EU Civil Society Groups and Labor Unions Raise Alarm Over Proposed Changes to GDPR

On the eve of the formal unveiling of the European Commission’s plan to roll back some provisions of the General Data Protection Regulation (GDPR), a coalition of more than 100 civil society organizations, companies, academics, and trade unions on Monday released an open letter expressing “grave concern” over the proposal.

“Proposals to amend certain provisions intended to support small and medium-sized companies to increase legal certainty and strengthen enforcement are good in theory,” the letter said. “However, we are concerned that the proposed changes risk, unsupported by any evidence, missing the mark of genuine simplification, and could instead roll back key accountability safeguards and with them, the accountability principle itself.”

Signatories include European Digital Rights (EDRi), the Centre For Democracy and Technology Europe, Mozilla, and the European Federation of Public Service Unions.

The Commission plan is part of a broad drive to “simplify” the European Union’s complex web of digital technology regulation, including GDPR, the Digital Services Act, and the AI Act, in an effort to promote EU competitiveness and spur economic growth. The GDPR proposal is part of an omnibus package of measures bundled together to speed passage through the European Parliament.

Among other things, the proposal would extend existing exemptions from certain record-keeping requirements under GDPR for small and medium enterprises (SMEs) to organizations with up to 500 employees and a certain turnover, or gross revenue, threshold. The signatories warn that could undermine one of the law’s core principles.

“This shift undermines what is often called the GDPR’s ‘risk-based approach’, a mechanism for calibrating obligations according to the potential harm to people’s rights and freedoms, not company size,” the letter said. “More fundamentally, it could erode the Regulation’s original foundation as a rights-based instrument grounded in the recognition of personal data protection as a fundamental right. Data rights do not become less important when the controller is smaller; and people’s vulnerability to harm does not shrink accordingly.”

Read more: Texas AG Announces $1.375 Billion Deal with Google in Data Privacy Dispute

The coalition also views the proposal as a step onto a slippery slope that could lead to more dramatic changes to GDPR. “In our experience, deregulatory efforts rarely stop at ‘technical adjustments.’ Once reopened, the GDPR could become vulnerable to broader deregulatory demands,” they wrote.

The letter also notably alludes to recent political pressure on the Commission coming from outside the EU, while avoiding specific mention of the Trump administration.

“We also cannot ignore the geopolitical context. Over the past years, calls from foreign commercial and political actors to loosen the EU’s digital protections have consistently started with attempts to weaken the GDPR, a strategy now extended to the entire EU tech rulebook, including the DSA, the DMA and the AI Act,” the letter reads. “Weakening the GDPR would also harm the EU’s credibility. The Regulation is still widely cited as a benchmark for rights-based digital governance. Undermining it would send a signal that the EU is willing to abandon its own standards under pressure.”

The drive to simplify EU digital regulation has its roots in the landmark economic report released last September by Italian Prime Minister Mario Draghi, which concluded that Europe’s complex laws are preventing it from competing economically with other regions, particular the U.S. and China. “The EU’s regulatory stance towards tech companies hampers innovation,” Draghi wrote, pointing in particular to GDPR and the AI Act.

The report’s findings have since emerged as a blueprint for EU economic reformers and have been enthusiastically embraced by European Commission president Ursula von der Leyen.