A member of the European Parliament (MEP) has said that the General Data Protection Regulation (GDPR) needs to be part of the European Commission's regulatory simplification plans, hammering home the overburdensome elements of the regulation and warning it could hinder the fight against fraud.
Regina Doherty, an Irish MEP, said during a hearing with the European commissioner for democracy, justice, the rule of law and consumer protection that it was time to reopen the GDPR framework and look at ways to ease some of the compliance requirements.
Although Commissioner Michael McGrath did not commit to any specific regulatory changes at this stage, he did confirm that the European Commission is currently examining the GDPR as a regulation that could be amended.
Doherty, who sits with the centre-right European People's Party (EPP), welcomed the commission's simplification goals during her interjection. "Given the global economic uncertainties that we're experiencing now because of tariffs, I think it is even more urgent."
Describing GDPR as "very important for personal data and giving Europeans protection that we've never had before, particularly in light of increased economic weaponisation of data", she cautioned on the impact that it was having on some businesses, especially small and medium-sized enterprises, as it has triggered "major bureaucracy and reporting requirements which has maybe impeded them to innovate and upscale".
She urged the commission to ensure reform "actually supports SMEs in their efforts to combat fraud" in particular.
In response, McGrath emphasised the need for balance.
"The question is, in those parameters, is there more that we can do to support companies in fulfilling the obligations they have to ensure fundamental rights are protected?"
The Irish politician confirmed to the MEP that the commission is examining what it can do and "what role it can play in making a contribution to simplification".
"At this point, we have identified the issue of recordkeeping in particular," he said, with a particular focus on SMEs.
However, he said that the final proposal remains to be developed. "The vehicle to bring it forward is also to be agreed."
He said that he is keen to engage with stakeholders in the coming months, while acknowledging that the GDPR "often gets a bad name".
"Sometimes perhaps unfairly, because even in consistent application of it, and perhaps misinterpretation of it."
Preparing for GDPR 2.0
It seems clear that GDPR reform is now officially up for discussion in Brussels, although how far the commission and its counterparts in the European Council and Parliament are willing to go remains to be seen.
It has been one of the EU's signature legal frameworks, with copycat laws having been enacted in countries such as Brazil, Japan and India.
To re-examine the framework will no doubt be controversial with civil rights groups and consumer lobbyists, and any amendments made will need to ensure that it remains able to protect consumers from data privacy risks.
However, the GDPR was not designed with fraud and financial crime in mind, and it prioritises individual privacy over risk analytics.
As a result, financial institutions and technology companies often walk a tightrope, making sure they are effectively battling crime while also not breaching data protection laws.
There are plenty of noticeable tensions between the GDPR and fraud prevention. For example, the GDPR mandates that organisations collect and process only the data necessary for a specific purpose. However, effective fraud detection often requires analysing extensive datasets, including indirect indicators such as IP logs or behavioural patterns.
Meanwhile, the GDPR also imposes strict conditions on cross-border data transfers and inter-entity data sharing.
As financial crimes like fraud often involve multiple actors across different jurisdictions, particularly those that begin on social media and messaging platforms, any delays or obstacles in the prompt sharing of data can help provide criminals with opportunities to evade detection.
Yet, AML compliance has at times taken precedence over the GDPR. For example, a customer of the neobank Bunq requested access to personal data related to a customer due diligence investigation that had led to the temporary blocking of his accounts.
Bunq withheld certain information, citing AML compliance requirements, and when it went to litigation, the District Court of The Hague ruled in favour of Bunq, emphasising that financial institutions have the right to withhold specific information if disclosing it could compromise crime prevention efforts.
