Why the EU’s GDPR ‘Simplification’ Reforms Could Unravel Hard-Won Protections

Itxaso Domínguez de Olazábal / May 12, 2025

Since it came into force almost seven years ago, the European Union (EU)'s General Data Protection Regulation (GDPR) has set the global standard for data protection. It empowers people to control their personal data while holding businesses accountable for how they collect, process, and store that data. It also limits some of the harms caused downstream by such processing, such as unfair profiling and discrimination. By protecting people’s rights, the GDPR mitigates risks like identity theft, unwarranted surveillance, and the exploitation of sensitive personal information for commercial gain.

One would imagine that all of the above would cement the GDPR as the cornerstone of the EU’s digital policy and the need to preserve it, but this crucial law is being threatened by a push for profit at any cost. The first blow is scheduled for May 21, with a second likely to follow in the form of a ‘Digital Package’ expected in the fourth quarter of 2025. Proposals to amend this regulation appear to be part of a broader deregulatory trend within the EU that threatens not only data protection but also a range of other fundamental rights.

These reforms are framed as benefiting small and medium-sized enterprises (SMEs) and improving EU ‘competitiveness’, yet they are rooted in a narrative that demands more data for progress—an agenda that risks undermining both human rights and the very regulatory structures designed to protect them. Moreover, this shift could also weaken the EU’s global standing in the realm of digital rights.

A Broad Deregulatory Trend: The Context of Omnibus Packages

In line with the Draghi Report and an ever-growing obsession with ill-defined competitiveness, the EU has become fixated on ‘simplification’, now encapsulated by the new catch-phrase: ‘omnibus packages’. These are legislative reforms that bundle multiple unrelated measures into a single package to streamline and accelerate the regulatory process. They claim to simplify complex legislation, but this approach can also lead to the dilution of protections and oversight, especially when it prioritizes speed and efficiency over careful consideration of the long-term impacts on rights and accountability.

The first iteration of these packages has already slashed rules around corporate sustainability and due diligence for companies, severely undermining human rights and environmental concerns. The fourth omnibus package is set to chip away at GDPR protections under the banner of simplification. One key change targets Article 30(5), broadening the exemption from record-keeping obligations beyond SMEs to include small mid-cap companies—firms with fewer than 500 employees and a specific turnover.

Under the proposed amendment, these companies would only be required to maintain records of processing if their activities are likely to pose a ‘high risk’ to people’s rights and freedoms. The condition related to ‘occasional processing’ would be scrapped, and the exemption would apply even where special categories of data are processed, unless the processing is done to comply with specific legal obligations in employment, social security, or protection law. In other words, processing so-called ‘sensitive data’ would no longer automatically require documentation.

These changes could carve out wide-ranging exemptions based simply on company size and turnover, ignoring the reality that data-related risks are not necessarily proportionate to employee count. A recent letter from the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS)—the two main bodies responsible for interpreting and enforcing EU data protection rules—expresses ‘preliminary support’ for this initiative but also flags several of the same concerns, from the risk of undermining protections to the lack of clarity and evidence about its impacts.

What few are saying—or are too afraid to say—is that this could lead, now or in the future, to a broader reopening of the GDPR, which would be like opening a Pandora’s box to cater to the varying wish-lists of stakeholders unhappy with the current law, including companies that feel restricted by the obligations to respect human rights. Some appear to be taking simplification as far as following the UK's worrying lead, proposing cookie consent exceptions and weaker safeguards with a straight face, as if Brexit-era deregulation were a blueprint for responsible digital governance.

What makes the current package even more concerning is the potential intention to rely on the urgency procedure, a procedural shortcut introduced in the European Parliament’s current mandate through its internal Rules of Procedure. This mechanism has already been used for other omnibus packages. While it speeds up the legislative process by allowing the Parliament to fast-track proposals, it comes at a cost: MEPs cannot adopt a formal report or propose amendments, nor can they request an impact assessment. In practice, this limits democratic scrutiny and weakens the Parliament’s ability to shape legislation based on evidence and debate. This procedure signals a false sense of urgency and a willingness to bypass regular safeguards, making it a dangerous precedent in the context of a landmark rights-based regulation.

Even if the first attempt at reopening GDPR is indeed constrained to just one or two provisions, the problem runs deeper: the Overton window has shifted since 2016, when the law was first adopted. Once the political and regulatory machinery is set in motion and it becomes publicly acceptable—even routine—to tinker with a landmark regulation like GDPR, the threshold for further changes lowers dramatically. What was once politically unthinkable becomes debatable. What was once debatable becomes negotiable. The mere act of revisiting the text, no matter how narrowly framed, signals that the door is no longer locked.

In addition to the proposed changes to GDPR, there seems to be a push for undoing regulatory safeguards in general—an eagerness to eliminate perceived barriers to economic growth, regardless of the potential consequences for social justice and human rights. We already saw this when the Corporate Sustainability Due Diligence Directive (CSDDD)—designed to hold corporations accountable for human rights and environmental violations—was watered down (further undermining the EU’s green ambitions, as detailed below). At the same time, other regulations critical to digital governance, like the Digital Services Act (DSA), Digital Markets Act (DMA), and the AI Act, are all under threat and accused of being too burdensome for businesses.

