News

GDPR: EU may tighten rules on AI data processing

Commission to ease data protection rules for SMEs while simultaneously tightening AI-specific regulations, raising questions about whether penalties should require proof of misconduct

Key points: As we reported previously and as EU Commissioner Michael McGrath confirmed on April 3, 2025, GDPR rules are set to be eased for SMEs and organizations with fewer than 500 employees to improve competitiveness. The simplification is expected to focus primarily on record-keeping obligations while maintaining the core principles and objectives of the data protection regime.

Why this matters: These changes aim to balance the need for data protection with business competitiveness, while addressing the specific challenges posed by AI technologies. Among the expected changes are: 

  • Transparency requirements: Organizations will need to provide clearer information about the logic, significance, and consequences of automated processing.
  • Risk-based approach: The changes will introduce a more proactive, risk-based data governance approach for companies utilizing AI and algorithmic targeting.
  • Case-by-case assessment: Following the European Data Protection Board's recommendations, AI model anonymity will need to be determined on a case-by-case basis, considering whether personal data can be extracted from the model.

Our take on the situation: We've long highlighted the issue of regulatory overreach in EU data protection, so any reform efforts are certainly a step in the right direction. But the planned focus on the SME sector risks missing a major issue. Rather than being seen as a legal framework designed to protect EU citizens' personal data, GDPR is increasingly being wielded as a tool to pursue multi-million-euro lawsuits against multinational corporations.

Four years ago, we asked: Should every GDPR breach automatically constitute an offence? We still await an answer. Wouldn't it be more reasonable to reserve penalties for cases involving deliberate or actual misconduct? And shouldn't regulatory authorities bear the burden of proving such misconduct before imposing fines?

Meanwhile in the UK, as reported in the Guardian, a court has rejected the UK government's bid to keep a legal challenge by Apple secret. The case relates to a legal challenge brought by Apple against the UK government over its demand (under the Investigatory Powers Act) for access to Apple's Advanced Data Protection service, which heavily encrypts personal data stored remotely on its servers. Apple withdrew Advanced Data Protection from the UK rather than comply. The UK government argued that revealing the existence of the claim, as well as the names of the parties involved, would be damaging to national security.

 

ADDITIONAL INFORMATION:

2023 article on perceived GDPR weak spots 

EDPB opinion from late 2024 on AI data processing

Authors: Derek Mooney
