The European Data Protection Supervisor has cautioned that political momentum to simplify the General Data Protection Regulation (GDPR) could trigger a deregulatory spiral. According to experts, the central question is whether the simplification agenda pushed by the Commission and its forthcoming digital omnibus package would boost competitiveness or erode users’ privacy rights.
“It’s not an attack yet. But rather the word yet is so important”, Wojciech Wiewiórowski, the European Data Protection Supervisor (EDPS), told the audience at EDRi’s Privacy Camp when asked whether the EU’s data protection law was under threat. “I believe that the discussion will have the dynamic of an avalanche, and we will start from the adjustments, and we will go to the discussion about the principles,” Mr Wiewiórowski added.
His remarks came during a roundtable titled “GDPR under attack: What resists, persists”, moderated by Romain Robert, legal advisor in the Policy and Consultation Unit of the EDPS. In a parallel session, titled “GDPR and ePrivacy at Risk: Resisting Deregulation in the EU’s Digital Rulebook”, academics and civil society voiced similar concerns. Across both debates, the central question was whether the Commission’s simplification agenda and its forthcoming digital omnibus package would boost competitiveness or whether it would rather erode users’ privacy rights.
Simplification cannot become deregulation
For the European Data Protection Supervisor, the debate over ‘simplifying’ the GDPR is also about the direction of political policy. Mr Wiewiórowski told the Privacy Camp audience that he had heard many of the same arguments before, during the decade-long negotiations that led to the GDPR. “I’m not surprised by the fact that the political arguments are coming back, even the ones that were already discussed at the time when GDPR was under preparation”, he said.
What worries him is that proposals once dismissed are now resurfacing with renewed momentum, even though, in his words, “there is no real background for the theories that are right now presented to us”, especially the theory that if you do something simple, competitiveness will rise. He warned against letting ‘simplification’ become an end in itself. Accountability mechanisms, Mr Wiewiórowski stressed, are what give the GDPR its global credibility. Weakening them risks undermining Europe’s influence. “Simplification cannot be the pretext for deregulation”, he said.
Fewer obligations for small and medium-sized enterprises
One of the central proposals under discussion is the amendment of one of the GDPR provisions to exempt companies with fewer than 750 employees from record-keeping duties. With this change, the exemption that currently applies only to firms with fewer than 250 employees will be extended.
The Commission argues this will reduce administrative burdens on smaller businesses. However, researchers warned it risks stripping out a key compliance mechanism. “Reporting obligations are a toolbox to achieve accountability”, said Maria Magrieska, from Maastricht University. Article 30, she explained, requires companies to keep track of how they process data, a record that allows regulators to verify compliance with the law’s principles.
Magrieska also criticised the lack of a fundamental rights impact assessment for the reform. “GDPR is literally the regulation of a fundamental right to data protection. How can you say there is no impact on fundamental rights?” she asked. For her, dismantling accountability tools without assessing the consequences undermines the very basis of the law.
Predictability as an asset for competitiveness
While the Commission has framed simplification as a tool to help businesses compete with other players, that argument was challenged at the Privacy Camp. Anja Wyrobek, legal policy adviser at the European Parliament, asked business representatives about their experience: “Is it cheaper in Europe, or is it cheaper doing it in the US? Where you are forced to raise your capital limits, where you are forced from one day to another to face the fact that your workers may no longer be able to work in your environment, because these requirements come up overnight?”.
For Ms Wyrobek, the stability of the European legal environment is itself an economic asset. “Is predictability, is legal certainty so horrible, when it is based on values that we have given ourselves for good reason, from historical memory?” she asked. “I’d ten times rather live in Europe with more paperwork and hire seven more lawyers than live in such a reality”.
Nevertheless, Commission President Ursula von der Leyen has recently promised that the reform would cut €8bn a year of bureaucratic costs for European companies. Additionally, Mario Draghi singled out the GDPR as an area in need of “radical simplification” and warned that legal uncertainty had increased the cost of data for EU firms by about 20 per cent compared with their US competitors.
Civil society pushback
Civil society groups warned that the Commission’s reforms amount to a strategic weakening of the GDPR rather than a neutral ‘simplification’. “The GDPR is under attack”, said Itxaso Domínguez de Olazábal of European Digital Rights (EDRi). According to her, industries that have resisted compliance are now persuading others to roll back the law. “Industries that haven’t been complying … are convincing other companies of the need to undermine a law that is actually the foundation of the rest of the EU rulebook”.
Mariano delli Santi, of the UK’s Open Rights Group, pointed to Britain’s experience as a warning for Brussels. “We already had the simplification”, he said. The result, in his view, was weaker protections that mostly benefited larger players. “Deregulating data protection rules benefits big tech and is not beneficial for everybody else”, Mr Santi stated.
Concerns extended beyond the substance of the reforms to the process itself. Mozilla Foundation representative Claire Pershan shared that she was worried about how the omnibus regulation would be negotiated. “I’m very concerned about the nature of the omnibus”, she said, “I have questions about who will benefit from negotiations that happen so quickly”. Ms Pershan also questioned which advocacy groups or citizens will be heard.
Enforcement as the missing link
Across both sessions, the consensus was that the GDPR’s weakness lies not in its design but in its enforcement. Ms Domínguez described how the law has been made to appear excessively complex. “GDPR is presented as something very complex,” she said. This narrative, according to her, shifts costs onto small organisations that struggle to navigate compliance, while giving large firms the tools to delay enforcement.
Ms Pershan, meanwhile, underlined that public trust depends on tackling the largest companies. “We should be really talking more about how we do ensure that we have compliance, especially at the biggest players … because that’s really where people start to feel pain,” she said.
Since 2018, EU data protection authorities have imposed more than €6.7bn in GDPR fines. The largest penalty was €1.2bn against Meta, issued by the Irish DPC in 2023. Even so, according to noyb, fines remain rare. Only about 1.3 per cent of cases before DPAs result in a financial sanction. The lack of compliance with GDPR may result in a fine of up to €20m, or up to 4 per cent of the company’s annual worldwide turnover.
The ‘Brussels effect’ at risk
The GDPR has stood as one of Europe’s most visible legal frameworks, shaping privacy frameworks from Brazil’s LGPD to California’s CCPA. That global influence, often described as the “Brussels effect”, was repeatedly invoked at Privacy Camp as participants warned that weakening the regulation would damage the EU’s credibility abroad.
“Suddenly we are losing it”, said Maria Magrieska, “we are showing the world that we are actually not that serious with GDPR”. She noted how exemptions to accountability rules or procedural shortcuts risk sending the opposite signal to legislators who modelled their own laws on the EU text.
Mr Wiewiórowski delivered a similar warning, though in more cautious terms. He argued that resilience must mean defending the GDPR’s principles, not hollowing them out under the banner of simplification. “Resilience is not compromise. Resilience is to be ready for the things which happen”, he said.
If the GDPR is diluted, speakers argued, Europe risks losing its ability to set global digital standards. The Commission is expected to table its omnibus package before the end of the year, and has already launched a call for evidence to collect research and best practices on simplifying EU legislation in the fields of data, cybersecurity, and artificial intelligence.