Gamma hit $50M ARR with 52 people while AI peers burn billions. Now at $2.1B valuation, the profitable presentation tool faces its real test: can a purpose-built AI product beat Microsoft and Google's free bundled features?
Good Morning from San Francisco, Germany invented modern privacy law in 1970. Built from surveillance trauma. Today it leads the
Germany wrote Europe's privacy playbook after the Nazis weaponized census data and the Stasi monitored citizens. Now Berlin is leading the charge to gut those protections, handing trillion-dollar AI companies access to European data through regulatory shortcuts.
Germany wrote Europe's privacy playbook after the Nazis weaponized census data and the Stasi monitored citizens. Now Berlin is leading the charge to gut those protections, handing trillion-dollar AI companies access to European data through regulatory shortcuts.
October 23, 2025. Germany sends 19 pages to the European Commission. Changes to the General Data Protection Regulation.
The requests? Rebalance legal bases so consent isn't "first among equals." Firm up anonymization definitions. Curb abusive data-rights requests. And push the Commission to resolve legal uncertainty around AI training. Silicon Valley would applaud, except the author is Berlin.
Germany invented modern data privacy. The state of Hesse's 1970 law came first globally, direct response to Nazi census abuse that identified Jews for extermination. The 1983 Constitutional Court decision made "informational self-determination" fundamental. Stasi surveillance in former East Germany remained vivid. These weren't abstract legal theories.
Defensive fortifications.
Trauma-built. Fifty years of construction. Germany now leads the demolition.
The Breakdown
• Germany's October proposal pushed Commission to create Article 88c allowing AI training under "legitimate interest" without explicit consent
• Commission used fast-track procedure bypassing impact assessments, giving some units just five days to review 180-page GDPR rewrite
• Changes narrow "personal data" definitions and restrict employee/journalist access rights, benefiting trillion-dollar AI companies over SMEs
• Meta resumed EU AI training May 2025 after Irish DPC approval, five months before Commission proposed legalizing the exact approach
November 19: The Commission unveils its "Digital Omnibus" package. Simplification procedure on a tight schedule.
Privacy groups say the process bypasses normal impact assessments and extended review periods. According to noyb, some Commission units had just five working days to comment on 180-plus pages that rewrite core GDPR protections.
What did member states actually ask for? Leaked Council papers show France, Estonia and Slovenia opposed reopening the GDPR. Austria urged a focus on implementation rather than legislative changes. Germany pressed for broader reform, an outlier among those submitting substantive requests.
Max Schrems overturned two EU-US data transfer frameworks with legal challenges. His assessment: "Most Member States asked for tiny changes and no reopening. Germany has traditionally taken an anti-GDPR position in Europe. It seems easier to blame some EU law for German problems with digitisation than to fix matters nationally."
The leaked Commission draft substantially overlaps with Berlin's asks. In places it goes further, including a new Article 88c that lets AI development and operation proceed under legitimate interest with safeguards. Germany didn't just influence the process.
It dictated it.
Death by a thousand cuts. Each change sounds technical when read alone.
Personal data gets redefined. The draft introduces "subjective approach" logic. Data only counts as personal if a specific controller can identify you. Two decades of European Court of Justice precedent? Abandoned. Companies using pseudonyms or random IDs could argue they operate outside GDPR jurisdiction. User12473 isn't personal data. Tracking cookie strings aren't personal data. The online advertising industry might simply exit regulatory reach.
AI training gets explicit permission. The leaked Commission text adds Article 88c, permitting AI development and operation under legitimate interest with safeguards. It narrows Article 9 so protection applies when sensitive traits are directly revealed. Health information, political beliefs, religious affiliation become fair game for training if not "directly revealed." No consent required. Companies offer an opt-out form instead, which assumes three impossible things: users know their data is being used, can identify which companies have it, will individually object to hundreds of AI developers. OpenAI operates at massive scale. Free access to European data for commercial training.
Data rights get purpose restrictions. Germany's proposal limits rights (access, deletion, correction) to "data protection purposes" only. Employee requesting work hours during a wage dispute? Potentially abusive. Journalist seeking information for an investigation? Might face rejection. The right becomes conditional on acceptable motivation, which the Court of Justice explicitly rejected years ago.
