Michael McGrath, EU commissioner for democracy, justice, the rule of law and consumer protection, speaks at a confirmation hearing in 2024. Image: European Parliament

Europe preparing to ‘ease the burden’ of landmark data privacy law

The European Commission is now finalizing a plan to simplify and potentially remove many of the regulatory requirements imposed by the continent’s complex and far-reaching General Data Protection Regulation, particularly those impacting small and medium-sized businesses.

The commission is working on a plan to simplify the law in order to “ease the burden” on smaller organizations while “preserving the underlying core objective of our GDPR regime,” Michael McGrath, the European commissioner overseeing data privacy laws, said in a recent interview at the Center for Strategic and International Studies (CSIS).

At the end of March, Danish Digital Minister Caroline Stage Olsen reportedly told journalists that while there are many positive features in the GDPR and privacy is paramount, Europe needs “to make it easy for businesses and for companies to comply.”

“We don’t need to regulate in a stupid way,” she said. Denmark takes charge of running the EU Council — which sets the bloc’s political direction and policy priorities — in the second half of this year.

The goal is to “improve the competitiveness” of the European economy through a “whole range of simplification measures,” McGrath said in the interview last month.

The plan for changing the GDPR will be unveiled by May 21, according to a European Commission agenda.

One goal is to simplify the record-keeping requirements to which small and medium-sized enterprises with fewer than 500 people are subjected, McGrath said.

“We’re working through that process at the moment,” McGrath said.

Data privacy experts told Recorded Future News they are watching closely, and with some concern, to see how far the simplification process goes and to what extent privacy protections are undermined. 

The rigorous GDPR standards, which were implemented in 2018, are widely regarded as the toughest in the world and are widely heralded by the privacy community.

Reform on the horizon

There have been signs that the standards will be significantly reformed since September, when a tough report on European competitiveness released by former Italian Prime Minister Mario Draghi homed in on the law.

The report cautioned that the GDPR and what it called other overly burdensome regulations are keeping the EU’s economy from effectively competing with China and the U.S.

"The EU's regulatory stance towards tech companies hampers innovation," Draghi’s report said of the GDPR and the regulatory landscape in Europe generally.

The report asserted that reforms are needed because Europe will no longer be able to count on factors that have driven growth in past years.

Inconsistent GDPR enforcement country by country creates an administrative burden for European companies, the Draghi report said.

Because the GDPR allows member states to set privacy rules in 15 areas, the law has led to “fragmentation and legal uncertainty,” the report said. 

Different countries' data regulators enforce the GDPR to varying degrees, making compliance difficult for businesses to navigate, the report said, and in some countries multiple regulators enforce the law.

“This could hinder cross-border entrepreneurship and innovation, including the development and deployment of new technologies and cybersecurity solutions,” the Draghi report said.

For example, European countries define the age of consent differently, the report said, creating uncertainty for how to comply with elements of the law relating to children’s data protection rights.

Compliance costs for companies adhering to children’s data protection rules range from €500,000 ($546,000) for small and medium-sized businesses to €10 million ($10.9 million) for large companies, the report said.

For data-intensive industries, such as software, GDPR compliance can cause costs to spike by as much as 24%, the report said, citing a report from the U.S.-based National Bureau of Economic Research.

The GDPR’s inconsistent implementation and enforcement country by country also creates the risk of European companies being “excluded from early AI innovations because of uncertainty of regulatory frameworks as well as higher burdens for EU researchers and innovators to develop homegrown AI,” the report says. 

“This calls for developing simplified rules and enforcing harmonised implementation of the GDPR.”

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.