The European Commission is set to ease data protection obligations for small- and mid-sized companies under its upcoming omnibus simplification package. But not everyone is on board.

Seven years after the General Data Protection Regulation, or GDPR, took effect, the European Commission is seeking to revise the landmark privacy law, citing “simplification”. But what some see as overdue regulatory relief could be the first domino in a cascade of deregulatory moves, others warn.

The GDPR has long stood as a global standard in digital privacy. But new proposals from Brussels, presented as part of the broader “omnibus” package, would ease some obligations for small and mid-sized enterprises (SMEs). While the European Commission argues the changes offer relief for the companies, critics say they represent a dangerous precedent.

Gold standard faces reform

The GDPR was adopted in 2016 and entered into force in 2018 after years of contentious debate. It empowered individuals with unprecedented rights over their data and imposed rigorous obligations on organisations, from transparency and consent to data minimisation and breach notifications. Fines of up to €20m or four per cent of global turnover gave the law real teeth. One of the most significant penalties so far was issued to Meta in 2023, when the Irish Data Protection Authority fined the tech giant €1.2bn for unlawful data transfers.

But GDPR’s implementation was not without political and economic turbulence. The years leading up to its adoption saw a fierce lobbying battle in Brussels, with U.S. tech giants pouring resources into influencing the legislation.

What is in the GDPR reform proposal?

The current reform proposal the Commission introduced in late May focuses primarily on Article 30(5) “Records of processing activities”. The section exempts small businesses (fewer than 250 employees) from maintaining detailed internal records of data processing activities unless those activities are high risk.

Under the Commission’s proposed amendment, this exemption would be expanded to small- to mid-sized companies, with up to 500 employees, provided they stay below certain revenue thresholds. Non-profits with fewer than 500 staff would also benefit. Crucially, these organisations would only need to keep records if their data processing is considered high risk, such as processing biometric or health data.

The change is part of a broader legislative initiative, the so-called omnibus package, intended to streamline compliance across multiple EU regulations. The Commission claims this will boost competitiveness without compromising core rights. But not everyone agrees.

Institutional endorsement—with caveats

On 8 May 2025, both the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a joint opinion expressing “preliminary support” for the proposal. They acknowledged the intent to ease the burden on SMEs, but urged that any simplification must preserve the risk-based approach at the heart of GDPR. “Even very small companies can still engage in high-risk processing”; in other words, exemptions may seem procedural, but they could also lead to lower compliance levels in contexts where data misuse could cause real harm.

Deregulation in disguise?

For many civil society groups and digital rights organisations, the stakes are much higher. Over 120 organisations, including the European Digital Rights network (EDRi), academics, trade unions, and human rights advocates, have signed an open letter demanding that the Commission not reopen the GDPR.

They urge the European Commission to “reject any reopening of the GDPR”, and argue that doing so could lead to a weakening of key safeguards. “Once reopened, the GDPR could become vulnerable to broader deregulatory demands,” the letter warns. “Many such pressures are already visible, including calls to weaken rules on consent with no effective safeguards for users, or legitimise invasive uses of personal data for AI training.”

This criticism resonates with the position of Access Now, a US-based non-profit, which called on the EU to “stay focused on what matters most: strong, effective GDPR enforcement and protecting people’s fundamental rights — not reopening its core rules”. The group called the reform a “missed opportunity” to strengthen enforcement rather than dilute protections. While the group welcomed efforts to harmonise enforcement across EU member states, it flagged several concerns: reduced rights for complainants, over-centralised decision-making, increased legal complexity, and less transparency. If not properly addressed, these changes could allow powerful entities to evade scrutiny.

A shift in political priorities?

The GDPR reform comes amid a broader pivot in the EU’s regulatory agenda toward competitiveness, as championed in the influential Draghi Report. Under the von der Leyen Commission, the EU has embraced a series of omnibus packages designed to bundle regulatory changes into fast-track processes in order to accelerate economic growth and innovation.

But critics argue these omnibus reforms sacrifice deliberative democracy in favour of expedience. And when fundamental rights are at stake, that trade-off becomes more than just political—it’s constitutional.

Pandora’s box?

The most potent metaphor invoked by critics is that of Pandora’s box. Once the GDPR is reopened, even narrowly, what’s to stop other articles from being challenged, diluted, or rewritten in future reform packages?

Digital rights experts say that even well-intentioned amendments can carry unintended consequences. If certain obligations are made flexible for mid-sized businesses now, will large enterprises be next? Will consent become optional in certain sectors under the banner of innovation or AI development?

And the consequences are global. As the GDPR has long set the tone for privacy laws worldwide, any perceived backsliding by the EU could embolden other governments to weaken their own data protection regimes, critics warn.

The future of GDPR

At its core, the debate over GDPR reform is not about paperwork or compliance checklists, but the balance between rights and regulation. It is about whether the EU still sees itself as a standard-bearer for digital safety or whether it’s prepared to trade that away for an economic boost.

The choice now lies with EU policymakers. MEPs have traditionally stood on the side of privacy, so their stance might play a big part. Some argue that the EP lost the drive in the 2024 elections; whether MEPs reinforce the GDPR’s foundational role or open the door to its systemic weakening will show more than just their stance on data protection. One reform to Article 30(5) may seem modest. But to many, it looks like the first crack in the dam.