Pre-Approval, Not Post-Damage: Regulating High-Risk Data Tools (Part 3)

We urgently need a shift toward a “comply first, deploy later” regime for high-risk technologies

Published: 11 June 2025

Imagine if a pharmaceutical company could release a new drug without proving its safety. The scenario would be deemed reckless. Yet with powerful surveillance and data integration tools like Palantir, governments around the world are doing just that: deploying high-risk technologies with little to no public oversight or formal review before implementation.

While some regions like the EU have GDPR and others like New Zealand have robust privacy legislation, these frameworks are often circumvented through loopholes such as national security exemptions. There is no binding global standard that requires prior approval of such technologies, even when they affect millions of citizens’ data.

We urgently need a shift toward a “comply first, deploy later” regime for high-risk technologies that rely on mass data processing and algorithmic decision-making. Such a regime should include:

1. Mandatory privacy and human rights impact assessments before deployment, reviewed by independent regulatory bodies.

2. Public disclosure of essential information: the technology’s purpose, data sources, governance, and retention policies.

3. National or regional registers for high-risk tools, overseen by data protection authorities with the power to delay or block implementation.

4. Strong penalties for non-compliance, including mandatory suspension or removal of unapproved systems.

This approach would serve all countries equally. The EU has the opportunity to lead with its existing GDPR framework, but nations like New Zealand, Canada, and Australia—who pride themselves on liberal democratic values—can and should act in parallel.

A harmonized international stance is necessary. Otherwise, governments and corporations alike will continue to exploit legislative gaps to roll out powerful, opaque technologies like Palantir with little scrutiny and great consequence. Protecting the privacy and autonomy of citizens is not a regional issue—it’s a global imperative.

By institutionalizing a pre-approval requirement, democracies can reaffirm their commitment to transparency, individual rights, and the rule of law in the digital age.

The author is an independent historian and commentator specializing in European memory, conflict, and reconciliation.