Device access moves under new rules. Leaked text creates Article 88a with a closed list of device-level purposes: transmission, services explicitly requested, first-party audience measurement, security. Other purposes must use standard GDPR legal bases. Current framework restricts remote access to protect communications privacy. New version creates exceptions that could justify device data access.
The Commission had planned a "Digital Fitness Check" in 2026. Collect evidence first, then propose targeted updates. Civil society groups say it jumped to comprehensive reform instead. Germany's playbook got adopted wholesale.
December 2024. Nick Clegg publishes an op-ed in Le Monde. Meta's President of Global Affairs attacks European data protection authorities for "dragging their feet" on AI decisions. "Snail's pace" blocking "growth and innovation." Mario Draghi's September competitiveness report provided the anxiety. Clegg weaponized it.
Tech companies flooded the Commission's public consultation on digital simplification with GDPR attacks. Google, Meta, Microsoft, Amazon. Same message in different corporate letterhead. Privacy rules block innovation. AI needs data freedom. Europe is falling behind.
Meta tested boundaries through action, not petitions. May 2024: the company announced AI training on European user posts under "legitimate interest" provisions. Irish Data Protection Commission forced a pause in June. Privacy advocates filed complaints. Regulatory concerns mounted.
Then the reversal. Irish DPC conducted extensive review. Sought European Data Protection Board opinions. May 2025 brings approval of Meta's approach, minor safeguards attached. May 27, 2025: Meta resumes AI training on public Facebook and Instagram content across the EU.
Five months later the Commission proposes making that approach explicit GDPR policy. Meta lobbied. Meta proceeded without permission. Meta got caught. Meta is getting its actions legalized retroactively.
Clegg is leaving Meta in 2025, but his infrastructure remains. The competitiveness arguments he deployed, the anxiety he cultivated, they're embedded in Commission proposals now. Former UK Deputy Prime Minister. Years in Brussels. He knows the machine.
Official justification centers on small and medium enterprises. Cut administrative burden by 25% for all companies, 35% for SMEs. Ease record-keeping requirements. Shrink compliance documentation.
Now look at who actually benefits from the GDPR changes.
Narrower personal data definitions help companies operating via pseudonymous tracking. Advertising technology platforms. Not neighborhood bakeries. AI training exemptions serve organizations with computational resources for large language models. OpenAI. Google. Microsoft. Meta. Companies valued in trillions.
Record-keeping simplifications for SMEs amount to raising employee thresholds from 250 to 750 for certain exemptions. Useful for mid-sized companies. Hardly revolutionary. The European Data Protection Board noted in July 2025 that even if changes affect 38,000 companies, "the real question is how much difference the changes will actually make to the overall GDPR compliance burden."
Compare modest administrative relief to what AI companies gain: Access to 450 million Europeans' data for commercial training without explicit consent. Reduced obligations for honoring access requests. Expanded ability to pull information from personal devices.
Big tech wins dressed in SME clothing.
Germany's privacy reversal tracks with economic anxiety. Digital infrastructure lags. Major corporations haven't produced a tech giant rivaling American or Chinese AI leaders. Bureaucracy becomes convenient scapegoat.
But check the diagnosis. Germany's digitalization problems stem from infrastructure investment gaps, fragmented systems, procurement dysfunction. The GDPR didn't prevent Deutsche Telekom from building fiber networks. It didn't stop SAP from developing cloud platforms. Blaming privacy law for structural economic challenges creates permission to weaken protections without fixing actual problems.
European Commission Executive Vice President Henna Virkkunen oversees digital legislation. Reports say she's told US businesses in private meetings the EU will review rules to become more business-friendly. That's diplomacy. Whether those assurances drove policy or policy rationalized assurances remains unclear.
Multiple pressure points. Draghi's September 2025 competitiveness report. Trillion-dollar company lobbying. German industrial anxiety. Trump returns to the US presidency in January 2025, which matters because accommodating American tech giants suddenly carries diplomatic weight. Three years ago these changes would have been politically impossible. Now they have cover.
Brussels insiders describe Virkkunen's unit (DG CONNECT) as attempting to "overrun everyone else" in the Commission, disregarding normal lawmaking procedures. Push through changes before opposition crystallizes. Whether by design or desperation, the process resembles aggressive American executive action more than traditional European consensus-building.
