Euronews
Romane Armangau

Commission to offer mid-cap companies data protection relief in simplification plan

The European Commission will offer relief to small mid-cap companies burdened by the current scope of the General Data Protection Regulation (GDPR) in a rule simplification package known as an Omnibus to be published on Wednesday, according to a working document seen by Euronews. 

Currently, companies with fewer than 250 employees are exempt from the data privacy rules to reduce their administrative costs. The Commission now proposes to extend this derogation to so-called small mid-cap companies.

Small mid-cap companies can employ up to 500 employees and have higher turnover. Under the plan - the Commission's fourth such Omnibus - such companies will only have to keep a record of the processing of users’ data when it is considered “high risk”, for example private medical information.

The change comes seven years after the GDPR took effect. Since then the rulebook has shielded consumer data from US tech giants but is also perceived as burdensome for smaller and mid-sized companies that often did not have the means to hire data protection lawyers.   

The biggest fine issued under the rules so far is €1.2 billion on US tech giant Meta: the Irish data protection authority fined the company in 2023 for invalid data transfers.  

Although fines are generally lower for smaller businesses, at up to €20 million or 4% of annual turnover they remain significant.  

In the Netherlands for example, VoetbalTV, a video platform for amateur football games, was fined €575,000 by the Dutch privacy regulator in 2018. Although the company appealed and the court overturned the fine, it had to file for bankruptcy.  

Lower fines

Both EU lawmaker Axel Voss (Germany/EPP), who was involved in steering the legislation through the European Parliament, and Austrian privacy activist Max Schrems, whose organisation NOYB filed numerous data protection complaints with regulators, called for different rules for smaller companies earlier this year.  

Under the plan, 90% of the businesses, small retailers and manufacturers, would face only minor compliance tasks: they would no longer need an in-house data protection officer, would not have to produce excessive documentation, and would be subject to lower administrative fines, capped at €500,000.

Voss said his proposal would not weaken the EU’s privacy standards, but make it “more enforceable, and more proportionate”. 

Similar calls are coming from the member states: the new German government stressed in its coalition plan that it will work at EU level to ensure that “non-commercial activities (for example, associations), small and medium-sized enterprises, and low-risk data processing are exempt from the scope of the GDPR.”

Concerns from civil society

By contrast, civil society and consumer groups have warned that the Commission’s plan to ease GDPR rules could have unintended consequences.  

On Tuesday, privacy advocacy group EDRi stated in an open letter that the change risks “weakening key accountability safeguards” by making data protection obligations depend on company size rather than the actual risk to people’s rights. It also fears this could lead to further pressure to roll back other parts of the GDPR. 

Consumer advocates share similar concerns. In a letter from late April, pan-European consumer group BEUC warned that even small companies can cause serious harm through data breaches. It argued that using headcount or turnover as a basis for exemptions could create legal uncertainty and go against EU fundamental rights.

Both groups say the focus should instead be on better enforcement of existing rules and more practical support for small companies. 

Parallel talks on GDPR enforcement rules

Meanwhile reforms of the data privacy law are under negotiation between the Council and the European Parliament. A new round of political discussions on the GDPR Procedural Regulation is expected to take place on Wednesday.  

EU institutions are attempting to finalise a long-awaited deal to improve cooperation between national data protection authorities. The regulation is meant to address delays and inconsistencies in how cross-border cases are handled under the GDPR, by harmonising procedures and timelines. 

According to experts familiar with the file, one of the main sticking points is whether to introduce binding deadlines for national authorities to act on complaints. While the Parliament has pushed for clearer timelines to speed up enforcement, some member states argue that fixed deadlines could overwhelm authorities and increase legal risks. 

This change is however not expected to impact the Commission's 4th Omnibus package. 
