GDPR Amendments May Compromise Core Principles, Civil Society Alerts

Many civil society organizations express significant concern about the European Commission’s proposal to amend the General Data Protection Regulation (GDPR), asserting that the regulation is a foundational component of the EU’s digital governance framework.

In March 2025, Michael McGrath, the EU Commissioner for Democracy, Justice, the Rule of Law, and Consumer Protection, announced that the Commission was considering simplifying the GDPR to alleviate the compliance burden on small businesses.

The proposed simplification aims to reduce record-keeping requirements for small and medium-sized enterprises (SMEs) and similar organizations employing fewer than 500 individuals, while striving to maintain the core principles of the GDPR. The initiative is set to be introduced later this year and is distinct from another series of proposals, currently under negotiation, that focuses on modifying the enforcement procedures of the GDPR.

Some organizations, including the Centre for European Policy Studies, have welcomed this simplification, advocating for a “pragmatic revision that balances personal data protection with the necessity of utilizing data for innovation and societal advancement.”

Conversely, this proposal has drawn substantial criticism from a variety of stakeholders. In an open letter directed to Commissioner McGrath and Henna Virkkunen, the Executive Vice-President for Tech Sovereignty, Security, and Democracy, 108 organizations and individuals have requested that the GDPR remain intact. The letter was published on May 19 and includes signatories from civil organizations like Access Now and Amnesty International, as well as companies such as Mozilla and Proton.

The letter acknowledges the theoretical merit of modifying certain GDPR provisions to assist smaller organizations. However, the signatories caution that such amendments could undermine the core accountability principle that the GDPR upholds. They warn that such changes might permit some companies to evade essential data processing record-keeping duties based simply on their employee count or revenue, which would compromise the GDPR’s risk-based approach that aligns obligations with potential threats to individuals’ rights and freedoms, rather than organizational size.

Moreover, the authors articulated concerns that these changes might diminish the recognition of personal data as a fundamental right, as enshrined in the GDPR. They emphasize that data rights remain critical regardless of an organization’s size, arguing that individuals’ vulnerability to harm does not lessen in smaller contexts. The authors assert, “While competitiveness is important, using it to justify exemptions from core protections sends a troubling message: that individuals’ rights are subordinate to economic interests.”

Finally, the signatories forewarn that revising the GDPR could introduce a disturbing trend toward future deregulation, further weakening the regulation’s integrity. Their experience suggests that such deregulatory efforts often escalate beyond mere adjustments, potentially leading to more profound changes detrimental to the GDPR’s effectiveness.

Instead of initiating changes to the legislation, the authors advocate for the EU Commission to focus on resolving existing implementation challenges through effective enforcement and clarity rather than deregulation. They conclude by reinforcing that the GDPR extends beyond a mere regulation; it functions as the cornerstone of the EU’s digital governance, having established high standards and safeguarding individual dignity in an increasingly data-driven landscape, with implications that reach beyond EU borders and influence global digital governance frameworks.