GDPR is often treated in public and policy debate as if it were synonymous with the fundamental right to data protection contained in Article 8 of the Charter of Fundamental Rights of the European Union. From this perspective, any attempt to amend or recalibrate GDPR, such as those proposed in the Digital Omnibus currently under negotiation, is readily portrayed as a threat to fundamental rights. This framing, while rhetorically effective, rests on a misunderstanding of the legal relationship between primary law and secondary legislation in the Union legal order.
Article 8 of the Charter establishes a constitutional guarantee. GDPR, by contrast, is an instrument of secondary law designed to give effect to that guarantee. In doing so, it both reflects and extends beyond the Charter. The failure to distinguish between these two levels of law has led to a tendency to equate changes to regulatory detail with an erosion of fundamental rights. A closer legal analysis shows that this equivalence cannot be sustained.
Article 8 sets out a number of essential guarantees that define the substance of the right to data protection. It recognises that individuals are entitled to have their personal data protected and requires that such data be processed fairly, for specified purposes, and on the basis of consent or another lawful ground. It also guarantees the rights of access and rectification and requires that compliance be supervised by an independent authority.
These elements form the constitutional core of data protection in Union law. They establish what must be preserved in any legislative framework and what cannot be compromised without infringing the essence of the right. The jurisprudence of the Court of Justice has consistently reinforced this point by emphasising that interferences with data protection must respect the essence of the right and comply with the principle of proportionality.
At the same time, Article 8 does not prescribe a detailed regulatory system. It does not require specific forms of documentation, particular compliance mechanisms, or any given administrative structure beyond the existence of independent supervision. It defines principles and guarantees, not the precise means by which they must be implemented.
GDPR translates the principles of Article 8 into a comprehensive regulatory framework. In doing so, it introduces a level of detail and prescriptiveness that goes well beyond the Charter itself. Obligations relating to internal accountability structures, documentation of processing activities, impact assessments, and detailed transparency requirements are not dictated by Article 8. They are the result of legislative choices about how best to operationalise data protection across a complex and evolving digital economy.
This expanded framework reflects a policy decision to pursue a high and harmonised level of protection. It embeds fundamental rights within an extensive compliance architecture that is designed to ensure effectiveness and consistency. However, it is important to recognise that not all elements of this architecture carry the same constitutional weight. Many provisions of GDPR represent what is often described as “gold plating” and go beyond what is required. They enhance the practical application of data protection, but they are not themselves required by the Charter.
This distinction is critical when assessing proposals to adjust or simplify aspects of GDPR, such as those proposed in the Digital Omnibus currently under negotiation. Changes that affect administrative obligations, procedural requirements, or the structure of compliance do not necessarily engage the essence of the fundamental right. They operate at the level of implementation rather than substance.
Once the distinction between constitutional guarantees and legislative design is properly understood, it becomes clear that reform of GDPR does not necessarily threaten fundamental rights. The European Commission retains the freedom to propose changes to those aspects of GDPR that are not mandated by Article 8, and the co legislators are entitled to recalibrate the regulatory framework accordingly.
As long as the core elements of Article 8 remain intact, lawful processing, fairness, purpose limitation, data subject rights, and independent supervision, the fundamental right to data protection continues to be protected. Adjustments to the surrounding compliance architecture do not alter these essential guarantees. Rather, they reflect a reassessment of how best to implement them in practice.
The claim that any reduction in regulatory obligations amounts to an erosion of fundamental rights therefore rests on a conflation between effectiveness and essence. While detailed rules may enhance the practical enforcement of data protection, they are not all constitutionally required. The Charter does not mandate a particular regulatory model, nor does it require that the most burdensome or expansive framework be maintained indefinitely.
In an overall sense, assertions that reforms of GDPR, such as those proposed in the Digital Omnibus currently under negotiation, undermine the fundamental right to data protection are significantly exaggerated. They overlook the distinction between what Article 8 requires and what GDPR, as a matter of legislative choice, has added on top. They also risk elevating secondary legislation to a quasi constitutional status that it does not possess.
A more accurate and legally grounded conclusion is that fundamental rights remain firmly protected so long as the essential guarantees of Article 8 are respected. GDPR plays a vital role in giving effect to those guarantees, but it is not identical to them. This leaves space for thoughtful recalibration of the regulatory framework without calling into question the integrity of the underlying right.
Understanding this distinction is essential for a mature debate about the future of European data protection law. It allows for reform that preserves the substance of fundamental rights while recognising that the mechanisms through which those rights are implemented may legitimately evolve.
Rond Point Schuman 6 | Box 5
1040 Brussels | Belgium
info@privacynext.eu
Copyrights © 2026 PrivacyNext.eu | Privacy Policy | Cookie Policy Webdesign & Development by ALYS