This greed for deregulation is driven by the belief that fewer regulations will unleash economic growth, without questioning the fact that the competitive agenda only benefits the big players. What is also left unspoken is the consequence of this deregulatory push—it could very well create a race to the bottom in corporate accountability, leaving people and collectives even more exposed to exploitation and discrimination. This isn’t just a risk for people in the EU; it sets a dangerous global precedent, where other countries could weaken data protection and human rights safeguards as well.

The Deregulatory Push: More Data, More Risk

The Commission’s broader Digital Package, expected for Q4, will apparently list the GDPR among several laws targeted for possible amendment, signaling a broader deregulatory trend that extends beyond the SME framing. A key argument driving this push is the belief that ‘we need more data’ to drive technological innovation, especially in areas like AI and data-driven profiling and advertising. The rhetoric of unlimited data is framed as essential for global competitiveness, and businesses, particularly SMEs, are said to be burdened by the data protection requirements set by GDPR. But this argument is just a smokescreen for prioritizing profit over ethics and human rights.

This drive for more data also rarely considers the environmental impact of processing and storing vast amounts of personal data. The EU’s deregulation agenda not only ignores the social and ethical consequences but also disregards the carbon footprint of data processing.

Two False Dichotomies

The deregulatory greed is sustained by two false dichotomies, each rooted in blinkered thinking that ignores the broader impacts of deregulation.

First, there’s the false dichotomy that data protection laws, like GDPR, hinder growth given today’s technological advancements. In reality, data protection is technologically neutral and ultimately aims to minimize risks to individuals' rights, which is critical for long-term sustainable growth. Rather than stifling competition, GDPR ensures that all companies, big or small, are held to the same standards. This creates a level playing field and builds trust between businesses and individuals, fostering a sustainable digital economy.

GDPR is also about proportionality. Data protection enforcement trends over the past five years reveal that most fines have been directed at large, well-established entities. These include major tech giants, large telecom and ad tech companies, and some large public institutions. In contrast, early-stage startups rarely face fines, and when they do, it is typically for clear, easily avoidable violations.

It is deeply problematic that many stakeholders, including institutional ones, increasingly frame the GDPR as a ‘risk-based’ regulation, rather than recognizing it as what it is: a rights-based law that uses risk assessment as a means to uphold fundamental rights. This shift is not neutral. It repositions rights as negotiable, to be weighed and balanced against organisational interests, rather than treated as non-negotiable obligations. In doing so, it opens the door to a logic where harm is tolerated as long as it is deemed manageable, undermining the GDPR’s core purpose and enabling regulatory weakening through seemingly technical reforms.

Speaking of risk, what is surely not coincidentally left out is that it’s not the size of businesses that matters, but the risks tied to unchecked data collection and processing. The risks of data exploitation and breaches depend on the manner and purpose of data collection. Even small businesses can cause significant harm to individuals if they fail to implement proper safeguards.

Second, there’s the false dichotomy between regulation and innovation. The narrative that regulation stifles technological progress is misleading. In truth, strong data protection laws encourage ethical innovation. When people trust that their data is handled responsibly, they are more likely to engage with businesses, thus driving innovation that respects human rights. The false greed for more data ignores this balance, pushing for unchecked data collection at the expense of social responsibility and privacy.

The Need for Stronger Regulation and Actual Enforcement

Rather than weakening GDPR to meet the demands of corporate interests, the EU should strengthen it to ensure that the digital economy evolves in ways that protect people’s rights and foster rights-respecting innovation. By upholding and strengthening GDPR, the EU could ensure that businesses are held accountable for their data practices and that people’s rights are respected. The same goes for other laws, notably the AI Act, the DSA, and the DMA. They may not be perfect, but they are useful mechanisms for protecting people, particularly minoritised communities.

Efficient enforcement of these laws should be a top priority for the EU, but that is clearly not the case. No matter how flashy (and very much welcome) the big fines against tech giants may be, like the latest one against TikTok for data transfers to China, the reality is that GDPR enforcement procedures (especially cross-border cases, which typically involve the most powerful actors) remain tortuous and excessively slow.

Moreover, the focus of enforcement must shift away from the checkbox compliance approach many companies adopt (where compliance is reduced to little more than a line item in their budget) and towards genuine adherence to the spirit of the law. It is crucial to recognize that the friction created by reporting and compliance exercises is often essential for the effective enforcement of the law.

It is also vital to acknowledge that while compliance is necessary, it is not enough. Respecting rights and upholding the law should be the true driving force behind digital regulation. Yet, regrettably, that is not the case today. Take, for example, the ongoing negotiations for a regulation on cross-border GDPR enforcement: despite the persistent obsession with simplification, the emerging law will likely fail to streamline procedures or make them more effective. The irony here is hard to overlook.

This failure to prioritize genuine enforcement undermines the EU’s leadership in digital rights. Weakening these laws would not only harm people’s rights but also undermine the EU’s role as a global leader in digital governance. The EU must continue to champion robust laws, ensuring that the digital economy works for everyone: individuals, communities, businesses, society at large, and eventually, the planet.

Authors

Itxaso Domínguez de Olazábal
Itxaso Domínguez de Olazábal, PhD, is an expert in data protection and privacy, with a focus on commercial surveillance and the multidimensional virtual harms caused by online tracking. She also specialises in online freedom of expression, examining the role of security forces in content governance....