Ever since the European Commission published its Digital Omnibus proposal, discussions about the workload the GDPR creates for businesses in Europe have intensified. Among other things, the Commission wants to restrict the Right of Access, allegedly to reduce the regulatory burden. But do these changes actually reflect the needs of privacy professionals working at companies? To find out more, noyb conducted a survey asking Data Protection Officers (DPOs) which elements of the GDPR take up most of their time – and where that time is best spent to ensure people's data protection.
It turns out that most professionals don’t want protections to be cut back, but want documentation duties and paperwork reduced. In many cases, they even ask for clearer laws instead of more ‘flexibility’, which is hard for most companies to manage.
Input straight from the source. The European Commission’s key argument for changing the GDPR is reducing the alleged ‘regulatory burden’ for European companies. However, the Commission isn’t cutting back on administrative steps, but has gone right for the ‘core’ elements of the law. Among other things, it proposes narrowing the definition of personal data, restricting the right of access and opening the floodgates for AI training. This raises the question: does this help the average EU company? Will it reduce the workload of internal Data Protection Officers (DPOs) and other compliance staff? noyb conducted a survey among DPOs and privacy professionals to answer exactly these questions – and to learn about the needs of people working with the GDPR every single day. Their responses often point in the opposite direction to the European Commission’s approach.
Max Schrems, Chairperson of noyb: “This study shows an enormous gap between the needs of real people working on compliance every day and the problems pushed by the ‘Brussels lobby bubble’. We are not helping normal EU business here – the Commission proposal often even cuts into what professionals see as useful.”
Data subject rights: Low workload, big impact. Interestingly, the majority of respondents said that complying with data subject rights (Articles 15 to 21) doesn’t create a lot of work. Most significantly, more than 70% said that the Right of Access (Article 15) creates only “some”, “little” or even no work. At the same time, it is seen as a useful tool for protecting people’s rights. This matches noyb’s real-life experience: most companies hardly ever receive subject access requests (SARs), while specific companies (Big Tech, data brokers or credit agencies) usually get a lot, but also have automated SAR responses. It’s therefore surprising that the European Commission's Digital Omnibus proposal still suggests limiting Article 15 GDPR, which would make it very hard for Europeans to enforce their privacy rights.
Core rules: relevant workload, big returns. As expected, the core rules under Articles 5 to 11 GDPR (e.g. the principles regarding the lawfulness of processing or the conditions for consent) generate a relevant workload. However, the respondents also ranked these rules as the second most useful elements of the law for protecting the rights of data subjects. The same goes for the transparency duties under Articles 13 and 14, which the European Commission also proposes to limit.
Real simplification: Move away from the “one size fits all” approach. While the “risk-based approach” of the GDPR was seen as a way to limit the burden on smaller companies within a “one size fits all” law, professionals report the exact opposite. In practice, it’s a common complaint that large companies can handle unclear texts and “risk” assessments that are open to interpretation, while smaller controllers don’t have the resources to do so. Respondents clearly favour a system with clear thresholds for company sizes, based on relevant metrics like user numbers – not employee numbers. Even though many of them represent larger companies (500+ employees), 70% of respondents said that there is a need for stricter rules for large companies.
Max Schrems: “For many years, there has been a debate about ‘tiering’ the GDPR, with class A, B or C companies. Right now, a tiny non-profit like noyb generally falls under the same rules as Google. Instead of doing so, the Commission wants to add flexible ‘risk’ elements to the law, which means that most companies would need a lawyer to know if an Article applies to them.”
Less “risk”, more clarity via whitelists and blacklists. 83.3% of the participants said that they favour a whitelist for processing activities, and 91.1% said they favour a blacklist for processing activities. A large majority takes the view that such lists would save companies “a lot of work” and create more legal certainty. Surprisingly, privacy professionals working for controllers do not feel that a “blacklist” (similar to Article 5 of the AI Act) would limit controllers too much. It seems that legal certainty is preferred over flexible laws.
Reduce B2B compliance costs. Surprisingly, the GDPR generates a large amount of compliance costs between businesses (“B2B”) that are not user-facing. Millions of contracts are drafted and managed between businesses. Simply having the law apply directly to providers like cloud hyperscalers could save millions of work hours – and actually improve privacy protections. DPOs would very much support such a simplification.
Max Schrems: “The Omnibus is not just on the wrong track for users, but also for most businesses. In many ways we have a ‘lose-lose’ proposal.”
Start of a broader debate. The points raised in this survey only mark the beginning of a larger debate sparked by the Digital Omnibus proposal. We do believe, however, that evidence-based changes to the GDPR could be beneficial for everyone: controllers, processors, data subjects and authorities. We hope that these first results can guide the way towards useful solutions for actual problems, instead of chasing buzzwords.