GDPR simplification is not a simple matter
The atmosphere is changing around the idea of the EU General Data Protection Regulation (GDPR) as a solid structure.
The case for GDPR change
As the GDPR took years to negotiate and led to the European Parliament discussing 3,000+ proposed amendments, there has been an understandable desire to leave the text frozen since it became applicable in May 2018. It is well understood that the GDPR is a finely balanced structure, so there is a risk that interfering with one aspect could upset its delicate balance between individual rights and data controllers’ duties.
However, there has been increasing realisation that some data controller duties, such as Records of Processing, are heavy burdens for many Small and Medium Enterprises. For example, Malta’s Data Protection Commissioner is an advocate for change on the grounds that virtually all companies in his country are SMEs.
The problem is that some relatively small companies can be processors of sensitive data, for example relating to health or ethnicity. In a fair legal framework they should be subject to disciplines as strict as those which apply to larger companies.
Need to adapt right of rectification
For many years, the right to rectification without undue delay has been a basic right in privacy laws which is well understood as an aspect of fairness. It is the subject of Article 16 in the EU GDPR which is short and relatively simple.
This right certainly applies to correction of facts, but opinions are more difficult to resolve. While EU national DPAs take the view that AI systems must comply with GDPR principles, it is difficult to apply the right to rectification to AI systems. They often hallucinate and certain facts can be corrected in principle. However, AI systems also produce what appear to be opinions. A simple example is note-taking software which summarises meetings. I have noticed that the software often “misunderstands” the details of a discussion, mistakes which would not have been made by a competent note-taker.
An AI system produces “outputs” not “opinions” in a conventional sense. AI is increasingly used as part of a recruitment process, for example, by Unilever, Goldman Sachs and Walmart to measure candidates’ facial expressions, sociability, cognitive ability, emotional traits and body language.
If an AI driven system rejects a candidate, do these companies have protocols to enable failed candidates to make a subject access request to ask why the algorithm rejected them? Who acts as an arbiter in such cases?
The case for GDPR no change
European Digital Rights has taken the lead in representing 120 civil society organisations, academics, companies, trade unions, and experts in their letter to the European Commission on 19 May opposing reopening of the GDPR on the basis that:
- “The GDPR is more than a Regulation. It is the backbone of the EU’s digital rulebook, a hard-fought legislative achievement that sets high standards and safeguards people’s dignity in a data-driven world.”
- Although proposals to reduce burdens for SMEs are good in theory, simplification “could instead roll back key accountability safeguards… In practice, they could allow some companies to avoid keeping records of data processing (even when handling special categories of data) purely based on staff headcount or turnover.”
- It could erode the Regulation’s original foundation as a rights-based instrument, grounded in the recognition of personal data protection as a fundamental right.
- Simplification risks a worrying message: that people’s rights are expendable when economic interests are at stake.
- Deregulatory efforts rarely stop at ‘technical adjustments.’
- “Attempts to weaken the GDPR, [is] a strategy now extended to the entire EU tech rulebook.”
It remains to be seen which of these arguments will prevail in the current climate where the new US administration wants to press the stop button on the EU’s value system, not only on new regulation but also on much of the current data regulation.
Impact on international transfers
If the GDPR is weakened, the European Commission would find it easier to recognise many more countries as “adequate” and accept weaker cross-border transfer mechanisms including APEC’s Cross-Border Privacy Rules and the Global Cross-Border Privacy Rules. Professor Graham Greenleaf, PL&B’s Asia-Pacific Editor, provides evidence to describe these systems as a “dead parrot”. Although some national DPAs in Europe have held exploratory talks about reviewing possible EU equivalence of these international transfer mechanisms (and failed), the European Commission has not.
Africa
Several African countries are moving ahead with new privacy laws in a completely different socio-economic environment from that in Europe or North America. Our correspondent reports that Africa is the leading continent using mobile money, with more than 1.1 billion registered accounts, representing more than half of the global total. Therefore, privacy policy priorities in African countries are bound to differ from those in European countries. This different socio-economic context will mean that EU assessments for “adequacy” for Kenya and other countries in Africa, Asia and Latin America will need, to some extent, to take national circumstances into account.
Professor Greenleaf’s survey has recorded 172 countries with data privacy laws since 1973, which means that these laws exist nearly everywhere. Diversity of approach is inevitable.
He is delivering two presentations and chairing one session at The Good, the Bad and the Good Enough, the Privacy Laws & Business 38th International Conference at St. John’s College, Cambridge 7-9 July. We hope that you will join participants from around 20 countries either in person or online.
The programme has several themes including:
- How the GDPR applies to AI systems and management implementation
- The GDPR simplification agenda, and
- Your first opportunity to learn about the UK’s new Data Use and Access Act 2025 – expected to be enacted in the next few days.
Together with Editor, Laura Linkomies, Graham Greenleaf and other PL&B colleagues, I thank you for your continued subscription to PL&B Reports, welcome your feedback, and look forward to meeting you in Cambridge in just over a month from now.
Regards
Stewart Dresner
Publisher, Privacy Laws & Business
June 2025