More than 100 groups and individuals banded together today to oppose any changes to the EU’s landmark General Data Protection Regulation (GDPR).
Potential GDPR changes for simplifying the data privacy law’s recordkeeping requirements for small businesses could be unveiled as soon as this week. Michael McGrath, EU Commissioner for Democracy, Justice, the Rule of Law, and Consumer Protection, said in March comments to the Center for Strategic and International Studies (CSIS) that the GDPR will be included in EU simplification efforts.
“GDPR will feature in a future omnibus package, particularly around the recordkeeping for SMEs and other small and medium-sized organizations with less than 500 people,” McGrath told CSIS. “So we will be examining what ways in which we can ease the burden on smaller organizations in relation to the retention of records while at the same preserving the underlying core objective of our GDPR regime.”
Coalition Opposes GDPR Changes
In a letter today to McGrath and Henna Virkkunen, Executive Vice-President of the European Commission for Technological Sovereignty, Security, and Democracy, a broad coalition of groups and individuals said they oppose any changes to GDPR.
“We write as civil society organisations, academics, companies, trade unions, experts and others alarmed by a growing risk: that the most important digital rights law seems set to be quietly unravelled,” they wrote. “… The GDPR is more than a Regulation. It is the backbone of the EU’s digital rulebook, a hard-fought legislative achievement that sets high standards and safeguards people’s dignity in a data-driven world. Its impact reaches far beyond the EU’s borders, influencing digital governance globally.”
The groups, which include Amnesty International, the Electronic Privacy Information Center (EPIC), Mozilla, Proton, Public Citizen, and noyb, the European Center for Digital Rights, said the changes are expected as part of the fourth omnibus package, in addition to “mounting rumours that the GDPR will be further reopened in subsequent initiatives later this year or beyond.”
A European Commission document says the “Fourth Omnibus on small mid-caps” is on the agenda for the May 21 Commission meeting.
While the proposed changes “are good in theory … they could allow some companies to avoid keeping records of data processing (even when handling special categories of data) purely based on staff headcount or turnover,” the groups said.
The changes could undermine the GDPR’s risk-based approach and recognition of personal data protection as a fundamental right, they said.
“Data rights do not become less important when the controller is smaller; and people’s vulnerability to harm does not shrink accordingly,” the groups said. “While competitiveness is important, using it to justify exemptions from core protections sends a worrying message: that people’s rights are expendable when economic interests are at stake.”
Groups Worry Reopening GDPR Could Lead to Broader Changes
The groups are concerned that small business changes could be just the start.
“Once reopened, the GDPR could become vulnerable to broader deregulatory demands,” they said. “Many such pressures are already visible, including calls to weaken rules on consent with no effective safeguards for users, or legitimise invasive uses of personal data for AI training.”
Instead of weakening legal protections, the groups said the EU should “invest in real enforcement of existing rules against repeat offenders, while improving guidance, access to tools, and proportional compliance support for smaller actors.”
A number of reports and commentaries by European officials have highlighted burden on small businesses, inconsistent enforcement among EU members, and the need for data for AI model training and medical research as areas of GDPR that should be revisited.
In a February commentary for the Centre for European Policy Studies (CEPS), European Parliament member Axel Voss said that “legally secure methods for anonymised and pseudonymised data processing should be developed to allow AI training and medical research while preserving privacy.”
