Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
The EU General Data Protection Regulation will soon celebrate its ninth anniversary since its 2016 adoption and the law still knows how to make an entrance. This week saw a whirlwind of news on two key policy initiatives pertaining to the GDPR's application.
GDPR simplification
The GDPR will not be reopened. This statement was repeatedly voiced by the European Commission throughout last year. However, with competitiveness being a top priority of the Von der Leyen II Commission, it is no surprise that the upcoming digital omnibus package — which, as part of the Commission's wider plans to simplify EU rules, is set to minimize the EU digital framework's constraints on small- and medium-sized enterprises and small midcaps — includes targeted revisions to the GDPR.
Earlier this year, EU Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection Michael McGrath unveiled the contours of the GDPR simplification plan, emphasizing it would be limited to revisiting record-keeping requirements to reduce compliance burdens for smaller businesses with limited resources.
The European Commission proposed the regulation for GDPR simplification 21 May. The proposed changes concern a few articles, including Article 30(5), which currently provides an exception to the requirement for companies to keep detailed records of their processing activities, such as information on the categories of data processed, international data transfers and technical and organizational security measures. The Commission proposes expanding the scope of the current derogation to include small mid-cap enterprises and organizations with fewer than 750 employees.
The exception to this derogation has also been modified. It would only apply to processing that poses a high risk to data subjects' rights and freedoms, as defined in Article 35. Additionally, the non-occasional processing exception has been removed, and a recital has been added allowing the processing of special categories of personal data to qualify for the record-keeping exception under certain circumstances.
The proposal is a first step in the simplification agenda of the GDPR. Although the Commission has identified several areas of friction in GDPR implementation over the years, it is not clear whether it will take steps to tackle additional areas beyond this week's proposal.
In a joint letter published before the proposal was tabled, the European Data Protection Board and European Data Protection Supervisor expressed preliminary support for the initiative. However, they highlighted the importance of ensuring the legislation's risk-based approach is retained irrespective of a company's size.
The digital omnibus package, set to be published in the last quarter of 2025, is expected to also simplify cybersecurity reporting requirements, touch upon certain data sharing rules and even address the Artificial Intelligence Act.
GDPR procedural regulation
On 21 May, the European institutions held what was expected to be the final trilogue on the proposal for a regulation on additional procedural rules concerning GDPR enforcement.
The interinstitutional negotiations on the file that aims to streamline procedural rules for GDPR enforcement in cross-border cases started in November 2023. In the final meetings, co-legislators were trying to find an agreement on topics such as deadlines, including the nuances for their extension, remedies in case of the lead data protection authority's inaction or overly long procedures and the right to be heard in front of the EDPB.
These issues remain in deadlock, putting a question mark on whether an agreement on this file will be possible before the summer break, a priority for the Polish presidency of the European Council. It remains to be seen how the final version of the file will align with recent developments in the field, such as the advocate general's opinion concluding an organization may challenge an EDPB decision directly before the Court of Justice of the European Union, or the kickoff of the GDPR simplification plans.
Laura Pliauškaitė is European operations coordinator for the IAPP.
This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter.