b9-71769fba82a6.

[14] Mark Purdy and Paul Daugherty, “Why Artificial Intelligence Is the Future of Growth” (Accenture, September 28, 2016), https://www.accenture.com/t20170524T055435__w__/ca-en/_acnmedia/PDF-52/Accenture-Why-AI-is-the-Future-of-Growth.pdf.

[15] Accenture, “Artificial Intelligence is the Future of Growth,” https://www.accenture.com/us-en/insight-artificial-intelligence-future-growth.

[16] Adam Winfield, “AI Won’t Save Us From Pointless Jobs Unless We Let It” (Forbes, December 13, 2017), https://www.forbes.com/sites/sap/2017/12/13/ai-wont-save-us-from-pointless-jobs-unless-we-let-it/ (accessed November 23, 2018).

[17] Hiawatha Bray, “Robotic Farming: It Looks To Be a Growth Industry” (Boston Globe, March 28, 2019), https://www.bostonglobe.com/business/2019/03/28/robotic-farming-looks-growth-industry/tNZmrGTSyavCn98tRaMseK/story.html.

[18] Steve Lohr, “A.I. Is Doing Legal Work, But It Won’t Replace Lawyers, Yet” (The New York Times, March 19, 2017), https://www.nytimes.com/2017/03/19/technology/lawyers-artificial-intelligence.html; Greg Nichols, “Lawyers on the Automation Chopping Block as AI Gets Its JD,” (ZDNet, September 18, 2018) https://www.zdnet.com/article/lawyers-on-the-automation-chopping-block-as-ai-gets-jd/.

[19] Javier Jimenez, “5 Ways Artificial Intelligence Can Boost Productivity” (IndustryWeek, May 22, 2018), https://www.industryweek.com/technology-and-iiot/5-ways-artificial-intelligence-can-boost-productivity.

[20] “Smartening up with Artificial Intelligence (AI)—What’s in It for Germany and Its Industrial Sector?” (McKinsey & Company, Inc., April 2017).

[21] Daniel Castro and Joshua New, “The Promise of Artificial Intelligence” (Center for Data Innovation, October 2016), http://www2.datainnovation.org/2016-promise-of-ai.pdf.

[22] Ibid.

[23] H. A. Haenssle et al., “Man Against Machine: Diagnostic Performance of a Deep Learning Convolutional Neural Network for Dermoscopic Melanoma Recognition in Comparison to 58 Dermatologists,” (Annals of Oncology, August 2018), https://academic.oup.com/annonc/article/29/8/1836/5004443.

[24] Lucy Gunn, “Translating Science Into Suggestion: Start-Up on Personalized Nutrition App” (Nutrition Insight, July 26, 2018), https://www.nutritioninsight.com/news/translating-science-into-advice-suggestic-on-personalized-nutrtion-app.html (accessed November 23, 2018).

[25] Dani Deahl, “Here’s How to Use Gmail’s New Smart Compose” (The Verge, May 10, 2018), https://www.theverge.com/2018/5/10/17340224/google-gmail-how-to-use-smart-compose-io-2018; Allison Toh, “Are You Still Watching? How Netflix Uses AI to Find Your Next Binge-Worthy Show” (Nvidia Blogs, June 1, 2018), https://blogs.nvidia.com/blog/2018/06/01/how-netflix-uses-ai/ (accessed November 23, 2018).

[26] JR Raphael, “33 Incredibly Useful Things You Didn’t Know Google Photos Could Do” (Fast Company, December 14, 2017), https://www.fastcompany.com/40504886/33-amazing-things-you-didnt-know-google-photos-could-do (accessed January 18, 2019).

[27] Vian Chinner, “Artificial Intelligence and The Future Of Financial Fraud Detection,” (Forbes, June 4, 2018), https://www.forbes.com/sites/theyec/2018/06/04/artificial-intelligence-and-the-future-of-financial-fraud-detection/#44fdced9127a (accessed November 23, 2018).

[28] Guadalupe Gonzales, “A.I. Assistants, Brain Games, Virtual Clinics: Meet the Hottest NYC Startups to Watch in 2019” (Inc., November 20, 2018),https://www.inc.com/guadalupe-gonzalez/ny-startups-watch-2019.html (accessed November 23, 2018).

