Planned Reform of the GDPR

Below is an overview of the main content and background of the current discussion:

Planned Changes

The reform proposals aim to reduce burdens related to specific GDPR provisions, including:

1. Article 30 GDPR:
   Article 30 GDPR obliges controllers and processors to maintain a record of their processing activities. However, Article 30(5) provides an exemption for smaller companies (fewer than 250 employees), provided that the processing is not regular or does not involve special categories of data.
2. Article 35 GDPR:
   Article 35 GDPR requires controllers to carry out a data protection impact assessment when a form of processing is likely to result in a high risk to the rights and freedoms of natural persons – e.g., in cases of extensive profiling or sensitive data. The requirements can be perceived as particularly burdensome for smaller companies.
3. Notification and documentation obligations: especially for companies with fewer than 500 employees

These requirements currently apply regardless of company size. The plan is to adapt or exempt them for SMEs.

Criticism of the Current GDPR

1. Bureaucratic burden: SMEs in particular report disproportionate effort for documentation and implementation of GDPR requirements.
2. Cost burden: Smaller companies incur high external consulting costs or internal staffing expenses for data protection tasks.
3. Competitive disadvantage: Politicians such as Mario Draghi warn that companies in the EU may fall behind U.S. and Chinese firms as a result.

Specific Concerns from Data Protection Organizations

Organizations such as EDRi (European Digital Rights) and activists like Max Schrems express the following concrete concerns:

1. Weakening of accountability (Article 5(2) GDPR): If documentation requirements are reduced, it becomes more difficult to verify compliance with data protection rules.
2. Weakened supervisory authorities: Fewer mandatory records could make it harder for data protection authorities to enforce the GDPR.
3. Restriction of data subject rights: If companies are required to document less, it may be harder for individuals to exercise their rights (e.g., access or deletion requests).
4. Gateway for lobbying: Opening up the GDPR could lead to targeted attempts by economic interests to dilute core data protection rights.
5. Risk of erosion through incremental changes: Even if the “core” of the GDPR formally remains, accumulated detail changes could weaken the overall impact of the law.

Role of Lobbying

Even during the initial introduction of the GDPR, there were over 3,000 proposed amendments, mainly under the influence of large technology companies. The planned reform is again expected to face strong lobbying pressure – both from tech firms and industry associations.

Legal Framework

The principles of the GDPR are based on Article 8 of the EU Charter of Fundamental Rights ("Protection of personal data"). According to Max Schrems, the European Court of Justice could overturn a reform if it violates these fundamental rights.

Sources

Europe’s GDPR privacy law is headed for red tape bonfire within ‘weeks’