With the EU proposing to simplify the General Data Protection Regulation, industry bodies and campaign groups are wary.
The changes come as part of a broader drive to simplify EU regulation to make it easier for the bloc to compete with the U.S. and China. Their main aim is to ease reporting requirements for small businesses, but there’s also talk of broader reforms at a later stage.
Currently, only businesses with fewer than 250 employees are exempt from a requirement to keep detailed records of their data processing activities, including the purposes of the processing, the categories of data held and its third-party recipients, along with, where possible, a description of their technical and organizational security measures.
Now, though, this exemption has been extended to companies with fewer than 750 employees and either less than €150 million in turnover or less than €129 million in total assets.
The exemption applies unless their data processing is likely to result in a “high risk” to data subjects’ rights and freedoms, or where special category data is processed.
According to the European Commission, there are around 38,000 of these small mid-cap companies across all EU member states.
“Cutting red tape and simplifying rules means giving businesses the freedom to innovate, grow, and create jobs,” said Stéphane Séjourné, executive vice-president for prosperity and industrial strategy.
“Today’s Omnibus is another stepping stone in this regard, extending new benefits to small and mid-cap companies and ensuring that legislation is aligned with on-the-ground reality.”
However, the changes are receiving a wary response. In an open letter, civil rights collective European Digital Rights said it was concerned that the changes might not represent a genuine simplification, but could instead roll back key accountability safeguards.
“In practice, they could allow some companies to avoid keeping records of data processing (even when handling special categories of data) purely based on staff headcount or turnover,” the letter reads.
“While competitiveness is important, using it to justify exemptions from core protections sends a worrying message: that people’s rights are expendable when economic interests are at stake.”
Meanwhile, industry body the Computer and Communications Industry Association said the changes don’t go far enough.
“Easing GDPR requirements for small and mid-sized companies may offer limited relief, but this minor change falls far short of addressing the deeper structural issues that plague the EU’s data protection framework. Without further adjustments, enforcement and implementation will remain weak,” said CCIA Europe’s privacy and safety lead Claudia Canelles Quaroni.
“At best, today’s proposal will ease GDPR burdens for just 0.2% of EU companies. While well-intentioned, its limited scope means it won’t meaningfully strengthen Europe’s dwindling digital competitiveness. These are cosmetic fixes, not systemic solutions.”
The CCIA is calling on the EU to align GDPR implementation across all EU legislation for greater coherence, reinforce the one-stop-shop mechanism and work to prevent fragmentation in the way member states implement the rules.
These are the first proposed changes to the GDPR since its introduction in 2018, and there are fears that the Commission is opening up a can of worms – especially given persistent rumors that there may be more proposed changes to come later this year or next.