In a Bitkom survey from 2025, 81 percent of the companies surveyed said that the GDPR made their business processes more complicated. In 2016, only a quarter (25 percent) held this opinion. In 2025, 97 percent rated the effort for data protection as high, of which 44 percent rated it as very high.
There are many reasons for the discontent. 82 percent of the companies surveyed by Bitkom cite uncertainty regarding the exact data protection requirements as a challenge in 2025. At the same time, 86 percent are of the opinion that implementation is never completely completed because companies have to continuously react to technical and legal developments. Data protection is perceived as a particularly challenging, ongoing compliance task.
Bitkom
AI – the new test
Data-driven projects are particularly affected. In 2025, 59 percent of study participants reported that the creation of data pools had failed or was not even attempted due to data protection regulations. Values also remain high when it comes to data analysis tools, AI applications and the digitalization of business processes. Data protection requirements are therefore perceived as a hurdle especially where – as is particularly the case with AI – innovations rely on large amounts of data.
The result: According to Bitkom, six out of ten companies (59 percent) generally see European data protection as an advantage for AI development in Germany and Europe when compared internationally. However, in practice they experience the opposite. In 2025, two thirds (69 percent) of those surveyed said that data protection made it difficult to train AI models with enough data.
“The reality is: AI is not developed in Europe because of our data protection practices, but the models are still used here,” said Bitkom President Ralf Wintergerst, commenting on the results. “Nothing has been gained in terms of protecting the data of European citizens, but a lot has been lost for Europe as a business location.”
Bitkom is therefore calling for a reform that strengthens data protection where real risks arise for people – and relieves the burden on companies where formal obligations do not provide additional protection. Specifically, this means a consistent risk orientation of the GDPR and a uniform understanding that the training and operation of AI systems must also be possible in Europe, said Wintergerst.
