The European Union has long set the benchmark for digital regulation, having established robust legislation such as the General Data Protection Regulation (GDPR), the Digital Markets Act (DMA), and most recently, the Artificial Intelligence Act (AI Act). Through such frameworks, the EU has cemented its position as a pioneer in protecting data privacy, managing competition, and ensuring accountability. 

These comprehensive regulatory standards, however, have also been accompanied by some challenges. Member States and relevant actors in the tech field have been growing concerned that the increase in legislation may also increase the associated bureaucracy and, in turn, hinder innovation. Such concerns stem from the belief that the proliferation of laws may stifle innovation and burden startups and businesses with complicated rules.  

In response, the European Commission is exploring potentially simplifying the EU’s digital legislation. This initiative aims at reducing procedural burdens without compromising the core objectives of the legal instruments. Ultimately, the EU seeks to balance the need to support innovation with the importance of upholding strong protections. The shift towards simplification comes at a critical time whereby the EU is seemingly being outpaced by the US and China in tech innovation. Therefore, streamlining certain regulatory obligations is believed to be an effective step towards closing that gap.

Current Status and Ongoing approach

The complexity of the EU’s digital regulation is a product of the cumulative impact of multiple legislations regulating the Union’s digital landscape. For instance, companies that develop AI tools must comply with data protection protocols under the GDPR, ensure algorithmic transparency under the AI Act, and maintain platform responsibilities enshrined in the DSA. The frameworks, which overlap in some aspects, have seemingly created some legal uncertainty. 

In recognition of such challenges, the European Commission has begun exploring the possibility of simplifying laws in hopes of encouraging investment in the EU’s tech industry. Central to this simplification effort is the “Omnibus” package, which aims at reducing the red tape for small and medium sized enterprises (SMEs). By focusing on empowering SMEs and firms that may lack the financial and legal capital needed to navigate several regulatory hurdles, the EU hopes to enhance innovation and competition in the region. 

In pursuit of helping SMEs, simplification proposals are aimed at mitigating regulatory redundancies. One potential change, for example, suggests reducing the compliance and reporting obligations for SMEs. Under the GDPR, companies with less than 250 employees are exempt from record-keeping for their data processing activities, unless said data processing activities involve sensitive data or could pose a risk to data subjects. However, the new proposal would raise the threshold to 750 employees while limiting record-keeping to “high-risk” activities. Moreover, reporting obligations and administrative costs are set to be reduced by approximately  25%, for all companies and up to 35% for SMEs. The belief is that a 25% reduction could amount to €37.5 billion in savings for businesses. 

Furthermore, simplification also addresses the absence of harmonized compliance standards that companies face. Through establishing common specifications to demonstrate compliance, companies would operate under legal certainty and incur fewer costs. These are just some examples of the objectives and potential benefits that simplification aims to achieve in order to increase competition in the single market. Nevertheless, the plan of simplification is faced with some hurdles. 

Backlash and the Way Forward 

Policy makers and civil society organizations alike have voiced their concerns about possible adverse effects. The European Digital Rights (EDRi) network, for instance, has highlighted the possibility that a shift towards simplification may undermine key accountability safeguards. The group states that having data protection obligations rely on company size as opposed to the actual risk on people’s rights may weaken data protection standards set out by the GDPR. Evidently, at the heart of such concerns, is the fear that revisiting existing legislation may come at the cost of people’s rights. To this point, some criticisms have touched on the risks associated with raising the thresholds in the GDPR, and how that could potentially reframe the core focus of the regulation. Experts are concerned that streamlining regulations in pursuit of economic growth could dilute the safeguards to human rights provided by these legal instruments. 

The concerns pertaining to simplification, however, are not only limited to the GDPR as the Omnibus simplification package has targeted other regulations. To illustrate, reducing the due diligence obligations established under the Corporate Sustainability Due Diligence Directive (CSDDD) has serious environmental ramifications. Companies are no longer obliged to terminate business relationships as a last resort in situations whereby adverse environmental impacts cannot be controlled. Moreover, the narrowed scope of the CSDD would exclude roughly 80% of European companies from sustainability reporting as the obligation only extends to companies with over 1,000 employees and turnover exceeding €50 million. Consequently, the reporting of serious violations such as forced labor and deforestation could be difficult to stop and prevent. Through these weakened accountability mechanisms it would seem as though corporate interests are taking precedence over human rights protections. Therefore, the move towards simplification requires navigating a complex impasse between innovation and principle.

 It is in the best interest of the EU to pivot towards being a competitor in the tech innovation sector, but that must be done without weakening the protection mechanisms that have been established. If not carefully assessed, simplification could reduce accountability and strengthen the position of dominant market actors. Notably, while regulation does play a role in affecting the EU’s competitiveness, it is not the sole factor influencing innovation. Several tech policy experts have stated that the lack of competitive innovation in Europe will not be resolved by solely focusing on regulation, shedding light on market-related factors that must also be recognized. As noted by the PLMJ Chair in Law and Technology at Católica Global School of Law and Católica Lisbon School of Law, Giovanni De Gregorio, startups struggle to develop in Europe not only due to regulation but also because of less private investments and venture capital. 

Additionally, addressing the lack of harmonization in regulations remains important. While there has been movement towards addressing the regulatory fragmentation, the ability for companies to grow remains limited by interpretations of EU law at a national level and overlapping frameworks. Consequently, the presence of various legislative instruments have made it difficult for business, especially smaller-sized firms, to operate. Claudia Canelles Quaroni, Privacy and Safety lead at CCIA Europe, stated that the reframing of the GDPR will only help “0.2% of EU companies” and the priority should instead be on implementing uniform data protection rules. Furthermore, when it comes to data processing, the size of the company is not what is important, but rather the risks pertaining to the data collection and processing activities. In the absence of appropriate protections, even small-size companies can cause harm. As such, conflating robust data protection with stifled innovation is a false understanding of the issue at hand. 

In line with these arguments, the way forward should be to view the EU’s robust digital legislation as a tool to incentivize innovation, and not an obstacle. With respect to the GDPR, strong data protection laws with clear enforcement procedures create an environment of legal certainty for both companies and the consumer. Comprehensive legislation with strict accountability measures reassures consumers that their data is handled responsibly and encourages them to engage with businesses. 

The goal should always be upholding the model of fairness and transparency, considering that simplification, if not carefully planned, risks weakening the law to the benefit of large firms that would exploit any regulatory gaps. Simplification could set a domino effect towards deregulation and weakening accountability mechanisms, possibly causing detriment to the digital ecosystem that the EU has established. Future regulations should allow for innovation by creating laws that ensure accountability but also create an environment that allows firms to scale. One avenue in achieving this goal would be engaging with SMEs at a policy making level to better understand the difficulties they face when adhering to legislation. Ensuring clarity and coordination should be the priority moving forward, and innovation will follow suit. 

The EU’s simplification is a significant moment in the Union’s approach to digital regulation. There is an opportunity to refine the current framework, while also upholding regulatory principles. Simplification has promising benefits, especially for startups and small players, but the challenge will be ensuring that the EU’s standing on effective regulation is not reduced.