Seven years after the General Data Protection Regulation transformed global privacy standards, Europe finds itself at a crossroads. The landmark legislation that once inspired similar laws from Brazil to California is now facing its first major reckoning. But is GDPR truly on the chopping block, or are we witnessing a more nuanced recalibration of European digital policy?
What’s Actually Happening?
The European Commission has unveiled proposals to modify GDPR as part of its “Fourth Omnibus” simplification package, announced in May 2025. The changes are more modest than headlines suggest. The primary reform extends record-keeping exemptions from companies with fewer than 250 employees to those with fewer than 750 employees, unless they process high-risk data or special category information.
Separately, EU negotiators reached agreement in June 2025 on procedural reforms to streamline cross-border GDPR enforcement, introducing stricter deadlines and better cooperation mechanisms between national data protection authorities.
Yet leaked documents suggest more controversial changes may be coming. According to privacy advocates Johnny Ryan and Georg Riekeles writing in The Guardian, these include provisions that would allow companies to claim AI training data is legal without rigorous proof, and potentially weaken protections for sensitive personal data categories.
Why the Push for Reform?
The impetus traces back to former Italian Prime Minister Mario Draghi’s September 2024 competitiveness report, which argued that Europe’s regulatory complexity, including GDPR, was “hampering innovation” and creating administrative burdens through inconsistent enforcement across member states.
EU officials worry about Europe’s position in the global tech race, particularly in artificial intelligence, with Danish Digital Minister Caroline Stage Olsen stating that while “privacy is necessary, we don’t need to regulate in a stupid way”.
The geopolitical context matters too. With Donald Trump returning to the White House and US-EU tech tensions simmering, some European policymakers fear overly aggressive regulation could provoke retaliation or disadvantage European companies competing with American and Chinese tech giants.
What Do Proponents Hope to Achieve?
The official narrative focuses on competitiveness and reducing bureaucracy for small and medium-sized enterprises. European Commissioner Michael McGrath stated the goal is to “ease the burden” on smaller organizations while “preserving the underlying core objective of our GDPR regime”.
Proponents argue that simplification could help European startups scale more easily, reduce compliance costs for businesses that have outgrown SME status but aren’t tech giants, and create clearer rules around emerging technologies like AI.
But Critics See Something Different
Privacy advocates argue the problem isn’t over-regulation but chronic under-enforcement. Ryan and Riekeles point to Meta’s documented internal data practices—using information given for one purpose across unrelated services—as a clear violation of GDPR’s purpose limitation principle that has gone largely unpunished.
They note a troubling irony: China’s DeepSeek AI emerged under stricter regulations than Europe’s, suggesting that rigorous rules don’t inherently stifle innovation. Instead, they argue, proper GDPR enforcement against tech giants would break up data monopolies and create space for European competitors.
Robin Berjon of the Future of Tech Institute warned that proposed reforms “go beyond mere simplification” and could strengthen the hand of “American tech monopolies and intelligence agencies” who benefit most from the surveillance economy.
Critics also worry about the procedural approach. The Guardian article notes the Commission may use legislative maneuvers to skip required impact assessments and avoid full scrutiny from the European Parliament.
How Likely Are Major Changes?
The picture is mixed. The UK’s recent Data Use and Access Act passed in June 2025, though it delivered “relatively modest” reductions in regulatory burden—less ambitious than expected. This may preview what happens in the EU.
The European Data Protection Board and Supervisor issued a joint opinion in July 2025 welcoming targeted simplification of record-keeping obligations while emphasizing that modifications should be “targeted and limited in nature” and not affect core GDPR principles.
The reality is that GDPR enjoys strong support among privacy advocates, has the backing of the EU’s fundamental rights framework, and faces skeptical data protection authorities. Wholesale dismantling seems unlikely. Targeted adjustments—particularly around SME compliance burdens—appear more probable.
A Passing Trend or Lasting Shift?
This may be less about gutting GDPR and more about Europe grappling with competing pressures: maintaining privacy leadership while staying competitive in AI, appeasing business interests while protecting citizens, and asserting digital sovereignty while avoiding trade conflicts.
Reform proposals are expected to face negotiations extending into late 2025, with discussions likely continuing through Denmark’s EU Council presidency. The extended timeline suggests this isn’t a done deal.
The enforcement reforms already agreed upon could prove more significant than the deregulation attempts. These measures aim to fix delays and inconsistencies in cross-border complaints, with most investigations to be concluded within 15 months. If implemented effectively, better enforcement might address the competitiveness concerns without weakening protections.
The Real Question
Perhaps the debate shouldn’t be whether GDPR is on the chopping block, but whether Europe will finally enforce the rules it already has. The Guardian article makes a compelling point: enforcing existing GDPR provisions—particularly around purpose limitation and special category data—would do more to level the playing field for European tech companies than deregulation ever could.
Ireland’s enforcement record remains particularly concerning, with US tech giants clustering there and the country recently appointing a former Meta lobbyist as a data protection commissioner. Without addressing this enforcement gap, any regulatory changes risk being cosmetic at best, counterproductive at worst.
The coming months will reveal whether Europe is truly willing to water down its privacy protections in pursuit of elusive competitiveness gains, or whether this moment represents growing pains as the bloc figures out how to be both a privacy leader and an innovation hub. One thing seems clear: GDPR isn’t disappearing, but it may emerge looking somewhat different—for better or worse—than the law that set the global standard in 2018.
Sources:
- DLA Piper Privacy Matters: European Commission publishes proposal for simplification of the GDPR
- European Data Protection Board: Targeted modifications of the GDPR: EDPB & EDPS welcome simplification
- The Record: Europe preparing to ‘ease the burden’ of landmark data privacy law
- Global Compliance News: EU reaches agreement to streamline cross-border GDPR enforcement
- TechPolicy.Press: EU Set the Global Standard on Privacy and AI. Now It’s Pulling Back
- The Guardian: The EU has let US tech giants run riot. Diluting our data law will only entrench their power
