EDRi warns against GDPR ‘simplification’ at EU Commission dialogue
On 16 July 2025, EDRi participated in the European Commission’s GDPR Implementation Dialogue. We defended the GDPR as a cornerstone of the EU’s digital rulebook and opposed further attempts to weaken it under the banner of ‘simplification’. The discussion was more divided than the official summary suggests.
Ongoing reform plans put GDPR protections at risk
On 16 July 2025, the European Commission hosted a high-level Implementation Dialogue on the General Data Protection Regulation (GDPR) in Brussels. The aim was to gather feedback on the GDPR’s application amongst different stakeholders. This took place shortly after the consultation on the Fourth Omnibus Package, which included a proposal to weaken GDPR Article 30(5), by removing record-keeping obligations for a large number of organisations. This proposal has already drawn strong criticism from civil society, including EDRi.
EDRi took part in the dialogue both in person and through a written contribution, where we reiterated that there is no justification for reopening the GDPR in any form. The Commission’s own 2024 evaluation concluded that the Regulation is effective, proportionate, and future-proof. The current challenges stem from enforcement gaps and lack of guidance, not from the law itself.
Yet, despite these concerns, several industry actors reiterated their calls for ‘targeted reforms’, often under the familiar banners of SME support or innovation. While there was broad agreement on the value of practical tools, such as templates or joint guidance, clear fault lines emerged over whether the Regulation should be reopened.
Read EDRi’s full post-meeting submission.
What’s really at stake in the push for simplification?
The proposal to amend Article 30(5) may seem limited, but it signals a broader shift: a deliberate attempt to move the Overton window by testing whether core safeguards of the GDPR are up for negotiation. The proposal lacks evidence, bypasses an impact assessment, and openly contradicts the Commission’s own evaluation.
This is not about improving compliance or helping SMEs. It reflects a broader political narrative, one shaped by the Draghi Report on EU Competitiveness and wider deregulatory agendas that reframe rights as obstacles to growth.
The so-called crisis of competitiveness is a manufactured one: constructed to justify weakening hard-won protections, not to address actual barriers to economic performance. There is no credible evidence that the GDPR is responsible for the EU’s economic challenges. On the contrary, what is at stake is whether data governance will remain grounded in rights, or be reshaped to suit extractive business models.
As we stressed during the dialogue, simplification is not neutral. The question must always be: simplification for whom, and at whose expense?
Rather than weakening rights, the focus should be on strengthening enforcement and improving the regulatory ecosystem. The tools already exist.
A constructive path forward for GDPR implementation
EDRi supports a non-legislative agenda for practical simplification, as outlined by the European Data Protection Board (EDPB), the body that brings together all national privacy watchdogs and plays a key role in ensuring the consistent application of the GDPR. In its Helsinki Statement, the EDPB set out a constructive approach to improving implementation, not through legal reform, but by providing joint guidance, templates, and coordinated enforcement methods.
These are exactly the kinds of measures that can ease compliance for organisations, especially smaller ones, without undermining people’s rights or weakening the Regulation itself. This includes:
- Model templates for record-keeping and Data Protection Impact Assessments (DPIAs), clarifying what compliance looks like in practice.
- Sector-specific compliance models inspired by the French data protection authority CNIL’s former normes simplifiées, offering pre-approved frameworks for common, low-risk types of data processing (e.g. HR or payroll), while still requiring full assessments for more complex or high-risk operations.
- Joint guidance on common interpretation issues, such as lawful bases for processing, transparency obligations, and risk assessment, provided that it harmonises enforcement without lowering standards, as examples such as the EDPB’s Opinion on AI training have shown.
- Stronger coordination between data protection authorities (and potentially other regulators), including through shared enforcement methodologies, joint investigations, and common templates.
These kinds of initiatives demonstrate that meaningful simplification is possible, but it must be rights-based, risk-sensitive, and grounded in practice, not politics.
The risk of backsliding
Proposals to ‘clarify’ how the GDPR works together with other laws such as the AI Act or the ePrivacy Directive must not become a pretext for lowering standards. Claims of ‘overlap’ are increasingly instrumentalised by industry to frame the GDPR as redundant or incompatible with newer legislation. In reality, the GDPR does not conflict with these laws, but provides the baseline they must respect and build upon. The GDPR is a technologically neutral, horizontal framework grounded in the fundamental right to data protection. It is not a regulatory burden to be streamlined, but a baseline that newer laws must respect and build upon.
Coordination between legal instruments is useful when it fosters coherence. But it must be done in a way that respects the GDPR’s legal primacy and rights-based logic, not bypass it in favour of weaker, sector-specific regimes.
It’s important to stress that the pressure to weaken the GDPR is not only coming from current and planned legislative proposals. The EDPB is drafting guidelines on ‘Consent or Pay’ models for all types of controllers, despite repeated warnings from that such practices undermine GDPR requirements. At the same time, the recently-adopted GDPR cross-border Procedural Regulation introduced improvements, but also serious shortcomings that risk entrenching enforcement delays and weakening complainants’ rights.
Taken together, these developments reflect a wider pattern: rather than addressing real gaps in enforcement and guidance, political energy is being channelled into reshaping the GDPR in ways that will benefit powerful actors rather than the people these laws are supposed to serve.
A summary that missed key tensions
After the event, the Commission published a summary of the dialogue. While it reflects some of the main themes discussed, it does not fully convey the range of perspectives or the depth of disagreement in the room, particularly around the risks of reopening the GDPR.
The summary gives the impression of a broadly aligned discussion, but in reality, there were clear and significant differences. Industry voices, often indirectly, presented the GDPR as in need of legislative reform through calls for ‘simplification’ or ‘clarity’, while other organisations like EDRi firmly opposed reopening the Regulation. The document also leaves out the broader context in which the dialogue took place, including growing concerns about a shift toward deregulation across the EU’s digital rulebook. For future exchanges to be meaningful, it is important that public summaries reflect not just areas of convergence, but also the underlying questions of principle and direction that remain contested.
What’s next: The ‘Digital Package’ and beyond
The Commission is currently preparing a broader Digital Package, tentatively scheduled for 10 December 2025, which may include legislative proposals affecting the GDPR. While details are yet to be confirmed, this raises the risk of further erosion under the guise of simplification. Additional changes could follow in 2026, but for now the Commission appears to still be assessing how far it can go, and what political backing it can rely on.
This digital debate is not happening in isolation. Across sectors, from environmental protections to financial regulation, the EU is increasingly entertaining deregulatory agendas framed as “cutting red tape” or “simplifying rules.” Situating the GDPR in this broader context makes clear that what is at stake is not only digital rights, but the EU’s wider commitment to strong, rights-based governance.
In this context, public interest and human rights voices must remain vigilant. The same actors that lobbied against the ePrivacy Regulation and others are now pushing to dilute the GDPR. Rules that protect us from AI harms also face similar attacks. Weakening safeguards for transparency and accountability will not serve SMEs, people, or democratic oversight, but it will benefit those with the most to hide.
The GDPR remains the backbone of the EU’s digital rulebook and a global benchmark for rights-based governance. What it needs is not deregulation, but robust enforcement, adequate resourcing, and consistent rights-based interpretation, a call we raised in May 2025 together with over 120 allies. Weakening the Regulation would endanger not only rights and accountability, but the very credibility of the EU’s digital agenda.
EDRi will continue working with allies to monitor upcoming legislative developments, push back against the broader deregulation agenda, and ensure that the GDPR stays a tool to protect people, not a battleground for commercial shortcuts.
