Denmark to drive GDPR simplification: scaleups must not be forgotten

On Wednesday, European Ministers of Justice met in Copenhagen for an informal meeting hosted by the Danish Presidency of the Council of the European Union to discuss, among other things, the potential for simplifying and reviewing rules under the General Data Protection Regulation (GDPR).

The GDPR has been a hot topic since its adoption  in 2016. The European privacy framework remains one of the most comprehensive and strictest in the world, but many European companies are increasingly frustrated by the rigid interpretation of personal data and the heavy administrative burden required for compliance. 

At the same time, European lawmakers view the GDPR as a global benchmark and have been clear in their reluctance to reopen it - except for narrowly targeted efforts to reduce complexity and ease the regulatory burden.

Justice Ministers want to make the GDPR more business and user friendly

We are yet to see the Commission’s proposal for the GDPR simplification later this year, however, it’s becoming clear that it’s not just European business or industry ministers (or the industry itself), but also justice ministers who recognize that the GDPR poses a competitiveness challenge for many European businesses.

The host of the informal meeting, Peter Hummelgaard, Denmark’s Minister for Justice, referenced the Draghi report during his remarks:

“Like everybody knows, the Draghi report highlighted we have serious competitiveness challenges within the bloc. Therefore, during the Danish presidency we will set a focus on modernizing the regulatory landscape, by specially focusing on the GDPR”

Inese Lībiņa-Egnere, Latvia’s Minister of Justice, told journalists that the goal is to “make data protection more user-friendly”.

Annelies Verlinden, Belgium’s Minister of Justice, echoed the sentiment, emphasizing that while the GDPR remains “a very important regulation, we want to avoid extra administrative requirements. In Belgium we do have many SMEs and we don’t want to be too burdensome”. 

Commission wants targeted simplification, sees no need for broader review

Michael McGrath, the European Commissioner overseeing the GDPR review and simplification efforts, highlighted during the press conference that the European Commission has already proposed targeted simplifications in May to ease GDPR record-keeping obligations for SMEs, small mid-caps, and organizations with fewer than 750 employees. Last week, the Commission also hosted a GDPR implementation dialogue, offering select stakeholders an opportunity to share their experiences and ideas for further simplification.

Commissioner McGrath told journalists that there “isn’t any significant call for a dramatic (or radical) reopening of the GDPR”, reflecting the feedback gathered during the implementation dialogue with industry earlier this month.

“However, some stakeholders and a few Member States did make the case for targeted amendments. What was consistent across the board was the call for more practical and consistent guidance, as well as stronger stakeholder engagement from national DPAs and the EDPB. There’s also a clear need for more uniform application of GDPR rules across the EU”.

The Commission is working on two fronts: Executive Vice President Henna Virkkunen is leading the development of a European Data Union Strategy, aimed at streamlining the interplay between the Open Data Directive, the Data Governance Act, and the Data Act - with the goal of unlocking new investments and enabling more effective data sharing within and beyond Europe. Meanwhile, Michael McGrath is heading efforts to simplify the GDPR. 

In practice, the GDPR - or more often, its overly strict interpretation - is frequently used as a reason not to share data, undermining the Open Data Directive’s goal of greater public-sector openness and the Data Act’s ambitions for improved B2B data sharing. To truly address the challenges facing Europe’s data economy, these initiatives must reinforce one another - a politically complex, but necessary, task. 

What are the Danes proposing? Let’s not forget the scaleups

At the beginning of July, the Danish Presidency circulated a non-paper on the GDPR review, which includes several positive, business-friendly proposals. 

The examples of these proposals include 1) setting a minimum threshold for when data subject rights apply; 2) allowing SMEs more flexibility in low-risk data processing; 3) clarifying when Data Protection Impact Assessments (DPIAs) are required and considering exemptions or simplified procedures for SMEs; and 4) making complaints to Data Protection Authorities (DPAs) conditional on prior engagement with the data controller - to help prevent misuse, encourage resolution at company level, and, potentially, ease the workload of DPAs.

It is increasingly clear that neither the Commission nor the Danish Presidency will find the political will to reopen the GDPR for a broader review. However, it is essential that the changes proposed by the Danish Presidency are not limited to the traditional definition of small and medium-sized enterprises (SMEs) - those with up to €50 million in annual turnover and fewer than 250 employees. At the very least, they should follow the precedent set by the earlier simplification omnibus, which extended GDPR reporting relief to small and mid-caps, or companies with fewer than 750 employees.

This broader scope would allow GDPR simplification to better support the European data economy - including scale-ups - which are central to Europe’s competitiveness ambitions. 

These companies already face barriers such as strict interpretations of personal data under the GDPR, limited readiness of public institutions to share data, and reluctance from private actors to do the same. It’s crucial to ensure these high-growth firms are not overlooked in the reform process.

Europe’s traditional “think smal first” approach has its merits, but when it comes to GDPR reform, it must be complemented by a “don’t forget those who can scale while doing that” mindset.