Is AI Challenging the Foundations of EU Law?
- Sanna Wong-Toropainen
Author:
Sanna Wong-Toropainen - PhD Candidate at the University of Helsinki, Faculty of Law
Visiting researcher at CodeX, Stanford Center for Legal Informatics
Author of EU Datasääntely – käsikirja viiteen asetukseen
Introduction
The EU’s 2020 Data Strategy imagined a single market for data, where information flows freely, securely, and fairly. Five years later, the narrative has shifted toward artificial intelligence (AI). The Apply AI Strategy now seeks to accelerate responsible AI deployment within Europe, while the Data Governance Act (DGA), Data Act, Digital Services Act (DSA), Digital Markets Act (DMA) and the AI Act remain the core pillars of the EU’s digital regulations -- and a source of growing debate about complexity, competitiveness, and control.
Despite early promises of greater data access, businesses have described the post-Data Strategy legislative measures as a “regulatory tsunami”. Their concern lies in the sheer volume and complexity of the laws, which they argue pushes innovation outside Europe. Mario Draghi’s 2024 report on EU competitiveness echoed these fears, warning that inconsistent digital regulation risks fragmenting Europe’s internal market. Hence, already in 2025, the European Commission began preparing to simplify the data regulations.
In September 2025, the Commission launched a call for evidence to address the simplification of data, cybersecurity, and AI rules, modelled after the broader Omnibus effort, which has focused, among other things, on simplifying sustainability reporting. However, privacy rights groups such as EDRi (2025) warn against “simplification” that would weaken fundamental-rights safeguards, for example by blurring the line between industrial data and personal data (1). The growing debate over regulatory simplification raises a deeper question: what kind of innovation does the EU want to promote?
Regulating innovation through rights
Since the early 2000s, the Union’s approach has been less about deregulation and more about steering innovation through legal norms and rights protections.
Scholars such as Anu Bradford describe the EU as a “Fundamental-Rights superpower” (2). Rather than seeing regulation and innovation as opposites, the EU has sought to regulate innovation through rights. Through the “Brussels Effect”, as Bradford coined it, the EU has shaped global privacy laws especially through the General Data Protection Regulation (GDPR).
However, the EU’s regulatory ambitions are not driven solely by fundamental rights protection. The Union’s primary goal has been to facilitate the free movement of goods, services, capital, and people -- harmonizing national laws and removing internal trade barriers, like customs (3). This market-building logic also continues with the AI Act, which aims to ensure that AI systems can circulate freely within the single market.
Balancing the dual objectives, rights protection and market integration, can be challenging. On the one hand, the AI Act embeds human-rights assessments for high-risk AI systems (Article 27), requiring both public bodies to evaluate the impact of their AI systems on fundamental rights such as privacy, non-discrimination, and access to justice. On the other hand, it introduces mechanisms intended to simplify compliance and accelerate market entry, such as regulatory sandboxes and harmonized conformity assessments, which aim to lower administrative barriers and enable cross-border market entry within the Union (4).
Simplifying without hollowing out rights
The Commission’s simplification efforts risk tilting the balance toward market integration. As EDRi (2025) fears, fewer reporting duties or delayed timelines might reduce transparency and accountability, especially under the AI Act and Digital Services Act. These fears are understandable: the April 2025 sustainability Omnibus exempted about 80% of companies from mandatory reporting.
Today, European companies navigate a dense web of complementary reporting and compliance duties. Under the Data Governance Act (DGA), data intermediaries must provide detailed transparency reports on their operations, including user complaints and data-sharing statistics (Article 11(2)). The Data Act imposes further obligations on data holders to document access requests, maintain interoperability standards, and report refusals of data sharing (see, e.g., Articles 4–8).
The Digital Services Act (DSA) requires, for example, online platforms to publish annual transparency reports detailing their content moderation activities, including the number of notices received, actions taken, and measures to address systemic risks (Article 15). Similarly, the Digital Markets Act (DMA) mandates designated gatekeepers to submit annual compliance reports detailing how they meet obligations on data portability, self-preferencing, and interoperability (Article 11).
If the upcoming Digital Omnibus succeeds in harmonising these processes by aligning reporting cycles and removing duplication, it could actually strengthen enforcement rather than weaken it.
Since spring 2025, however, the Commission has reportedly considered delaying implementation to allow more time for standardisation and oversight readiness (5). Such quick manoeuvres to relax company obligations raise questions about legal certainty and firms’ capacity to keep pace first with new rules, and then with revisions to them (6).
Conclusion
As Europe moves from regulating data to governing artificial intelligence, its challenge is no longer technical; it is more philosophical. While the General Data Protection Regulation (GDPR) is often celebrated as an export of “European values”, the EU’s notion of privacy as individual control over data actually traces its origins to the US. The concept, articulated by Alan F. Westin in Privacy and Freedom (1967), shaped global privacy thinking long before Europe codified it into law. In this sense, the GDPR represents not a uniquely European invention but a form of regulatory mirroring: Europe translated American privacy theory into enforceable law (e.g., GDPR) and later exported it back across the Atlantic.
As simplification reshapes the regulatory landscape, we might see more Brussels mirroring than an effect. If Europe’s current simplification agenda is misunderstood as deregulation, the Brussels Mirror may reflect others’ ambitions more than Europe’s own values.
References
(1) European Digital Rights (EDRi), Consultation response to the European Commission’s call for evidence on the Digital Omnibus, October 15, 2025;
Available at https://edri.org/our-work/consultation-response-to-the-european-commissions-call-for-evidence-on-the-digital-omnibus/
BITKOM e.V., Digital Omnibus: Position Paper on the Call for Evidence, 2025 (Position paper, noting inter alia that the Data Act applies both to industrial and personal data).
(2) Bradford A., The Brussels Effect: How the European Union Rules the World, Oxford University Press, Oxford, 2020;
Available at https://doi.org/10.1093/oso/9780190088583.001.0001
(3) Wong-Toropainen S., Euroopan unionin datasääntely – käsikirja viiteen asetukseen, Edilex Lakitieto, Helsinki, 2025, ISBN 978-951-37-9302-9.
(4) Articles 43–47 and 53 of Regulation (EU) 2024/1689 (Artificial Intelligence Act).
(5) MLex Market Insight & FEBIS, EU considers “stop-the-clock” delay for the Artificial Intelligence Act implementation, MLex Market Insight, July 18, 2025.
Available at https://mlexmarketinsight.com
(6) See e.g. Arnal J., AI at risk in the EU: It’s not regulation, it’s implementation, in European Journal of Risk Regulation, 2025, pp. 1 ff.;
Available at https://doi.org/10.1017/err.2025.10003
Montagnani M. L., The EU regulatory approach(es) to AI liability, and its implications for legal certainty, in Computer Law & Security Review, vol. 44, 2024.
Available at https://doi.org/10.1016/j.clsr.2024.101815
Biography of the Guest Expert
Sanna Wong-Toropainen is a PhD Candidate at the University of Helsinki, Faculty of Law and a visiting researcher at CodeX, Stanford Center for Legal Informatics. She is an expert in EU data and technology law and the author of EU Datasääntely – käsikirja viiteen asetukseen (Edilex, 2025), a comprehensive handbook on the EU’s five core data regulations, including the EU AI Act, Digital Markets Act and Data Act.