The GDPR is seen as one of Europe’s most complex pieces of legislation by the technology sector — and by businesses far and wide beyond tech — for how it forces companies doing business in Europe to manage their data and to handle the requests and rights of data subjects to that personal data. Its introduction in 2018 drew a deluge of desperate emails from firms asking for people’s consent to use their data.
Seven years later, Brussels is taking out the scissors to give its (in)famous privacy law a trim.
There are “a lot of good things about GDPR, [and] privacy is completely necessary. But we don’t need to regulate in a stupid way. We need to make it easy for businesses and for companies to comply,” Danish Digital Minister Caroline Stage Olsen told reporters last week. Denmark will chair the work in the EU Council in the second half of 2025 as part of its rotating presidency.
The criticism of the GDPR echoes the views of former Italian Prime Minister Mario Draghi, who released a landmark economic report last September warning that Europe’s complex laws were preventing its economy from catching up with the United States and China. “The EU’s regulatory stance towards tech companies hampers innovation,” Draghi wrote, singling out the Artificial Intelligence Act and the GDPR.
For small and cash-strapped businesses, the reams of documentation the GDPR asks companies to produce have long been a gripe. Justice Commissioner Michael McGrath said the key takeaway from a review of the GDPR last summer “is the need for greater support [for] businesses, especially SMEs, in their compliance efforts.”
McGrath confirmed last week that a proposal to simplify the GDPR is due in the “coming weeks.” The Commission had planned to agree on a so-called simplification package for small and medium-sized businesses on April 16, according to the Commission’s diary, but that date has since been bumped to May 21.