The GDPR Shake-Up: What You Need to Know
Ramsha Jahangir / May 26, 2025
Nearly seven years after it took effect—and approaching its ninth anniversary since adoption—the General Data Protection Regulation (GDPR), the European Union’s flagship data privacy law, is back in the headlines as it faces its most critical reckoning yet.
The GDPR is the latest law to undergo reforms as part of the European Commission’s broader effort to simplify EU rules. Central to this push is Europe’s Omnibus, a reform package designed to reduce “unnecessary bureaucracy” for businesses—particularly small and mid-sized companies—to promote growth and innovation.
The initiative is part of a broader deregulatory push following a landmark report by former Italian Prime Minister Mario Draghi, which warned that overly complex EU laws—GDPR among them—are stifling innovation and holding Europe back in global competition with the US and China.
Alongside the Omnibus package aimed at easing compliance burdens for small and mid-sized companies, the EU is also pushing reforms to overhaul GDPR enforcement procedures—efforts designed to speed up cross-border investigations and improve cooperation between national data protection authorities. But privacy advocates say these “simplification” reforms risk diluting core protections and further bogging down an already sluggish enforcement process.
Omnibus broadens GDPR exemptions for 38,000 companies
The GDPR changes in the fourth Omnibus package aim to reduce compliance burdens for small and mid-size companies by expanding exemptions under Article 30 of the law, which requires organizations to maintain detailed records of their data processing activities—such as the categories of data processed, international data transfers, and security measures.
Currently, under the GDPR, firms with fewer than 250 employees are exempt—unless their data processing poses a risk to individuals' rights or involves sensitive data. The new proposal raises that threshold to 750 employees and limits record-keeping to cases involving “high-risk” processing or special category data.
According to the Commission, nearly 38,000 companies across the EU would, for the first time, benefit from existing SME exemptions under GDPR and other simplified rules—such as streamlined prospectus requirements—making it easier and cheaper for small mid-caps to list on public markets.
Critics see it differently. “First it was 500 employees, now it’s 750—and who’s to say it won’t be a higher threshold next?” Itxaso Domínguez de Olazábal, a policy advisor at European Digital Rights (EDRi), told Tech Policy Press. “We knew it would also change from ‘risk’ to ‘high risk.’ And we keep being told the GDPR is risk-based, but let’s be clear: it was conceived as a rights-based regulation. Risk helps determine safeguards, not whether people deserve protection. This constant redrawing of thresholds turns rights into privileges and chips away at the core logic of the Regulation,” she said.
Some in industry, however, are cautiously critical. “Easing GDPR requirements for small and mid-sized companies may offer limited relief, but this minor change falls far short of addressing the deeper structural issues that plague the EU’s data protection framework,” said Claudia Canelles Quaroni, Privacy and Safety Lead at Computers and Communications Industry Association Europe (CCIA). In the CCIA press release, she emphasized that the real need lies in consistent and harmonized application across the EU: “To guarantee uniform data protection rules across the European Union, three improvements are essential: align GDPR implementation across all EU legislation for greater coherence, reinforce the one-stop-shop mechanism, and prevent fragmentation in Member-State implementation.”
Parallel efforts to streamline GDPR enforcement
These targeted revisions are a first step in the simplification agenda of the GDPR, but not the only ongoing effort to reform the law. A parallel legislative overhaul—the GDPR Procedural Regulation—aims to accelerate and coordinate cross-border investigations, particularly those involving US tech companies.
Under the GDPR, when a complaint targets a company based in another EU or EEA country, it must pass through a complex cooperation mechanism between the complainant’s national data protection authority (DPA) and the lead DPA in the company’s home country—often Ireland. This system has proven slow and opaque, with major cases dragging on for years and limited accountability for delays.
To address these shortcomings, the European Commission proposed new rules in 2023 to streamline enforcement, clarify roles, and speed up decisions in cross-border cases. But critics argue the proposal risks making things worse.
Instead of streamlining enforcement, critics say, the new rules do the opposite. “The aim was to make the procedures faster and simpler. But what we got is a totally crazy and probably unlawful procedure,” said Max Schrems, founder of the Austrian privacy NGO noyb, which has filed a string of GDPR complaints against major tech companies. Schrems warned the reforms could slow enforcement even further, adding unnecessary steps and procedural loops. “We now assume EU cases will take two to three years, while national cases must be decided in just three to six months,” he told Tech Policy Press.
Last week, EU institutions held what was expected to be the final trilogue on the proposal. However, according to MLex, the proposals were not finalized due to issues over procedural deadlines and judicial remedies. The next political meeting to finalize the regulation is expected in early June.
In addition to these enforcement reforms, regulators are also working on streamlining the interaction between the GDPR and AI Act. As the EU seeks to make its data rules more “business-friendly,” a growing chorus of experts and advocates warns that simplification should not come at the cost of substance. “This was supposed to be a simplification package,” said Schrems. “However, the new Procedures Regulation would massively slow down things and make them much more complicated. It's the exact opposite of a simplification package.”
