How to undertake GDPR reform the right way

In a guest post for the Future of Privacy Forum (FPF), Christopher Kuner, Visiting Fellow at the European Centre on Privacy and Cybersecurity at Maastricht University, has considered former Italian Prime Minister Mario Draghi's report in 2024 calling for reform of the EU General Data Protection Regulation (GDPR) to boost European competitiveness, particularly in artificial intelligence (AI). Kuner writes that while Draghi validly criticised the inconsistent and fragmented implementation of the GDPR by Member States, his subsequent call for a "radical simplification" of the law has fuelled public discussion about fundamental changes.

Under political pressure following the report, the European Commission proposed a GDPR Omnibus package without public consultation in May 2025, containing targeted amendments such as eliminating record-keeping for smaller data controllers. The Commission is also expected to announce a broader Digital Omnibus later this year to simplify data legislation and reduce the burden on businesses.

Kuner argues that any reform must be evidence-based, targeted, transparent, and protect fundamental rights. He also notes that the idea of data protection law throttling growth is a historical claim that has proven hyperbolic. The article goes on to caution that the GDPR is finely balanced, and hasty, untargeted reforms risk creating legal uncertainty and undermining the high level of protection. He concludes that while discussion of improvement is not taboo, any reform must recognise data protection as a fundamental right. Any necessary changes should be limited to clearly-defined priorities, such as addressing fragmentation in Member State implementation, without altering the GDPR's core principles or reducing individual protection.

Training Announcement: Freevacy offers a range of independent data protection qualifications from IAPP and BCS. Our certified courses are available at foundation and practitioner levels and cover multiple legal jurisdictions, data protection operations management, and the implementation of complex privacy solutions in technical environments. Find out more.