The European Union (EU) is preparing to scale back its well-known data privacy law, the General Data Protection Regulation (GDPR). The European Commission, which creates and enforces EU laws, plans to present a proposal in the coming weeks to make GDPR easier for businesses to follow. This is part of a broader effort by Commission President Ursula von der Leyen to reduce regulations that may be slowing down European companies compared to their competitors in the United States and China.
The EU has already started simplifying other business-related rules, including those for sustainability reporting and investment access. The goal is to help businesses spend less time dealing with complex legal requirements and more time growing their operations.
Source: L’allègement de la réglementation mobilise particulièrement l’attention de la présidente de la Commission européenne, Ursula von der Leyen. | Frederick Florin/Getty Images
GDPR: A Law in Need of Simplification
Since it took effect in 2018, GDPR has been one of the most complicated laws for businesses, especially in the technology sector. It requires companies operating in Europe to manage personal data carefully and respond to user requests about their data. When the law was introduced, businesses sent out countless emails asking for user consent, causing widespread confusion.
Now, after seven years, the EU is looking to make GDPR less burdensome. Danish Digital Minister Caroline Stage Olsen said that while privacy is essential, regulations should be easier for businesses to follow. Denmark will play a key role in discussions on these changes when it takes over the EU Council presidency in the second half of 2025.
The idea of cutting back on GDPR rules aligns with the concerns raised by former Italian Prime Minister Mario Draghi, who argued that Europe’s strict regulations are preventing its economy from competing effectively with the U.S. and China. In his economic report last year, Draghi specifically mentioned the GDPR and the EU’s new Artificial Intelligence Act as obstacles to innovation.
Making Compliance Easier for Small Businesses
For small and medium-sized businesses (SMEs), GDPR’s strict documentation requirements have been a long-standing issue. Justice Commissioner Michael McGrath stated that a review of the law last year showed that SMEs need more support to comply with GDPR. The Commission originally planned to agree on a plan to simplify regulations for SMEs by April 16, but this has been postponed to May 21. However, a Commission official has indicated that the final proposal will be presented by June.
The planned changes will likely focus on reducing reporting requirements for businesses with fewer than 500 employees. However, the core principles of GDPR, such as protecting user privacy, will remain intact. Some potential changes include loosening rules on keeping records of data processing activities and simplifying how businesses complete data protection impact assessments—two requirements that SMEs often struggle with.
A Potential Battle Between Big Tech and Privacy Advocates
When GDPR was first introduced, it sparked one of the biggest lobbying efforts in EU history. Large tech companies invested heavily in influencing the law, while privacy advocates fought to ensure strong protections for users.
Now, revising GDPR could lead to another intense lobbying battle. Big Tech firms may push for weaker regulations, while privacy activists will work to maintain strict protections. Some experts worry that reopening discussions on GDPR could lead to major changes that weaken privacy rights.
Digital rights groups warn that modifying GDPR, even with good intentions, could put the law at risk. Itxaso Domínguez de Olazábal, a policy advisor at digital rights group EDRi, said that any effort to simplify GDPR could open the door to aggressive lobbying efforts that may harm privacy protections.
Privacy Protections Will Remain Strong
Despite pressure from businesses and lobbyists, they are unlikely to remove GDPR’s core protections for personal data. Privacy is a fundamental right in the EU, protected by the Charter of Fundamental Rights. Austrian privacy activist Max Schrems pointed out that if any changes weaken GDPR’s core principles, the European Court of Justice would likely reject them.
Schrems also noted that while lobbyists may try to influence changes, they are unlikely to succeed in eliminating key privacy protections. He believes that any attempt to remove the core elements of GDPR would ultimately fail in court.
What Happens Next?
The European Commission’s proposal to simplify GDPR is expected by June. The exact details of the changes remain unclear, but the focus will be on making compliance easier for small businesses while maintaining strong privacy protections.
The EU is also working on a new law to improve how privacy regulators coordinate their enforcement efforts in major GDPR cases. As these discussions continue, businesses, privacy advocates, and tech companies will all be watching closely to see how the changes unfold.