“Everyone has the right to respect for his private and family life, his home and his correspondence.” — European Convention on Human Rights, Article 8, 1950
GDPR translates this principle for the digital era, as personal data processing has permeated everyday life.
New technologies, new privacies?
GDPR will be a decade old next year, in 2026. Since its adoption, technologies have changed drastically, as has the online behaviour of citizens.
With this pace of change, the question is not whether GDPR’s values still apply, but how they meet today’s technologies and practices.
The General Data Protection Regulation, or, in full, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, has been in force since 25 May 2018. The GDPR focuses on the protection of natural persons with respect to the processing of personal data and regulates the movement of such data. It embodies European values of individual agency and freedom, and it aims to protect individuals’ rights in a fast-paced digital transition.
These values translate into several core principles: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.
The European Union has been at the forefront of protecting citizens’ rights in an increasingly digitised world, and the GDPR is one of the most important testimonies to this, along with the flagship Digital Services Act and Artificial Intelligence Act, to name but a few. The GDPR has been considered a clear example of the ‘Brussels effect’, and is often referred to as the “gold standard” legislation on data protection.
However, in the last few years an increasingly complex global context has pushed the European Commission to pursue competitiveness, especially through regulatory simplification. This is particularly true for the digital sector. While this simplification push aims to allow the bloc to compete on the global stage, there are fears that it could reduce the safeguards and protections for European citizens’ rights.
Reform on the table: simplification and overhaul
As technologies scale and diversify, policymakers are asking whether the rules need targeted tuning or broader reform, as shown by recent European Commission proposals such as the Digital Omnibus.
The GDPR is undergoing revisions to simplify compliance for small and medium-sized enterprises and to improve enforcement procedures. Prior to the release of the Digital Omnibus Proposal, Commissioner Michael McGrath (Democracy, Justice, the Rule of Law and Consumer Protection) confirmed that the GDPR would undergo a simplification process, which eventually came to encompass a proposed reduction of record-keeping requirements also for companies with 250 employees or more, raising the upper limit to 749.
According to MEP Axel Voss, Europe faces a clear choice on GDPR reform: “either we revise the GDPR to enable digital innovation while safeguarding privacy, or we continue down a path that leads to stagnation and increasing reliance on foreign technology.” In his view, revising the GDPR is essential to unlock Europe’s digital future.
The release of the Digital Omnibus proposal, however, has also raised concerns among privacy advocates, who argue that the proposed amendments would risk jeopardising cornerstone measures protecting the privacy of European citizens. Taken together, these signals sketch a spectrum of reform, from simplification for SMEs to broader changes intended to support innovation while preserving rights.
The CSAM debate: safety, scanning, privacy
During its presidency of the Council, Denmark has given high priority to the Regulation on Child Sexual Abuse Material detection (CSAM).
In 2023, the European Commission proposed a regulation, the CSAM proposal, that would require digital communication apps to scan the communications of EU citizens, even if they were not under suspicion. This proposal has faced criticism from academics, privacy regulators, and the Council of the European Union’s internal legal experts for violating the essence of the fundamental right to privacy. However, it is relevant to point out that privacy-preserving approaches have been proposed, in which checks would be done on the user’s device, minimising (even eliminating) the transfer of personally identifiable information.
While adoption had been initially targeted for October 2025, further debate pushed back the potential adoption of an amended version of the initial legislative proposal to April 2026.
A question remains: what will the implications for data protection be after the legislative proposal is amended?
While the proposal has come to include more privacy and proportionality guarantees, its impact on data protection will need to be examined more closely as its legislative procedure advances and the key principles of the proposal become clearer.
Living with trade-offs
Every generation has to choose the online and offline environment that suits it best, and how to feel as comfortable as possible with the trade-off between what it receives and what it shares.
The coming months indeed have the potential to reshape how the European Union positions itself in the balancing act between data protection, law enforcement and innovation.
If you work on privacy, compliance, or trust by design, follow our updates on the InDiCo-Global channels.


