Europe’s GDPR privacy law is headed for red tape bonfire within ‘weeks’

BRUSSELS — Europe’s most famous technology law, the GDPR, is next on the hit list as the European Union pushes ahead with its regulatory killing spree to slash laws it reckons are weighing down its businesses.

The European Commission plans to present a proposal to cut back the General Data Protection Regulation, or GDPR for short, in the next couple of weeks. Slashing regulation is a key focus for Commission President Ursula von der Leyen, as part of an attempt to make businesses in Europe more competitive with rivals in the United States, China and elsewhere. 

The EU’s executive arm has already unveiled packages to simplify rules around sustainability reporting and accessing EU investment. The aim is for companies to waste less time and money on complying with complex legal and regulatory requirements imposed by EU laws.

The GDPR is seen as one of Europe’s most complex pieces of legislation by the technology sector — and by businesses far and wide beyond tech — for how it forces companies doing business in Europe to manage their data and to handle the requests and rights of data subjects to that personal data. Its introduction in 2018 drew a deluge of desperate emails from firms asking for people’s consent to use their data.

Seven years later, Brussels is taking out the scissors to give its (in)famous privacy law a trim.

There are “a lot of good things about GDPR, [and] privacy is completely necessary. But we don’t need to regulate in a stupid way. We need to make it easy for businesses and for companies to comply,” Danish Digital Minister Caroline Stage Olsen told reporters last week. Denmark will chair the work in the EU Council in the second half of 2025 as part of its rotating presidency.

The criticism of the GDPR echoes the views of former Italian Prime Minister Mario Draghi, who released a landmark economic report last September warning that Europe’s complex laws were preventing its economy from catching up with the United States and China. “The EU’s regulatory stance towards tech companies hampers innovation,” Draghi wrote, singling out the Artificial Intelligence Act and the GDPR.

For small and cash-strapped businesses, the reams of documentation the GDPR asks companies to produce has long been a gripe. Justice Commissioner Michael McGrath said the key takeaway from a review of the GDPR last summer “is the need for greater support [for] businesses, especially SMEs, in their compliance efforts.” 

McGrath confirmed last week that a proposal to simplify the GDPR is due in the “coming weeks.” The Commission had planned to agree on a so-called simplification package for small and medium-sized businesses on April 16, according to the Commission’s diary, but that date has since been bumped to May 21.

A Commission official, granted anonymity to discuss ongoing planning, told POLITICO that the date is “only indicative” and that it has not been decided whether the GDPR will feature in the package — but that the proposal to simplify privacy rules will definitely be delivered “by June.”

Justice Commissioner Michael McGrath said the key takeaway from a review of the GDPR last summer “is the need for greater support [for] businesses, especially SMEs, in their compliance efforts.” | Martin Bertrand/Hans Lucas/AFP via Getty Images

The Commission said previously that the simplification plan will focus on reporting requirements for organizations with less than 500 people, but will not touch the “underlying core objective of [the] GDPR regime.” 

Adjustments could include limiting requirements to keep records of data processing activities, or reforming how businesses provide data protection impact statements — two rules seen as overly cumbersome to smaller firms.

Pandora’s box of lobbying

The GDPR was a landmark piece of legislation when it took effect in 2018 and has been heralded as an example of the Brussels Effect, having set an international standard for the protection of personal data.  

Negotiations on the privacy law triggered one of the biggest lobbying efforts Brussels had ever seen. Tech companies beefed up their Brussels operations and poured millions into trying to influence the rules during the drafting process. The proposal drew over 3,000 amendments in the European Parliament — a record.

The danger in the EU’s revising the law is that it could start a lobbying war between Big Tech companies and privacy advocates, two of the strongest public affairs forces in Brussels.

Some fear that if the GDPR is called into question, the law could crumble under the lobbying pressure. “Reopening the GDPR for simplification is risky, no matter how well-intentioned and targeted the proposal may seem,” said Itxaso Domínguez de Olazábal, policy advisor at digital rights group EDRi.  

The EU is already finalizing a new law on the procedural rules for privacy regulators to coordinate on major GDPR cases.

According to Austrian privacy activist Max Schrems, the GDPR is still a “huge target” for lobbyists, but its core rules can’t easily be scrapped since the protection of personal data is enshrined in the EU’s Charter of Fundamental Rights as an inalienable freedom.  

“A Court of Justice would annul a GDPR that doesn’t have these core elements,” Schrems said. “So if it’s where [lobbyists] want to spend their energy, be my guest, but they’re not going to get there.”  

Pieter Haeck contributed reporting.