[29] CrowdFlower, “Data Scientist Report 2017” (CrowdFlower, 2017), https://visit.figure-eight.com/rs/416-ZBE-142/images/CrowdFlower_DataScienceReport.pdf.

[30] International Association of Privacy Professionals and Ernst & Young, “Annual Privacy Governance Report 2018” (IAPP and Ernst & Young, October 18, 2018), https://iapp.org/resources/article/iapp-ey-annual-governance-report-2018/.

[31] Kees Groeneveld, “Four Ways How GDPR Impacts AI” (LinkedIn, March 12, 2018), https://www.linkedin.com/pulse/four-ways-how-gdpr-impacts-ai-kees-groeneveld/.

[32] Nick Wallace and Daniel Castro, “The Impact of the EU’s New Data Protection Regulation on AI” (Center for Data Innovation, March 27, 2018), http://www2.datainnovation.org/2018-impact-gdpr-ai.pdf.

[33] EUR-Lex, Regulation 2016/679 (General Data Protection Regulation), Article 5, (see page 6), https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:02016R0679-20160504&from=EN.

[34] Wendy C.Y. Li, Makoto Nirei, and Kazufumi Yamana, “Value of Data: There’s No Such Thing as a Free Lunch in the Digital Economy” (U.S. Bureau of Economic Analysis, latest revised on February 21, 2019), https://www.bea.gov/system/files/papers/20190220ValueofDataLiNireiYamanaforBEAworkingpaper.pdf.

[35] Eva Grey, “BenevolentAI: Using Artificial Intelligence to Speed Up Drug Discovery” (Pharmaceutical Technology, February 6, 2017), https://www.pharmaceutical-technology.com/features/featurebenevolentai-using-artificial-intelligence-to-speed-up-drug-discovery-5731295/.

[36] EUR-Lex, Regulation 2016/679 (General Data Protection Regulation), Article 22, (see page 21), https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:02016R0679-20160504&from=EN.

[37] Nick Wallace and Daniel Castro, “The Impact of the EU’s New Data Protection Regulation on AI” (Center for Data Innovation, March 27, 2018), http://www2.datainnovation.org/2018-impact-gdpr-ai.pdf.

[38] Bryce Goodman and Seth Flaxman, “European Union Regulations on Algorithmic Decision-Making and a ‘Right to Explanation,’” presented at ICML Workshop on Human Interpretability in Machine Learning (WHI, New York, NY, June 2016), http://adsabs.harvard.edu/cgi-bin/bib_query?arXiv:1606.08813 (accessed December 15, 2017).

[39] Article 29 Data Protection Working Party, “Guidelines on Automated Individual Decision-Making and Profiling for the Purposes of Regulation 2016/679” (Working Party 29, Last updated on February 6, 2018), https://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=49826.

[40] Nick Wallace and Daniel Castro, “The Impact of the EU’s New Data Protection Regulation on AI” (Center for Data Innovation, March 27, 2018), http://www2.datainnovation.org/2018-impact-gdpr-ai.pdf.

[41] There has been some debate about whether the GDPR establishes a “right to explanation.” While it is not legally binding, Recital 71 states that data subjects should be able “to obtain an explanation of the decision reached.” In addition, the Information Commissioner’s Office (ICO, United Kingdom’s independent data protection authority) emphasized that data processors must be able to ensure individuals can “obtain an explanation of the decision” (See ICO, “Rights Related to Automated Decision-Making, Including Profiling,” https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/rights-related-to-automated-decision-making-including-profiling). This makes it difficult to establish what might be required in the future.

[42] Article 29 Data Protection Working Party, “Guidelines on Automated Individual Decision-Making and Profiling for the Purposes of Regulation 2016/679” (Working Party 29, Last updated on February 6, 2018), https://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=49826.

[43] Christoph Scheuermann and Bernhard Zand, “Pedro Domingos on the Arms Race in Artificial Intelligence” (Spiegel Online, April 16, 2018), https://www.spiegel.de/international/world/pedro-domingos-on-the-arms-race-in-artificial-intelligence-a-1203132.html.

