Undermining the GDPR through ‘simplification’: EDRi pushes back against dangerous deregulation
EDRi has responded to the European Commission’s consultation on the GDPR ‘simplification’ proposal. The plan to remove documentation safeguards under Article 30(5) risks weakening security, legal certainty and rights enforcement, and opens the door to broader deregulation of the EU’s digital rulebook.
A dangerous shortcut disguised as simplification
On 8 July 2025, EDRi submitted its contribution to the public consultation on the Fourth Omnibus Regulation, firmly opposing the proposed amendment to Article 30(5) of the General Data Protection Regulation (GDPR). The Commission wants to remove the obligation to keep records of processing activities unless the data is considered ‘likely high risk’.
This change is presented as a way to reduce administrative burdens on smaller organisations. However, it is being introduced without an impact assessment, without evidence of disproportionate burden, and outside the normal procedures for revising fundamental rights legislation. The result is a procedural shortcut that undermines legal safeguards and weakens public trust in the EU’s legislative process.
Undermining a structural safeguard
Article 30 records are a core part of the GDPR’s accountability architecture. The current text exempts an organisation with fewer than 250 employees only when all three conditions hold: the processing is occasional, it is not likely to result in a risk to people’s rights and freedoms, and it does not involve special categories of data or data on criminal convictions. The proposed amendment removes this cumulative test and replaces it with a vague, self-assessed ‘high risk’ threshold.
This shift would allow routine and large-scale processing to be undocumented, based entirely on an organisation’s own judgment. It removes a key check on hidden or repetitive data use and erodes the internal traceability needed to understand and control processing activities.
EDRi’s contribution underlines that record-keeping is essential for security and resilience. Without documented data flows, organisations are less able to detect or respond to data breaches, trace unauthorised access, or notify individuals when harm occurs. The change could undermine breach response, forensic analysis, and preventive security planning, directly contradicting GDPR principles such as integrity and confidentiality (Article 5(1)(f)) and accountability (Article 5(2)).
Legal uncertainty and misaligned incentives
The proposed threshold of ‘likely high risk’ is not clearly defined and offers no binding criteria, no consultation with authorities, and no requirement to document how the decision was made. Organisations are left to self-certify their exemption from documentation, which creates structural incentives to downplay risks.
This undermines legal foreseeability. Neither people nor organisations can rely on the law if its applicability is vague or discretionary. It also creates uncertainty for processors and third parties, who depend on documentation to understand their roles and responsibilities in data processing chains.
Instead of providing clarity, the proposal introduces confusion, likely increasing reliance on legal advice and consultants while still failing to ensure robust compliance. Companies could therefore end up paying more, not less, contrary to what the Commission has promised.
Deregulation by design: weakening rights through stealth
The method used to introduce this change is as problematic as the content itself. By embedding it in a horizontal ‘burden reduction’ package, the Commission is using an economic instrument to modify a fundamental rights framework, as it has done with previous omnibus packages. There was no clear procedure for carrying forward a set of initiatives that touch several different pieces of legislation, and no impact assessment of how the change would affect people’s ability to exercise their rights.
EDRi warns that this approach sets a dangerous precedent: rights protections could be gradually dismantled through procedural loopholes. Such deregulation by design bypasses democratic oversight, disorients co-legislators, and lowers the threshold for reopening protective legislation.
This move also threatens the coherence of the EU’s digital legal framework. The GDPR is the backbone of other instruments, including the AI Act, Digital Services Act, and Digital Markets Act. Weakening its core safeguards will ripple across these regulations, compromising enforceability, accountability, and trust.
The GDPR must not be reopened
The GDPR is a living and adaptable Regulation. Its architecture allows for sectoral guidance, evolving technologies, and risk-based enforcement with a rights-based core. What it needs is better application and support, not piecemeal revision.
There is no justification for reopening the GDPR, especially through mechanisms designed for economic streamlining. Such efforts distort the legal baseline, shift political expectations, and risk a long-term erosion of rights protections.
EDRi urges policymakers, other stakeholders, and people across the EU to defend the GDPR as the cornerstone of the EU’s digital rulebook, and to push back against any attempt to use simplification packages to weaken structural safeguards.
We call on the European Commission to withdraw the amendment to Article 30(5) and urge co-legislators to reject any attempt to change GDPR obligations.
The GDPR does not need to be rewritten. It needs to be properly applied and enforced. There is no guarantee that removing structural safeguards like documentation will simplify compliance. It has the potential, however, to undermine security, transparency, and legal certainty, placing both people and organisations at risk.