Following the EU’s recent unravelling of sustainability regulations through its Omnibus package, the EU is now poised to revisit the General Data Protection Regulation (GDPR) as part of another upcoming omnibus simplification package expected as early as April. The proposed changes to GDPR will have a particular focus on easing compliance burdens for small and mid-sized enterprises (SMEs). EU Justice Commissioner Didier Reynders recently confirmed that GDPR revisions would be included in the EU’s broader regulatory simplification initiative. While details remain scarce, the upcoming Digital Fairness Act may also lead to targeted adjustments in GDPR and the ePrivacy Directive, potentially affecting rules on consent, cookies, and sensitive data processing.
Why is the EU reopening GDPR?
For years, there has been limited political appetite to reopen the GDPR, despite increasing calls to align it with other EU data-related laws such as the Data Act. However, Reynders’ March 13 announcement signalled a shift, with GDPR set to be revised as part of an EU-wide effort to reduce bureaucratic red tape.
An EU spokesperson confirmed that “potential adjustments to the GDPR” are under consideration, though it is still too early to determine the precise scope of the changes. The primary focus appears to be simplifying record-keeping obligations for SMEs, particularly those with fewer than 250 employees. Although these are the suggestions currently on the table, revisions could go further, as we saw with the changes to sustainability rules including CSRD and CSDDD, potentially harmonising GDPR enforcement with other emerging regulations.
Possible conflicts and legal uncertainty
Although the omnibus simplification package and the Digital Fairness Act may introduce separate GDPR amendments, these changes could have opposing goals. The simplification package aims to reduce compliance burdens, particularly for SMEs, while the Digital Fairness Act could introduce stricter rules around consent and cookie policies. Given the current polarisation in EU tech policy debates, there is concern that overlapping amendments may lead to legal uncertainty and regulatory conflicts during the legislative process.
Proposals for a tiered, risk-based GDPR
One of the most controversial ideas being floated is a proposal by Axel Voss, a German Member of the European Parliament, to shift GDPR from its current one-size-fits-all approach to a tiered, risk-based model. Significantly, this model is supported by privacy advocate Max Schrems. Inspired by the EU AI Act, Voss suggests a three-layer system:
- Mini GDPR: For companies processing fewer than 100,000 data subjects and not handling sensitive personal data. These firms would face reduced compliance obligations, such as no longer needing Data Protection Officers (DPOs), and fines capped at €500,000 instead of the current €20 million. This would cover around 90% of businesses.
- Normal GDPR: For companies processing sensitive data or operating at a larger scale but still falling short of Big Tech classification. This would maintain the existing rules.
- GDPR Plus: For large platforms, data brokers, and companies processing data from over 10 million individuals. These firms would face stricter transparency obligations, mandatory audits, and an increased burden of proof for GDPR compliance. This tier would be targeted in particular at Big Tech companies, advertisers, and others who use large amounts of data in their business models.
Alongside centralised enforcement, replacing the current patchwork of national regulators, penalties could also be raised dramatically: GDPR breaches could see fines of €100,000,000 or 10% of global annual turnover.
Voss argues that the existing framework places excessive burdens on SMEs while failing to regulate Big Tech effectively. Voss has also argued for removing the enforcement role of the European Data Protection Board and for adjusting fundamental principles such as the right to be forgotten and data minimisation.
Another proposed solution is centralised enforcement by the European Commission for significant cases, mirroring antitrust enforcement mechanisms. This approach could improve consistency while allowing national DPAs to focus on domestic matters. Meanwhile, the Trump Administration has made clear its opposition to GDPR, calling fines against US tech companies ‘extortion.’ A possible renegotiation of GDPR could smooth over transatlantic tensions.
Ongoing negotiations on GDPR enforcement
Beyond the omnibus package, EU policymakers are already negotiating changes to GDPR enforcement. Talks between the European Commission, European Parliament, and Council began in November 2023 to improve cross-border enforcement of GDPR rules. Current discussions focus on:
- Streamlining cooperation between national DPAs.
- Ensuring consistent and timely enforcement across the EU.
- Enhancing the role of complainants and DPAs in investigations.
- Introducing clearer timelines for regulatory processes.
What does this mean for businesses?
For now, businesses should prepare for potential changes to GDPR, particularly if they operate as SMEs. The EU’s focus on regulatory simplification could reduce compliance burdens, but any new enforcement mechanisms may introduce stricter oversight. Companies should stay informed about legislative developments and be ready to adapt to new data protection rules as they emerge. At the same time, UK organisations are preparing for their own fundamental changes to UK GDPR with the forthcoming Data (Use and Access) Bill. Both in the UK and the EU, data protection is changing.