Radical Change to GDPR Seen as Unlikely -- But It Could Be Streamlined
Until recently, there was no real political appetite to reopen the General Data Protection Regulation, though it was becoming increasingly necessary to align GDPR with other data-related EU laws such as the Data Act and to streamline it, Linklaters IT, data and cyber attorney Tanguy Van Overstraeten said in an interview Friday.
Sign up for a free preview to unlock the rest of this article
This may now change with the recent announcement that EU Justice Commissioner Michael McGrath wants to include the GDPR as part of the third phase of the EU's regulatory simplification process, Van Overstraeten said.
On March 13, McGrath confirmed, according to a transcript, that the GDPR will be simplified as part of EU efforts to cut red tape and simplify rules for citizens and businesses. The regulation will "feature in a future omnibus package, particularly around the recordkeeping for SMEs [small and mid-sized enterprises] and other small and medium-sized organizations with less than 500 people," McGrath said.
"Potential adjustments to the GDPR" are under consideration as part of the simplification exercise, an EC spokesperson emailed us Friday. It's too early, however, to anticipate the content or scope of the next omnibus package, he said.
The omnibus reform focuses primarily on simplifications for SMEs, Van Overstraeten said. However, he foresees that policymakers may find other ways to align the GDPR with legislation such as the Data Act, and that there may also be efforts toward making the European Data Protection Board more responsive to actual issues when it publishes guidance (see 2412180004).
The GDPR is already being supplemented, said Van Overstraeten. Talks between the European Parliament and Council on a regulation that is due to streamline cross-border enforcement of the GDPR are moving quickly, and, if adopted, the regulation will show that the GDPR can be modernized without a radical reworking that may open a Pandora’s box, he said.
In addition, a set of new laws such as the Data Act, Data Governance Act and the European Health Data Space Regulation also address information that may include personal data, Van Overstraeten noted. There's a need now to reassess how to combine all these rules, including the GDPR, to make it feasible for people and businesses to comply.
The GDPR has been imitated in many countries, some of which have enacted even tougher rules, Van Overstraeten noted. If it's reopened, it's unclear what the global benchmark would then be, he said.
Axel Voss, a German Member of the European Parliament from the European People's Party Group, has proposed changing the GDPR from its current one-size-fits-all approach to a tiered, risk-based approach along the lines of the EU AI Act (AIA). Van Overstraeten said Voss's view was an isolated one until recently (see 2503070001).