ELI Webinar on a Targeted Revision of European Union Data Protection Law

05.11.2025

The ELI hosted a webinar on 5 November 2025 devoted to its Response to the European Commission’s Public Consultation on the Simplification of EU Data Protection Law.

Teresa Rodriguez de las Heras Ballell (ELI President; Director of the Chair AI: Foundations & Frontiers) opened the event, noting that this pioneering proposal offers a risk-based, three-layer approach to EU data protection designed to maintain high standards of rights protection while reducing unnecessary burdens on small and medium-sized enterprises (SMEs) as well as non-profit organisations. The ELI proposal, available here, responds to the Commission’s Simplification Strategy aligned with the Draghi Report’s call for legislation that promotes innovation, growth and competitiveness in Europe.

Christiane Wendehorst (ELI Scientific Director; Professor, University of Vienna) presented the core features of the Response. She explained that the three-layer regulatory model, inspired by the AI Act, differentiates between enhanced, regular and light regimes based on the scale, nature and purpose of data processing. Large-scale or high-risk controllers would be subject to enhanced obligations, while smaller actors whose data activities are not core to their business would face lighter requirements. This risk-based structure seeks to reduce regulatory burdens where risk is low, while strengthening safeguards where fundamental rights are most at stake.

Agata Szeliga (Attorney at law, partner at Sołtysiński Kawecki & Szlęzak) elaborated on sections concerning prohibited and exempted practices. She highlighted provisions addressing misleading data-generation methods, the use of purported consent where real consent is absent, and the disclosure of data to parties likely to misuse it. Szeliga also discussed proposed simplifications for anonymised or transitional data processing, and clarifications regarding the handling of sensitive data under Article 9 GDPR, including new legal bases linked to contractual necessity and bias detection in AI systems.

Rania Wazir (Co-Founder and CTO of leiwand.ai) examined the AI-related aspects of the Response. She underlined the importance of enabling responsible AI training by clarifying when the use of large, non-identifiable datasets is permissible. She also stressed safeguards for data subjects in AI operations, including proportionality in exercising rights and the prohibition of unauthorised ‘digital cloning’ of individuals.

Two external experts then offered critical commentary. Max Schrems (Lawyer, Founder of NOYB – European Center for Digital Rights) cautioned against overly broad reforms, arguing that the ELI Response may risk undermining the coherence of the GDPR and could be misused by large actors. Among other things, he stressed the need for evidence-based policymaking and effective enforcement mechanisms.

Isabelle Vereecken (Head of Secretariat, European Data Protection Board, EDPB) reflected on the EDPB’s perspective, noting that while simplification and practical tools for compliance are welcome, the GDPR remains a cornerstone of trust in Europe’s digital economy and should not be reopened wholesale. She presented recent EDPB initiatives, such as templates, checklists and stakeholder dialogues, aimed at improving consistency and legal certainty within the existing framework.

In closing, Wendehorst and Szeliga reiterated that the ELI Response does not seek to lower protection but to make compliance more realistic and effective across different contexts.

The event concluded with an engaging discussion with the audience.

The recording of the webinar is available below.