Since its entry into force in May 2018, the General Data Protection Regulation (GDPR) has been considered the central framework for handling personal data within the European Union. Its aim is to strengthen citizens’ rights in the digital space and to obligate companies to practice transparent and responsible data protection. Despite its pioneering status, the GDPR is frequently criticized—especially by small and medium-sized enterprises (SMEs)—as overly bureaucratic and difficult to implement. Now, a comprehensive reform is planned for 2025. With its proposals, the European Commission seeks to reduce existing hurdles and adapt the regulation to current technological developments such as artificial intelligence (AI) and big data—without compromising fundamental data protection rights. But can this balancing act succeed?
Why GDPR Reform Is Now on the Agenda
The proposed GDPR reform was officially introduced in spring 2024. Since then, additional proposals have emerged, all pursuing a central goal: making the regulation more practical and efficient. Two key objectives are in focus:
- Relief for SMEs by reducing excessive obligations
- Adapting the GDPR to technological innovation
While business associations such as Bitkom and the BDI welcome the reform, data protection advocates and civil society organizations like noyb warn of serious risks to EU citizens’ fundamental rights.
Reducing Bureaucracy for SMEs: Relief or Risky Exception?
A core element of the reform is the planned relief for small and medium-sized enterprises. Companies with fewer than 750 employees would be exempt from certain documentation requirements—such as processing records or data protection impact assessments—provided no high risk is involved.
The EU Commission justifies this step by citing the need to align the GDPR with business realities. The current “one-size-fits-all” approach places a disproportionate burden on SMEs with limited resources.
Surveys show that many companies are not fundamentally opposed to data protection—they simply struggle with the practical implementation of its requirements. A shift toward differentiated regulation could offer much-needed relief.
However, critics argue that this differentiation sets a precedent: data protection rights could be weighted differently depending on company size. This would contradict the European fundamental right to informational self-determination.
Jurisdictional Flexibility: Streamlining or Strategic Loophole?
Another significant aspect of the GDPR reform concerns the jurisdiction of data protection authorities. Currently, the principle is that in cases of cross-border processing, the authority at the company’s main establishment takes the lead.
In the future, this model is to be made more flexible to accelerate procedures and reduce legal uncertainty.
Yet practice already reveals weaknesses in the system: companies like Meta and Google benefit from the Irish Data Protection Authority being responsible for them—an authority repeatedly criticized for slow response times and weak enforcement.
Too much flexibility could allow corporations to strategically choose “data-friendly” authorities—clearly a setback for EU-wide harmonization of data protection oversight.
Technological Change: How AI and Big Data Challenge the GDPR
A major driver of the reform is technological progress. The GDPR was created at a time when automated decision-making, algorithmic profiling, and AI systems were still fringe topics. Today, they are central to digital business models.
Therefore, the Commission proposes:
- Clearer definitions of terms like “personal data” and “automated decision”
- Reassessment of pseudonymized or aggregated data
- Technology-neutral solutions that uphold data protection standards
Industry representatives welcome this move, hoping for legal clarity to support data-driven innovation. Companies want to better understand what compliant AI applications should look like.
But data protection advocates urge caution: in practice, pseudonymized data is often re-identifiable—especially when analyzed using AI across large datasets. A premature opening could foster misuse and undermine fundamental rights.
Civil Society Criticism: Lack of Transparency and Inclusion
It’s not just the content but also the legislative process itself that faces sharp criticism. Civil society organizations complain that economic interests dominated the drafting of the reform.
NGOs, data protection experts, academics, and civil rights groups were barely involved. This one-sidedness threatens the legitimacy of the entire legislative process and could erode trust in EU institutions.
Civil society therefore calls for a transparent debate, balanced representation of interests, and an independent impact assessment that also considers long-term risks to democracy and the rule of law.
Conclusion: GDPR Reform as a Balancing Act Between Innovation and Rights Protection
The planned GDPR reform of 2025 is undoubtedly necessary—not least to align regulation with the realities of modern data processing. Targeted relief could benefit especially small and medium-sized enterprises. Greater clarity is also needed in dealing with emerging technologies like AI and data analytics.
But modernization must not come at the expense of data protection and digital self-determination. The challenge lies in finding a fair, practical, and legally sound solution. One thing is clear: if data protection is weakened, Europe risks not only losing trust but also its leading role in global data law.
