Civil society: EU plan for GDPR reform opens Pandora's box
EU Commission leak reveals plans to exempt firms with up to 749 staff from GDPR documentation duties, triggering widespread alarm among organizations.
Critics say the EU Commission is overshooting the mark with the new proposals in its initiative to streamline the General Data Protection Regulation (GDPR). Around 110 civil society organizations, scientists, companies and other experts warn in an open letter that the Brussels executive is opening Pandora's box with its latest proposed amendments. "We are seriously concerned about the current proposals to revise the GDPR," the signatories write. "There is a lot at stake."
The regulation sets high standards and protects people's dignity in a data-driven world, explain the signatories, which include Access Now, AlgorithmWatch, Amnesty International, Digitalcourage, Mozilla, Noyb, Privacy International and Statewatch under the aegis of the umbrella organization European Digital Rights (EDRi). The effects of the GDPR extend far beyond the borders of the EU and influence digital regulation globally. The current proposals run the risk of "failing to achieve the goal of genuine simplification". Instead, they could lead to a step backwards in terms of important guarantees for accountability and therefore compliance itself.
The Commission had actually set out to rectify a core problem of the GDPR with a small reform and make it easier to enforce. Its initial aim was to simplify cooperation between national supervisory authorities in cross-border cases. To this end, "some aspects" of the relevant administrative procedure were to be "harmonized". The executive body was primarily targeting Ireland: the Irish data protection authority has long been seen as a bottleneck in GDPR enforcement. The Data Protection Commission (DPC) in Dublin is the lead supervisory authority in this area for large tech companies such as Google, Meta, Microsoft, Apple and X, which have their European headquarters in Ireland. Other supervisory authorities in the EU have not yet been able to intervene directly.
Record of processing activities only for 750 employees or more
In the meantime, however, the Commission has significantly expanded its plans. The main bone of contention at the moment is a draft amendment proposal submitted to heise online, which would massively weaken the documentation obligation in the GDPR. Article 30 of the regulation currently states that every controller and processor must keep a record of processing activities and specifies what information it should contain. Paragraph 5 of this article already provides for an exemption for small and medium-sized enterprises (SMEs) and organizations with fewer than 250 employees. These do not have to keep records under certain conditions.
The Commission now wants to "simplify" the exemption from the documentation obligation and clarify that records are only required "where the processing activities are likely to result in a 'high risk' to the rights and freedoms of data subjects". At the same time, the scope of the exemption is to be extended to companies with fewer than 750 employees. That is a difference of 500 employees. This would also exempt many larger companies from the recording requirement.
According to criticism from the Greens in the EU Parliament, companies with up to 749 employees operating in the data economy would no longer even have to keep a register of procedures, unless the few high-risk scenarios from Article 35 GDPR apply. It is a mystery how this approach can still achieve compliance.
GDPR reform to be adopted in the near future
Consumers are affected on a daily basis "by the fact that their personal data is processed – even by small companies", complains Michaela Schröder, Managing Director of the German Federation of Consumer Organizations (vzbv). If these companies no longer have to systematically document how they do this, an important basis for identifying potential risks to the rights of data subjects at an early stage is missing. The vzbv therefore demands that there should be no blanket exemptions from the documentation obligation. Instead, SMEs should be supported in creating data protection documents with practical tools such as online generators for low-risk processing. Politicians must strengthen the GDPR and not weaken it.
According to the open letter, the GDPR could "become susceptible to more comprehensive deregulation demands" if it is tightened up. Many of these pressures are already visible, including demands to weaken the consent rules without effective safeguards for users or to legitimize "the invasive use of personal data for AI training". The strategy of weakening the GDPR is now also being extended to the entire EU regulatory framework for the technology sector.
Negotiators from the EU Council of Ministers, the Parliament and the Commission will meet on Wednesday evening to finalize the GDPR amendment. This is said to be the last so-called trilogue on the matter. It is still unclear whether the MEPs will support the Commission's latest amendment proposal. According to reports, parameters and deadlines are still controversial. Max Schrems from Noyb fears that the reform would effectively make GDPR procedures "unenforceable". Enforcement of the standards could be undermined by the introduction of excessively long deadlines and overly complex procedures. The organization is examining options for an annulment procedure should the controversial changes be adopted.
(olb)