Open Letter: Reopening the GDPR is a threat to rights, accountability, and the future of EU digital policy

108 civil society organisations, academics, companies and other experts, including EDRi, are concerned about the proposals to reopen the General Data Protection Regulation (GDPR). They are calling on the European Commission to protect people’s rights and dignity in a data-driven world by reaffirming the GDPR as the cornerstone of EU’s digital law and supporting its rigorous enforcement.

By EDRi · May 19, 2025

A broad coalition gravely concerned about proposals to reopen the GDPR

In a joint letter, EDRi, together with 107 civil society organisations, academics, companies, trade unions, and experts is calling on the European Commission to reject any reopening of the General Data Protection Regulation (GDPR), and to reaffirm it as a cornerstone of of the EU’s digital rulebook.

We are gravely concerned about ongoing proposals to reopen the GDPR, including changes expected as part of the fourth omnibus package, and mounting rumours that the regulation will be further reopened in subsequent initiatives later this year or beyond.

There’s a lot at stake – the GDPR sets high standards and safeguards people’s dignity in a data-driven world. Its impact reaches far beyond the EU’s borders, influencing digital governance globally.

Read the full open letter (pdf)

Why are we concerned?

The proposed changes risk missing the mark of genuine simplification, and could instead roll back key accountability safeguards, and with them, the accountability principle itself.

Once reopened, the GDPR could become vulnerable to broader deregulatory demands. Many such pressures are already visible, including calls to weaken rules on consent with no effective safeguards for users, or legitimise invasive uses of personal data for AI training.

We also cannot ignore the geopolitical context. Over the past years, calls from foreign commercial and political actors to loosen the EU’s digital protections have consistently started with attempts to weaken the GDPR, a strategy now extended to the entire EU tech rulebook, including the DSA, the DMA and the AI Act – and already underway for corporate accountability and environmental justice.

What needs to change?

The GDPR was designed to protect people in the face of growing digital power asymmetries, which disproportionately harm marginalised communities. Reopening it now would risk eroding on hard-won rights.

The letter calls on the European Commission to:

  • Reject any reopening of the GDPR and reaffirm its integrity as a foundation of EU digital law;
  • Recognise that current implementation challenges can be solved by effective enforcement with clarity and not deregulation;
  • Continue to support compliance mechanisms and legal certainty, not by rewriting the law but by ensuring greater support and assistance, especially for smaller entities;
  • Resist external and internal pressures that seek to trade away people’s rights in the name of competitiveness or trade interests.