Privacy advocates face gutted enforcement. According to noyb's analysis of European Data Protection Board statistics, only 1.3% of GDPR complaints result in fines. Irish media report the DPC has collected just 0.6% of penalties levied against companies under its jurisdiction. These changes make even successful cases harder to win. Employee data protections weaken. Journalistic investigations face new obstacles. Sensitive data about health, religion, political beliefs gets processed for AI with minimal restrictions.
European tech companies outside the US lose their advantage. The changes primarily benefit incumbents with existing data troves and computational resources. European AI startups won't suddenly compete with OpenAI because the GDPR loosens. They lack scale, investment, data moats that established players built. Meanwhile their competitive advantage disappears. Operating in a high-trust regulatory environment where users know their rights are protected? Gone.
EU lawmaking legitimacy takes a hit. Fast-tracking comprehensive reform through a simplification package, bypassing impact assessments and stakeholder consultation, creates precedent. The Commission can rewrite fundamental rights protections under time pressure and procedural shortcuts. What other core regulations become vulnerable to similar treatment?
The proposal still must pass through European Parliament and Council. Opposition is forming. Czech Pirate Party MEP Markéta Gregorová (Greens/EFA) warned that "Europeans' fundamental rights must carry more weight than financial interests." EPP MEP Aura Salla, formerly Meta's EU affairs lead, has argued for GDPR simplification in general terms.
Germany built European data privacy from surveillance state ashes. Now it's leading the dismantling. The reasons are economic anxiety, corporate lobbying, competitiveness panic. The method is procedural bypass and regulatory capture. The beneficiaries are exactly the trillion-dollar companies whose dominance European policymakers claim to fear.
Q: What's "legitimate interest" and why does it matter for AI training?
A: "Legitimate interest" is a GDPR legal basis that lets companies process data without asking permission first, as long as their business needs outweigh privacy risks. Currently, AI training's legal status is unclear. The proposed Article 88c would explicitly allow it, meaning Meta, Google, and OpenAI could train on European data by default with just an opt-out form, not requiring opt-in consent.
Q: How would the opt-out process actually work for users?
A: Users would need to find and submit individual objection forms to each AI company using their data. The problem: companies often don't know which specific user data they've scraped from the public web, making it nearly impossible to match objections to training datasets. Meta's current approach requires users to submit forms through privacy settings, but for companies scraping public websites, there's no practical enforcement mechanism.
Q: When would these changes actually take effect?
A: The Commission presents the Digital Omnibus on November 19, 2025. It must then pass through European Parliament and Council negotiations, typically taking 12-24 months. Implementation would follow 6-12 months after final approval. Realistically, changes wouldn't affect companies until late 2026 or 2027, assuming the proposal survives political opposition from France, Estonia, Slovenia, and privacy advocates.
Q: What was Germany's 1983 Constitutional Court ruling about?
A: Germany's Constitutional Court established "informational self-determination" as a fundamental right after proposed census questions alarmed citizens who remembered how Nazis used census data to identify Jews. The ruling said individuals have authority to decide when and how their personal data is disclosed and used. This became the philosophical foundation for EU data protection law and eventually the GDPR.
Q: How much GDPR enforcement actually happens now?
A: According to noyb's analysis of European Data Protection Board statistics, only 1.3% of GDPR complaints result in fines. In Ireland, which oversees Meta, Google, and other tech giants, the DPC has collected just 0.6% of penalties it imposed. The proposed changes would make enforcement even harder by narrowing what counts as "personal data" and limiting when employees and journalists can request their own information.
Marcus Schuler
Robert Brown
Marcus Schuler
Seven families sue OpenAI, claiming ChatGPT drove four people to suicide after a May 2024 design change prioritized engagement over safety. The cases test whether AI chatbots qualify as products under liability law.
OpenAI's CFO floated a federal backstop for AI infrastructure, then reversed within hours after White House rejection. The whiplash exposed the core problem: OpenAI needs $1.4 trillion while generating $20 billion. The math doesn't work.
OpenAI's CFO suggested federal backing for AI infrastructure at WSJ conference, as company seeks taxpayer support for $1.4 trillion buildout against $13B revenue. The ask arrives amid circular tech deals and shutdown-era austerity.
China slashes data center power bills by half—but only for domestic chips. Trump blocks Nvidia's Blackwell exports. Two governments, two subsidy strategies, one question: who can afford their industrial policy longer?
Get the 5-minute Silicon Valley AI briefing, every weekday morning — free.
