GDPR Changes in EC Simplification Package Must Safeguard Privacy, Lawyers Say
As the European Commission readies a "digital omnibus" proposal to simplify data laws and reduce business obligations, any reforms -- including to the GDPR -- must be evidence-based and continue recognizing data protection as a fundamental right, privacy lawyers said.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
So far, the only omnibus package the EC has floated that amends the GDPR would extend lighter requirements, which were previously available to only small and midsized enterprises, to small midcap (SMC) enterprises, with some exceptions in cases of high risk, said Tanguy Van Overstraeten, a Van Bael & Bellis data protection lawyer, in an email Oct. 29 (see 2505210007). That initial proposal is under review.
The EC's digital omnibus measure is unofficially expected Nov. 18, Van Overstraeten said. Anticipated provisions are intended to reduce the burden on businesses by focusing on data legislation, including cookies, cybersecurity incident reporting and targeted adjustments to the AI Act.
Any revamp must ensure that the GDPR remains compliant with the EU Charter, which recognizes privacy as a fundamental right, Van Overstraeten said. There's broad room for change while respecting those rights, he added.
For example, in the current legislation, business contact details are treated the same way as personal ones. "I would certainly advocate in favour of the approach of Singapore to exclude [business contact details] from the scope of the GDPR," Van Overstraeten said.
Moreover, reforms should take a risk-based approach, he said, arguing that the current regime creates unnecessary burdens that lead to fatigue, such as with cookie banners, and thus lowers effective protection.
In a blog post Oct. 23, Future of Privacy Forum Senior Fellow Christopher Kuner cited a 2024 report by Mario Draghi, the former Italian Prime Minister and European Central Bank President, which called for greater European competitiveness. That sparked discussion about whether the GDPR should be fundamentally changed to boost the EU's competitive position as a global AI leader, Kuner said.
But "in order to protect fundamental rights, maintain legal certainty, and continue to ensure a high level of protection, any reform should be evidence-based, targeted, transparent, and further the EU’s values," wrote Kuner, who's also a visiting fellow at Maastricht University's European Centre on Privacy and Cybersecurity.
Draghi was concerned about the fragmented approach to GDPR implementation across the EU and more recently urged "radical simplification" of the measure, Kuner noted. Under pressure after Draghi's report, the EC "proposed without any consultation" the May 2025 GDPR omnibus, which contained targeted amendments that eliminated recordkeeping requirements for some categories of smaller data controllers.
The EC's upcoming digital omnibus package proposes to simplify data legislation to "quickly reduce the burden on businesses," Kuner wrote. It's possible that political pressure in the EU and criticism from the Trump administration could lead to further proposals for GDPR reform as well, he added.
So far, however, there has been no widespread public pressure for significant changes to the GDPR, Kuner said. Arguments that data protection law throttles economic growth have proven to be "hyperbolic."
In addition, the EC hasn't shown any desire to reopen discussion about the GDPR beyond some technocratic changes, Kuner said. Its call for evidence on the digital omnibus proposal didn't mention the GDPR, suggesting that any further proposals for change might be announced without public consultation. Van Overstraeten noted that many responses mentioned the GDPR, but it's unclear whether they will be considered.
Draghi's report didn't mention that the GDPR protects fundamental rights under EU law, giving the impression that it's "little more than red tape that the EU can change at will," Kuner said.
Any GDPR reform should recognize data protection as a fundamental right in the EU legal order, Kuner argued. Proposed changes should be subject to an evidence-based assessment grounded on criteria such as effectiveness, efficiency, relevancy and coherency and must include stakeholder consultation. GDPR changes should "not rely on anecdotes or political announcements."
Reform should also focus not only on the need to remove burdens for businesses but on making the law work better for people, Kuner wrote. It shouldn't be a "'Brussels bubble' exercise conducted at a technocratic level."