Civil society coalition urges EU to reject proposals to reopen the GDPR

In a joint letter coordinated by European Digital Rights (EDRi), civil society groups have called on the European Commission to ‘reject any reopening of the GDPR and reaffirm it as a cornerstone of the EU’s digital rulebook.’

The intervention follows reports that the Commission may consider adjustments to the GDPR through the fourth ‘omnibus package’ of legislative updates and potentially through future initiatives later in 2025. These proposals, according to the letter, could reopen the regulation under the pretext of simplifying compliance or aligning it with newer digital laws such as the Digital Services Act (DSA), Digital Markets Act (DMA), and AI Act.

EDRi and its co-signatories argue that any attempt to amend the GDPR would risk undermining one of the EU’s strongest and most globally influential legal frameworks for data protection. The GDPR, they note, sets high standards and safeguards people’s dignity in a data-driven world, and has become a model for privacy legislation worldwide.

The letter expresses deep concern that proposed changes may erode key principles of data protection, particularly accountability and consent. While some policymakers frame the potential revision as a “simplification,” signatories warn that such moves could:

• dilute requirements for companies to demonstrate compliance;
• weaken safeguards around user consent; and
• legitimise intrusive uses of personal data, including for AI model training, without meaningful user control.

The signatories stress that the GDPR’s accountability principle, the requirement that organisations not only comply with the law but also demonstrate how they do so, is essential to maintaining public trust and ensuring fair data practices. Removing or reducing these safeguards, they argue, would tilt the balance of power further toward large technology companies.

Broader geopolitical and policy implications

The open letter situates these concerns within a wider geopolitical context, warning that deregulatory pressures are not confined to Europe. Over recent years, foreign political and commercial actors have lobbied to weaken EU privacy and digital standards. The letter suggests that these external pressures are increasingly targeting not only the GDPR but also the EU’s broader digital framework,

According to the signatories, any move to reopen the GDPR could embolden such actors and set a precedent for revisiting other EU digital laws, undermining Europe’s global reputation as a defender of digital rights and rule-of-law-based governance.

The coalition’s recommendations

The letter outlines four key recommendations for the European Commission:

1. Reject any reopening of the GDPR and reaffirm its role as the foundation of the EU’s digital legal architecture.
2. Address implementation challenges through enforcement, not deregulation, by strengthening cooperation among national data protection authorities and ensuring consistent application across Member States.
3. Support compliance and legal certainty, especially for smaller entities, through better guidance, training, and resources rather than rewriting the law.
4. Resist both internal and external pressures that seek to dilute privacy and data protection rights in the name of economic competitiveness or trade negotiations.

Safeguarding Europe’s digital rights legacy

The coalition emphasises that the GDPR was designed to protect individuals in an era of expanding digital power asymmetries, where opaque, data-driven systems disproportionately affect marginalised communities.

Reopening the regulation, the letter warns, would jeopardise ‘hard-won rights’ and reverse progress made over the past seven years in establishing global privacy norms. Instead, the focus should remain on effective enforcement and resourcing for data protection authorities, ensuring that the GDPR’s original promise, to put individuals, not corporations, at the centre of the data economy.