by Ulrich Kelber
The European Commission has, unexpectedly and deviating from long-communicated timelines, presented far-reaching proposals to amend the GDPR (and other regulations) as part of the “Digital Omnibus”. Many are now attempting to interpret the proposed rules, with assessments varying widely depending on perspective. Only a small number of stakeholders consider the proposals to be genuinely well-targeted and balanced.
How should one approach the European Commission’s proposal? Let us attempt an analysis of who might actually benefit from the proposed changes, which were presented in such haste and in disregard of the legislative standards developed over many years. Cui bono? And who, by contrast, will lose out or gain no advantages at all, even though necessary and feasible improvements have long been under discussion?
Fundamental rights under attack
Regarding the citizens of the European Union, I see only disadvantages in the Commission’s proposals. Their fundamental rights—particularly with regard to data protection, which is enshrined in Article 8 of the EU Charter of Fundamental Rights—are to be hollowed out by the Commission’s plans.
Rights of access are being curtailed, the (unnoticed or unwanted) harvesting of data from citizens’ devices is being facilitated, and the use of one’s own personal data for the training of AI models by third parties can no longer be effectively prevented. Particularly problematic is the European Commission’s redefinition of what constitutes personal data within the meaning of the GDPR. This risks a dam break in favour of processors of “pseudonymised” data, for example in the advertising industry or among data brokers. Numerous avenues for circumvention are emerging. This is likely also a consequence of the fact that the Commission completely dispensed with an impact assessment when drafting its proposal.
For individuals or associations seeking easier compliance with data protection rules, the Commission’s proposals provide no help at all. On the contrary, many of the envisaged provisions create new legal uncertainties. Ideas put forward by data protection supervisory authorities, academia, data protection activists such as Max Schrems, or Members of the European Parliament were simply ignored by the Commission.
The work of data protection supervisory authorities will be made more difficult by impractical rules, weaker control mechanisms, and new, unclear legal questions. If records of processing activities are no longer required and evidence of appropriate organisational and technical measures is eliminated, oversight will become more reactive, while preventive action through guidance will be hampered. New tasks such as those arising from regulatory sandboxes (which may be sensible in themselves) will tie up resources that chronically underfunded data protection authorities already lack and that would otherwise be needed for inspections and enforcement.
SMEs do not benefit
Small and medium-sized enterprises were supposedly the primary target group for easing compliance with the GDPR, yet they benefit little, if at all, from the Commission’s legislative proposal. The loopholes created by the new rules can hardly be exploited by companies without in-house legal departments or the financial means to engage expensive law firms. As a rule, SMEs also do not operate purely data-driven business models, yet in principle they must comply with almost the same requirements as Big Tech and bear a comparable documentation burden.
On the contrary, changes to established rules create new legal uncertainty for SMEs. What would truly help them would be a more risk-based GDPR, reduced documentation obligations, and manufacturer liability ensuring that software and IT systems can be operated in a data-protection-compliant manner. At present, responsibility rests solely with SMEs—an untenable situation.
Start-ups are likewise not among the beneficiaries of the Commission’s proposal. They depend on clear, stable, and enforceable rules, as they lack both extensive legal departments and the ability to “sit out” regulatory risks. Weakening enforcement and supervision therefore does not expand their room for manoeuvre; instead, it increases fragmentation and uncertainty, with rising advisory and investment costs as a consequence. Moreover, investors are less interested in symbolic deregulation than in reliable legal certainty, which after the initial phase allows them to earn a dependable return on their risk capital.
Larger European companies—especially those with data-intensive business models—might benefit in some areas from reduced obligations under the GDPR (and the AI Act), as they can cope with newly emerging legal uncertainties by drawing on legal advice. However, this is deeply frustrating for the large number of companies that have invested in legally compliant implementation of their business models and now face the prospect of losing this hard-earned, perceived competitive advantage overnight.
The fact that the European Commission and numerous national governments (such as Germany), driven by panic over Europe’s digital lag, the current economic downturn, and pressure from the US Trump administration, also seek to weaken other digital legal acts such as the DSA and DMA should set alarm bells ringing even among Europe’s largest companies. Instead of finally enforcing the European rules that were adopted for good reason and thereby ensuring a level playing field, the competition-distorting legal violations of Big Tech are being retrospectively legitimised, and the transfer of their market power into ever more sectors at the expense of European companies is being accepted by the Commission. How can one seriously believe that weakening standards under the DMA would promote innovation among European companies, when at present only a single European company (booking.com) is actually subject to the DMA’s obligations?
So: Cui bono?
If the European Commission succeeds with its ambush-style approach, the primary—and almost exclusive—beneficiaries will be Big Tech companies from the United States and, in the longer term, China. These companies have amassed vast troves of data on Europeans, often in manifestly unlawful ways, which they will then be able to use far more freely for new business models and the extension of their market power.
Big Tech remains, in essence, subject to largely the same rules as the small corner shop, despite the far greater threat their business models pose to citizens’ fundamental rights. Newly created legal uncertainty and newly opened loopholes (not least due to the omission of evidence-based policymaking and impact assessments in the Digital Omnibus) can easily be exploited by Big Tech to its own advantage through access to virtually unlimited legal resources.
The result will be less European value creation and less European digital sovereignty. The Commission’s approach thus amounts to little more than deregulation and innovation PR—without positive effects, but with considerable collateral damage.
It is now up to the Member States and the European Parliament to reject the European Commission’s flawed proposals and to initiate genuine improvements to the GDPR. With its initiative, the Commission has opened the law to amendment; it is for the legislators to use that opening responsibly.
Prof. Ulrich Kelber, former head of the German DPA (BfDI, Bundesbeauftragter für den Datenschutz und die Informationsfreiheit)