The question arises as to whether the numerous procedural rules of the GDPR, the Digital Services Act and the AI Act are tailor-made for large (US) companies, while they are perceived as a bureaucratic burden by smaller companies and NGOs which struggle to achieve compliance with the GDPR. Meanwhile, “internet giants” have coped better with the new rules than expected, as they have the necessary resources when it comes to compliance. At the same time, these regulations avoid prohibitions and “red lines”, and the legislator avoids making the corresponding (difficult) decisions. By relying on procedural rules rather than clear red lines, legislators are avoiding value decisions. Do future legislators need to be more courageous? Or would it lead to over-regulation if governments did not only set rules for digital business models but declared business models simply illegal?