108 civil society organisations (including IFEX), academics, companies and other experts have called on the European Commission to protect people's rights and dignity in a data-driven world by reaffirming the GDPR as the cornerstone of EU’s digital law and supporting its rigorous enforcement.
This statement was originally published on article19.org on 20 May 2025.
ARTICLE 19, together with EDRi and 106 civil society organisations, academics, companies, trade unions, and experts is calling on the European Commission to reject any reopening of the General Data Protection Regulation (GDPR), and to reaffirm it as a cornerstone of of the EU’s digital rulebook.
Dear Executive Vice-President Virkkunen, Dear Commissioner McGrath,
We write as civil society organisations, academics, companies, trade unions, experts and others alarmed by a growing risk: that the most important digital rights law seems set to be quietly unravelled. We are gravely concerned about ongoing proposals to reopen the General Data Protection Regulation (GDPR), including changes expected as part of the fourth omnibus package, and mounting rumours that the GDPR will be further reopened in subsequent initiatives later this year or beyond.
The GDPR is more than a Regulation. It is the backbone of the EU’s digital rulebook, a hard-fought legislative achievement that sets high standards and safeguards people’s dignity in a data-driven world. Its impact reaches far beyond the EU’s borders, influencing digital governance globally.
Proposals to amend certain provisions intended to support small and medium-sized companies to increase legal certainty and strengthen enforcement are good in theory. However, we are concerned that the proposed changes risk, unsupported by any evidence, missing the mark of genuine simplification, and could instead roll back key accountability safeguardsand with them, the accountability principle itself. In practice, they could allow some companies to avoid keeping records of data processing (even when handling special categories of data) purely based on staff headcount or turnover.
This shift undermines what is often called the GDPR’s ‘risk-based approach’, a mechanism for calibrating obligations according to the potential harm to people’s rights and freedoms, not company size. More fundamentally, it could erode the Regulation’s original foundation as a rights-based instrument grounded in the recognition of personal data protection as a fundamental right. Data rights do not become less important when the controller is smaller; and people’s vulnerability to harm does not shrink accordingly.
While competitiveness is important, using it to justify exemptions from core protections sends a worrying message: that people’s rights are expendable when economic interests are at stake. But sustainable competitiveness depends on trust, accountability, and fairness, not on lowering standards. It also relies on other factors that have nothing to do with regulation: long-term investment, robust infrastructures and coherent enforcement. The GDPR, which is technologically neutral, supports innovation precisely by ensuring that people’s rights are respected and that businesses operate on a level playing field. Many companies and Data Protection Officers (DPOs), including those of us signing this letter, do not support reopening the GDPR. On the contrary, there is broad recognition that obligations such as those under Article 30 help ensure compliance and foster responsible data practices.
In our experience, deregulatory efforts rarely stop at ‘technical adjustments.’ Once reopened, the GDPR could become vulnerable to broader deregulatory demands. Many such pressures are already visible, including calls to weaken rules on consent with no effective safeguards for users, or legitimise invasive uses of personal data for AI training.
We also cannot ignore the geopolitical context. Over the past years, calls from foreign commercial and political actors to loosen the EU’s digital protections have consistently started with attempts to weaken the GDPR, a strategy now extended to the entire EU tech rulebook, including the DSA, the DMA and the AI Act – and already underway for corporate accountability and environmental justice. Weakening the GDPR would also harm the EU’s credibility. The Regulation is still widely cited as a benchmark for rights-based digital governance. Undermining it would send a signal that the EU is willing to abandon its own standards under pressure, further eroding trust in its digital policies.
The GDPR is presented by some as an obstacle to aggressive data extraction models that rely on opacity, manipulation, and disregard for rights. These are often the same actors who work to evade meaningful enforcement. Undermining the GDPR would not only weaken protections for people in the EU; it would send a signal globally that rights-based regulation is negotiable under pressure.We share the concern that the current compliance model can feel burdensome, especially for smaller entities acting in good faith. But weakening legal protections is not the answer. Instead, the EU needs to invest in real enforcement of existing rules against repeat offenders, while improving guidance, access to tools, and proportional compliance support for smaller actors.We urge the European Commission to:
- Reject any reopening of the GDPR – no matter how limited it may appear – and reaffirm the Regulation’s integrity as a foundation of EU digital law;
- Recognise that current implementation challenges can be solved by effective enforcement with clarity and not deregulation;
- Continue to support compliance mechanisms and legal certainty, not by rewriting the law but by ensuring greater support and assistance, especially for smaller entities;
- Resist external and internal pressures that seek to trade away people’s rights in the name of competitiveness or trade interests.
The GDPR was designed to protect people in the face of growing digital power asymmetries, which disproportionately harm communities that have been systematically marginalised for decades. It is not broken, but the pressure to break it is real. Reopening it now would risk turning back the clock on hard-won rights.
We remain at your disposal for dialogue and urge you to stand firm in defence of fundamental rights.