[44] Allen & Overy, “Preparing for the General Data Protection Regulation” (Allen & Overy, January 2018), http://www.allenovery.com/SiteCollectionDocuments/Radical%20changes%20to%20European%20data%20protection%20legislation.pdf.

[45] Daniel Castro and Michael McLaughlin, “Why the GDPR Will Make Your Online Experience Worse” (Fortune, May 23, 2018), http://fortune.com/2018/05/23/gdpr-compliant-privacy-facebook-google-analytics-policy-deadline/.

[46] Natasha Lomas, “Covert Data-Scrapping on Watch as EU DPA Lays Down ‘Radical’ GDPR Red-Line” (TechCrunch, March 30, 2019), https://techcrunch.com/2019/03/30/covert-data-scraping-on-watch-as-eu-dpa-lays-down-radical-gdpr-red-line/.

[47] Directorate-General for Communications Networks, Content and Technology of The European Commission, “Study on Data Sharing Between Companies in Europe” (The European Commission, April 24, 2018), https://publications.europa.eu/en/publication-detail/-/publication/8b8776ff-4834-11e8-be1d-01aa75ed71a1/language-en; OECD and the Danish Business Authority, “OECD Expert Workshop: Enhanced Access to Data: Reconciling Risks and Benefits of Data Re-Use” (OECD and the Danish Business Authority, October 2–3, 2017), https://www.oecd.org/internet/ieconomy/oecd-expert-workshop-enhanced-access-to-data-copenhagen-programme.pdf.

[48] Kees Groeneveld, “Four Ways How GDPR Impacts AI” (LinkedIn, March 12, 2018), https://www.linkedin.com/pulse/four-ways-how-gdpr-impacts-ai-kees-groeneveld/.

[49] Kevin Koerner, “GDPR—Boosting or Choking Europe’s Data Economy?” (Deutsche Bank, June 13, 2018), https://www.dbresearch.com/servlet/reweb2.ReWEB?rwsite=RPS_EN-PROD&rwobj=ReDisplay.Start.class&document=PROD0000000000470381.

[50] German Federal Ministry of Education and Research, the Federal Ministry for Economic Affairs and Energy, and the Federal Ministry of Labour and Social Affairs, “‘Made in Germany.’ Artificial Intelligence Strategy” (Federal Government of Germany, November 2018), https://www.ki-strategie-deutschland.de/home.html?file=files/downloads/Nationale_KI-Strategie_engl.pdf

[51] Danish Ministry of Finance and Ministry of Industry, Business and Financial Affairs, “National Strategy for Artificial Intelligence” (The Danish Government, March 2019), https://investindk.com/-/media/invest-in-denmark/files/danish_national_strategy_for_ai2019.ashx.

[52] Ministry of Economic Affairs and Employment, Government of Finland, “Pioneer in Artificial Intelligence. Final Report of the Artificial Intelligence Program” (March 14, 2019), https://julkaisut.valtioneuvosto.fi/bitstream/handle/10024/161447/23_19_Tekoalyraportti.pdf?sequence=4; Ministry of Economic Affairs and Employment, Government of Finland, Press Release: “Turning Finland Into a Leading Country in the Age of Artificial Intelligence” (Government of Finland, March 15, 2019), https://tem.fi/en/article/-/asset_publisher/raportti-suomi-ponnistaa-tekoalyajan-karkimaaksi; AI Finland, “Finland’s Age of Artificial Intelligence” (Ministry of Economic Affairs and Employment of Finland, October 23, 2017), https://www.tekoalyaika.fi/en/reports/finlands-age-of-artificial-intelligence/.

[53] Nick Wallace, “Countries Can Learn from France’s Plan for Public Interest Data and AI” (Center for Data Innovation, August 14, 2018), https://www.datainnovation.org/2018/08/countries-can-learn-from-frances-plan-for-public-interest-dataand-ai/.

[54] Bundestag, Enquete-Kommission, “Künstliche Intelligenz—Gesellschaftliche Verantwortung und Wirtschaftliche, Soziale und Ökologische Potenziale” (German Government, 2018), https://www.bundestag.de/ausschuesse/weitere_gremien/enquete_ki.

