The Future of the GDPR – Changes on the Periphery or at the Core?

Seven Years of the GDPR

The General Data Protection Regulation (GDPR) turns seven this month – since May 25, 2018, governments, businesses, and even individuals have been required to comply with the rules that protect our personal data. The GDPR has had major consequences for affected parties, who had to take all sorts of steps to comply with the rules, such as mapping data processing activities, drafting privacy statements, requesting consent, and entering into data processing agreements. Although the GDPR serves an important purpose – protecting the privacy of data subjects – the regulatory burden is often perceived as high. This is also due to the often vague standards and differing rules and interpretations across member states.

European Commission: Reducing the regulatory burden on small businesses

The European Commission is considering simplifying the GDPR, along with other digital regulations, to ease the burden on smaller businesses. This is outlined in a European Commission document from earlier this year and was subsequently confirmed in an interview with European Commissioner Michael McGrath. The simplification is part of a broader plan by the Commission to improve regulation. This is being done through so-called omnibus packages, which amend a whole series of related regulations at once. In this way, the rules can be better aligned and simplified. The GDPR will also be addressed in a future omnibus package. According to a Commission official, the announcement is expected as early as May or June 2025.

McGrath refers to simplifying “record keeping” for small and medium-sized enterprises. This applies to companies with fewer than 500 employees. According to McGrath, however, the basic principles of the GDPR will remain intact. Various provisions of the GDPR may fall under the term “record keeping.” This includes the obligation to maintain a record of processing activities, a requirement that applies to virtually every business. For small businesses – especially those that handle a significant amount of personal data and are still undergoing many changes due to their startup phase – this obligation can be a major burden. In addition, Data Protection Impact Assessments (DPIAs), which must be conducted for high-risk processing operations, can be perceived as a significant burden. Incidentally, the European Data Protection Supervisor has indicated that the DPIA requirement for smaller businesses must remain in place, as even small businesses can carry out high-risk processing operations. It is consistent with a risk-based approach to conduct a DPIA in such cases.

Although these are welcome changes for smaller businesses, the core obligations of the GDPR appear to remain in place: a legal basis is still required for every processing activity, data may only be processed for a specific purpose, and the guiding principle remains that as little data as possible should be processed for the shortest possible duration.

MEP Axel Voss: The GDPR Needs a Radical Overhaul

MEP Axel Voss believes the GDPR needs a much more radical overhaul. According to Voss, the GDPR is a barrier to the innovation needed to make Europe competitive again. The strict rules of the GDPR, differences in interpretation, and inconsistent enforcement have turned the processing and sharing of personal data into an administrative nightmare. He, too, believes that smaller businesses should be exempt from certain obligations, but he goes a step further. According to Voss, the starting point should not be that data subjects have absolute control over personal data, but rather that we should move toward the responsible use of personal data. He seems to mean that the starting point should be that personal data may indeed be processed. He may believe that the principle of data minimization and the right of data subjects to have their data erased should be limited.

Whether it will come to that remains to be seen. The European Commission appears to be leaning toward a more limited amendment. Moreover, opening the GDPR to major changes could allow for undesirable influence. The GDPR’s legislative process is notorious for the strong lobbying by big tech companies, which are seeking as much leeway as possible to process personal data. The European legislator may not want to go through that process again.

GDPR Procedural Regulation

Meanwhile, the European Union is also working on a new regulation designed to streamline cross-border enforcement: the GDPR Procedural Regulation. This regulation includes rules on the admissibility of complaints, the role of the controller and processor, and how different supervisory authorities collaborate. The regulation is intended to clarify the legal status of the various parties involved and provide legal certainty.

The Commission’s proposal was published on July 4, 2023. The European Parliament and the Council have since responded. Discussions among the three parties in the so-called trilogues are intended to result in a uniform proposal, which will then be adopted and enter into force shortly thereafter. Privacy advocate Max Schrems is critical of the current proposal, arguing that it would actually complicate procedures.

Data Protection Omnibus Act

At the same time, the Dutch legislature is working on the Data Protection Omnibus Act, which is intended primarily to amend the GDPR Implementation Act (UAVG). The current proposal includes the following:

Minors are granted more independent rights, separate from their legal representative, such as the right to withdraw consent;
The rules regarding the processing of biometric personal data, such as in fingerprint scanners and facial recognition, are clarified by describing the purpose for which this data may be processed; and
Rules regarding the processing of medical records will be clarified, including by no longer requiring consent for the transfer of records when a healthcare provider goes bankrupt or ceases operations. In such cases, the record may be transferred to another entity to ensure it is properly preserved.

The bill was debated in the House of Representatives on April 15, 2025. During that debate, numerous other topics were raised, including combating discrimination, the publication of fines by the Dutch Data Protection Authority, and the regulatory burden caused by the GDPR. We now await further debate in the House of Representatives.

2025 promises to be another interesting year for privacy law. Be sure to follow us for updates and contact us if you have any questions.

Written by Jacob van de Velde