Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
The European Union's most iconic tech law was long thought to be untouchable. Those days are over.
In May, the European Commission formally unveiled its plan to amend the EU General Data Protection Regulation, which would ease reporting obligations for small and mid-sized enterprises. In June, the Council of the European Union and European Parliament reached a provisional agreement on the GDPR Procedural Regulation, aiming to improve cooperation between national-level data protection authorities in cross-border enforcement.
Both initiatives are framed as simplifications, but what was supposed to be a cleanup operation now risks muddying the waters further.
One goal — double the risk
The first initiative is a proposed amendment to Article 30 of the GDPR, expanding the exemption from record-keeping duties to businesses with fewer than 750 employees. The procedural regulation, a more complex file, is meant to accelerate sluggish cross-border investigations and create more consistency across EU DPAs.
At face value, these reforms aim to help organizations focus less on paperwork and more on substance. The intention is laudable, but the devil, as always, is in the details.
The promise: Clarity, speed and less red tape
The European Commission, inspired in part by Mario Draghi's recent report on EU competitiveness, launched a drive to "simplify" European legislation. The GDPR, Draghi argues, has become a symbol of legal complexity and compliance burden. For small- to medium-sized enterprises and startups, even basic record-keeping obligations can feel overwhelming.
The GDPR Procedural Regulation was supposed to be the Commission's surgical fix, including defining shared case files, streamlining DPA collaboration and setting binding deadlines.
These are real problems. Today, cross-border cases often drag on for years due to clashing national procedures and unclear rules of engagement.
The reality: More layers, more legal fog
Unfortunately, the provisional agreement reached by the Council of the European Union and European Parliament, following negotiations, raises persistent red flags. While feared 33-month enforcement delays were avoided, the provisional agreement now sets deadlines up to 15 months for complex cases, with a possible 12-month extension — a far cry from fast-track enforcement.
The European Parliament succeeded in securing stronger procedural rights for both complainants and investigated parties, including access to preliminary findings and the right to be heard at every stage.
But each institutional compromise adds procedural layers, making enforcement more rule-bound without necessarily making it more effective.
Digital rights nongovernmental organizations have not minced words. Donation-funded NGO NOYB called a draft of the procedural regulation "the biggest legislative mess in a long time." Thirty civil society organizations, including European Digital Rights and Privacy International, warn that it may introduce new legal grey zones and dilute people's rights instead of streamlining GDPR enforcement.
Even the European Data Protection Board, generally supportive of the goals, cautions that these new obligations must be properly funded and avoid creating new references back to divergent national laws.
Why this moment could break the GDPR
The credibility of the GDPR as a functional, enforceable law is at stake. The intent was to fix a framework under which a complaint that crosses an EU internal border can fall into a procedural abyss: documents can go missing; investigations can take years; and individuals can be left without remedy.
But if the result is a new patchwork of deadlines, rights and procedures — without proper harmonization or resources — the proposed procedural regulation can do more harm than good.
Businesses, especially those operating in multiple member states, need clarity, predictability and legal certainty. They do not benefit from a system that replaces one form of complexity with another.
A wider reform wave — and what it could mean
The simplification push won't stop here. Recent consultations have hinted at a potential future "consolidation" of GDPR rules as part of a wider European strategy for data. The Commission has also been asked to clarify how the GDPR interacts with the newly adopted AI Act, particularly regarding fundamental rights safeguards.
What was once a cautious, principle-driven legal framework risks becoming a patchwork of carve-outs, exceptions and untested shortcuts. Policymakers should take care not to undermine the very goals they set out to achieve.
What it will take to get this right
Europe needs smart simplification — not symbolic deregulation. For these reforms to succeed, they must:
- Set enforceable deadlines that don't leave cases in limbo for years.
- Guarantee early hearing rights for both complainants and organizations.
- Ensure predictable, harmonized procedures across all member states.
- Properly fund data protection authorities to carry out new tasks.
- Minimize legal fragmentation by limiting references back to national laws and maintaining legal certainty.
Above all, the spirit of the GDPR — accountability, transparency and proportionality — must remain intact. Without it, both privacy protection and the EU's digital credibility are at risk.
Final thoughts
These initiatives may look technical. But their impact will be felt in companies large and small, in every sector, across the EU.
This is a make-or-break moment for EU data protection and the promise of a digital Europe where rights and innovation can thrive together.
Victoria Derumier is associate entity director and certified DPO at MyData-TRUST.