[55] France Diplomatie, “French-Finnish Joint Statement for Cooperation on Artificial Intelligence” (Ministère de l’Europe et des Affaires étrangères, August 30, 2018), https://www.diplomatie.gouv.fr/IMG/pdf/fr_fi_statement_ai_final_30082018_cle8b9389.pdf.

[56] U.K. Department for Digital, Culture, Media & Sport and The Rt Hon Matt Hancock MP, “UK and France to Strengthen Ties in AI and Data” (U.K. Government, July 5, 2018), https://www.gov.uk/government/news/uk-and-france-to-strengthen-ties-in-ai-and-data.

[57] Imec press release, “Imec and CEA-Leti Join Forces on Artificial Intelligence and Quantum Computing” (Imec, November 19, 2018), https://www.imec-int.com/en/articles/imec-and-cea-leti-join-forces-on-artificial-intelligence-and-quantum-computing.

[58] Cédric Villani, “For a Meaningful Artificial Intelligence. Towards a French and European Strategy” (AI for Humanity, commissioned by the French Government, March 8, 2018), https://www.aiforhumanity.fr/pdfs/MissionVillani_Report_ENG-VF.pdf.

[59] Dame Wendy Hall and Jérôme Pesenti, “Growing the Artificial Intelligence Industry in the UK,” (London: Independent Report, October 2017), https://www.gov.uk/government/publications/growing-the-artificial-intelligence-industry-in-the-uk.

[60] Jack Hardinges, “What is a Data Trust,” (The Open Data Institute, July 10, 2018), https://theodi.org/article/what-is-a-data-trust/.

[61] Joshua New, “Comments to NITRD on Updates to the 2016 National AI R&D Strategic Plan,” (Center for Data Innovation, October 25, 2018), http://www2.datainnovation.org/2018-nitrd-ai-r%26d.pdf. Financial Times, “Would you donate your data for the collective good?,” (Financial Times, October 30, 2017), https://www.ft.com/content/00390a76-bd4a-11e7-9836-b25f8adaa111.

[62] Directorate-General for Communications Networks, Content and Technology of The European Commission, “Study on Data Sharing Between Companies in Europe,” (The European Commission, April 24, 2018), https://publications.europa.eu/en/publication-detail/-/publication/8b8776ff-4834-11e8-be1d-01aa75ed71a1/language-en.

[63] Data Policy and Innovation (Unit G.1) of The European Commission, “Policy – Open Data,” (The European Commission, last updated on June 8, 2018), https://ec.europa.eu/digital-single-market/en/open-data.

[64] Nick Wallace, “The Commission’s Proposal on Public Sector Data Is Good, But Could Be Better,” (Center for Data Innovation, May 9, 2018), https://www.datainnovation.org/2018/05/the-commissions-proposal-on-public-sector-data-is-good-but-could-be-better/.

[65] World Wide Web Foundation, “Open Data Barometer—Leaders Edition: From Promise to Progress,” (World Wide Web Foundation, September 2018), https://opendatabarometer.org/leadersedition/report/.

[66] Daniel Castro and Travis Korte, “Open Data in the G8: A Review of Progress on the Open Data Charter” (Center for Data Innovation, March 2015), http://www2.datainnovation.org/2015-open-data-g8.pdf; “Ranking the G8 Countries on Open Data” (Information Technology and Innovation Foundation, March 17, 2015), https://itif.org/publications/2015/03/17/ranking-g8-countries-open-data.

[67] Daniel Castro and Travis Korte, “Open Data in the G8: A Review of Progress on the Open Data Charter” (Center for Data Innovation, March 2015), http://www2.datainnovation.org/2015-open-data-g8.pdf.

[68] SAP AI Ethics Steering Committee, “Guiding Principles for Artificial Intelligence” (SAP, September 2018), https://d.dam.sap.com/m/zKaSxze/59552_GB_59552_enUS.pdf.

[69] Nick Wallace and Daniel Castro, “The Impact of the EU’s New Data Protection Regulation on AI” (Center for Data Innovation, March 27, 2018), http://www2.datainnovation.org/2018-impact-gdpr-ai.pdf.

You may also like

Show Buttons
Hide Buttons