GDPR at a Crossroads: Brussels Moves to Ease Compliance but Faces Big Risks.

EXCLUSIVE

GDPR at a Crossroads: Brussels Moves to Ease Compliance but Faces Big Risks.

Once hailed as the EU’s crown jewel in tech legislation, the General Data Protection Regulation (GDPR) is no longer untouchable.

On Wednesday, the European Commission will unveil proposed amendments to the GDPR aimed at reducing compliance burdens—particularly for small and medium-sized enterprises (SMEs). Later that same day, officials will also finalize negotiations on a complementary law intended to address longstanding procedural shortcomings in cross-border data protection enforcement.

These developments form part of a broader EU effort to streamline legislation and reduce regulatory complexity, a campaign reinvigorated by former Italian Prime Minister Mario Draghi’s recent economic report. Draghi specifically cited GDPR as an innovation bottleneck contributing to Europe’s lag behind the U.S. and China.

While digital rights advocates often celebrate the GDPR as a global benchmark for privacy protection, many businesses view it as overly burdensome and cost-prohibitive. The new proposals aim to maintain the regulation’s core principles while offering much-needed relief for companies grappling with administrative red tape.

Key proposals include:

Expanding current reporting exemptions from SMEs (fewer than 250 employees) to mid-cap firms (up to 500 employees).

Granting more exemptions from record-keeping and privacy impact assessments.

Introducing new rules to accelerate cross-border investigations by defining clearer procedures, timelines, and legal safeguards.

These changes, however, raise concerns about reigniting the intense lobbying war that marked the GDPR’s initial adoption between 2012 and 2016. EU officials stress that the revisions are limited and surgical, with no intent to dilute the regulation's foundational values.

Yet, internal Commission documents suggest that broader reform may be considered in the future, with references to potential “consolidation” of GDPR in upcoming strategies like the Data Union Strategy.

Policy Perspective:

From a policymaking standpoint, these revisions reflect the EU’s struggle to balance privacy rights with economic competitiveness. While streamlining GDPR could promote innovation and ease business compliance—particularly for SMEs—it risks weakening the EU’s global leadership in data protection. Any erosion of legal certainty or perceived watering down of privacy safeguards could compromise public trust and embolden tech industry lobbying.

Ultimately, GDPR reform must proceed with caution, ensuring that simplification does not come at the expense of fundamental rights. Policymakers must strive for a modernized GDPR that remains both business-friendly and uncompromising on citizen privacy.