GDPR Changes Risk Undermining its Principles, Civil Society Warns

Many civil society organizations are unhappy about the EU Commission’s plans to reopen the General Data Protection Regulation (GDPR), claiming that the text should be considered a cornerstone of the EU’s digital rulebook.

In March 2025, Michael McGrath, the EU Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection, announced that the Commission is considering simplifying the GDPR to reduce the burden on smaller businesses.  

The Commissioner stated that the upcoming simplification efforts will target reducing record-keeping obligations for SMEs and similar organizations with under 500 employees, while preserving the fundamental principles of the GDPR.

This initiative, announced for later in the year, is distinct from another set of proposed changes aimed at modifying GDPR enforcement procedures, which are currently under negotiation.

This initiative was welcomed by some European organizations, including the Centre for European Policy Studies, a think tank, which called for “a pragmatic revision that balances protecting personal information with the need to leverage data for innovation and societal benefit” in a February 2025 blog post.

However, the simplification has also been heavily criticized by many others.

Civil Society to Fight Against Reopening GDPR

In an open letter to Commissioner McGrath and Henna Virkkunen, the EU Commission’s Executive Vice-President for Tech Sovereignty, Security, and Democracy, 108 organizations and individuals demanded that the GDPR be left untouched.

The signatories of the letter, published on May 19, included civil society organizations (Access Now, Amnesty International, European Digital Rights, Noyb…), companies (Mozilla, Proton, Tuta Mail…), academics and trade unions.

In the letter, the 108 signatories acknowledged that the idea of modifying some provisions within the GDPR to support small and medium-sized organizations is “good in theory.”

However, they fear that amendments could risk undermining the principle of accountability at the core of the GDPR.

“In practice, [the proposed changes] could allow some companies to avoid keeping records of data processing (even when handling special categories of data) purely based on staff headcount or turnover,” warned the authors. “This shift undermines what is often called the GDPR’s ‘risk-based approach’, a mechanism for calibrating obligations according to the potential harm to people’s rights and freedoms, not company size.”

Protecting Personal Data as a Fundamental Right

The letter expressed concern that the proposed changes may diminish the significance of personal data as a fundamental right, as currently recognized under the GDPR.

“Data rights do not become less important when the controller is smaller; and people’s vulnerability to harm does not shrink accordingly,” the authors emphasized. “While competitiveness is important, using it to justify exemptions from core protections sends a worrying message: that people’s rights are expendable when economic interests are at stake.”

Finally, the signatories warned that reopening the GDPR could trigger a slippery slope of future deregulation, further eroding the regulation’s strength. They cautioned that, in their experience, deregulation efforts rarely stop at minor tweaks and may instead lead to more significant changes that compromise the regulation’s effectiveness.

Instead of reopening the legislation, the authors of the open letter recommended that the EU Commission recognizes “that current implementation challenges can be solved by effective enforcement with clarity and not deregulation.”

“The GDPR is more than a Regulation. It is the backbone of the EU’s digital rulebook, a hard-fought legislative achievement that sets high standards and safeguards people’s dignity in a data-driven world. Its impact reaches far beyond the EU’s borders, influencing digital governance globally,” they added.