EU Considers Major Rollback of GDPR and AI Regulations Amid Competitiveness Concerns

EU's leaked GDPR, AI reforms slated by privacy activists

Lobbying efforts gain ground as proposals carve myriad holes into regulations Privacy advocates are condemning the European Commission's leaked plans to overhaul digital privacy legislation, accusing officials of bypassing proper legislative processes to favor Big Tech interests. Max Schrems, founder of privacy group Noyb, warned: "One part of the European Commission (EC) seems to try overrunning everyone else in Brussels, disregarding rules on good lawmaking, with potentially terrible results." He compared the approach to Trump administration tactics, arguing the proposals masquerade as small business relief while actually benefiting tech and advertising giants. As first reported by MLex, the EC's proposed legislative changes are manifold, and in Noyb's view these would poke so many holes in existing rules to "make [GDPR] overall unusable for most cases." The EC is planning to introduce the "Digital Omnibus" package on November 19, introducing amendments to legislation covering AI regulation, cybersecurity, data protection, and privacy. An overview of the leaked proposals [PDF], shared by Noyb, includes details on the most potentially impactful ideas to existing laws and regulations. One of the proposed changes covers an amendment to the GDPR, which the privacy group claims would introduce a loophole that affords a company freer rein to use personal data for its commercial benefit. The current GDPR stipulates that even if personal data is tied to a pseudonomized user (ie, "John Doe" is changed to "User12345"), then the data must still be treated as if it belongs to an identifiable, natural person, and data protection rules should still apply. Under the new proposals, this stipulation would no longer be enforced, potentially allowing data controllers to be more lax with protecting users' personal data. "This could apply to almost all online tracking, online advertisement, and most data brokers," Noyb said. The EC may also propose a "purposes limitation" on data access rights, hindering an individual's right to access, correct, or delete the data an organization or company has on them. Noyb's interpretation is that data controllers would have greater powers to reject data access requests. "This means that if an employee uses an access request in a labor dispute over unpaid hours - for example, to obtain a record of the hours they have worked - the employer could reject it as 'abusive.' The same would be true for journalists or researchers." The proposals weaken GDPR's Article 9 sensitive data protections - sexual orientation, health status, political views - would only apply when "directly revealed." Companies could infer this data from other sources without triggering protections. Noyb warned this could enable employers to deduce pregnancies and terminate employees before legal protections attach, or discriminate based on inferred sexual orientation. All of these measures are, in part, being framed by the EC as a means to alleviate the administrative burden placed on small businesses, but Schrems instead labeled this a "side-show to get public support." Whether these proposals do indeed attract the public support, the EC will need for them to pass could have consequences for policymaking beyond Europe. The current US administration has taken a more pro-innovation approach to regulating technology, such as AI, but it is not inconceivable that the way in which the EC's proposals are received later this month could later inform similar policy decisions - at least at state level - as they have done previously. For example, the GDPR, introduced in 2018, inspired the landmark California Consumer Privacy Act (CCPA), which passed in the same year and became enforceable in 2020. AI reforms Big Tech and other EU companies have lobbied the EU to weaken the AI Act since it passed and partially came into force last year. Core to their arguments is that the regulations are too restrictive on innovation, and the reforms may give AI systems a special exemption, allowing them to process data that would otherwise require a legitimate legal basis. According to Noyb's interpretation, "this would lead to a grotesque situation: If personal data is processed via a traditional database, Excel sheet or software, a company has to find a legal basis under Article 6(1) GDPR. However, if the same processing is done via an AI system, it can qualify as a 'legitimate interest' under Article 6(1)(f) GDPR." The org adds: "This would privilege one (risky) technology over all other forms of data processing and be contrary to the 'tech neutral' approach of the GDPR." The proposals additionally aim to introduce amendments that make it easier for data controllers to comply with data protection laws, while being allowed to use people's data to train their models. Various protections are outlined in the leaked draft, such as the requirement for data minimization and safeguards to be implemented, although the document does not specify what safeguards mean in this context. Noyb also said certain interpretations of the proposals could allow companies to gather more data from users' personal devices that could then be used to train Big Tech's AI models. Such data is currently protected by Article 5(3) of the GDPR, which is underpinned by Article 7 of the Charter of Fundamental Rights of the European Union - respect for private and family life, home, and communications. A legitimate interest protection for gathering data related to "security purposes" and "aggregated information" could be interpreted broadly by AI companies if the EC does not apply strict definitions, potentially leading to excessive searches of data subjects' devices, the privacy campaigners argued. ®

Critics call proposed changes to landmark EU privacy law 'death by a thousand cuts'

BRUSSELS, Nov 10 (Reuters) - Privacy activists say proposed changes to Europe's landmark privacy law, including making it easier for Big Tech to harvest Europeans' personal data for AI training, would flout EU case law and gut the legislation. The changes proposed by the European Commission are part of a drive to simplify a slew of laws adopted in recent years on technology, environmental and financial issues which have in turn faced pushback from companies and the U.S. government. EU antitrust chief Henna Virkkunen will present the Digital Omnibus, in effect proposals to cut red tape and overlapping legislation such as the General Data Protection Regulation, the Artificial Intelligence Act, the e-Privacy Directive and the Data Act, on November 19. According to the plans, Google (GOOGL.O), opens new tab, Meta Platforms (META.O), opens new tab, OpenAI and other tech companies may be allowed to use Europeans' personal data to train their AI models based on legitimate interest. In addition, companies may be exempted from the ban on processing special categories of personal data "in order not to disproportionately hinder the development and operation of AI and taking into account the capabilities of the controller to identify and remove special categories of personal data". "The draft Digital Omnibus proposes countless changes to many different articles of the GDPR. In combination this amounts to a death by a thousand cuts," Austrian privacy group noyb said in a statement. Noyb is known for filing complaints against American companies such as Apple (AAPL.O), opens new tab, Alphabet and Meta that have triggered several investigations and resulted in billions of dollars in fines. "This would be a massive downgrading of Europeans' privacy 10 years after the GDPR was adopted," noyb's Max Schrems said. European Digital Rights, an association of civil and human rights organisations across Europe, slammed a proposal to merge the ePrivacy Directive, known as the cookie law that resulted in the proliferation of cookie consent pop-ups, into the GDPR. "These proposals would change how the EU protects what happens inside your phone, computer and connected devices," EDRi policy advisor Itxaso Dominguez de Olazabal wrote in a LinkedIn post. "That means access to your device could rely on legitimate interest or broad exemptions like security, fraud detection or audience measurement," she said. The proposals would need to be thrashed out with EU countries and European Parliament in the coming months before they can be implemented. Reporting by Foo Yun Chee Editing by Alexandra Hudson Our Standards: The Thomson Reuters Trust Principles., opens new tab * Suggested Topics: * Boards, Policy & Regulation * Human Rights Foo Yun Chee Thomson Reuters An agenda-setting and market-moving journalist, Foo Yun Chee is a 21-year veteran at Reuters. Her stories on high profile mergers have pushed up the European telecoms index, lifted companies' shares and helped investors decide on their next move. Her knowledge and experience of European antitrust laws and developments helped her break stories on Microsoft, Google, Amazon, Meta and Apple, numerous market-moving mergers and antitrust investigations. She has previously reported on Greek politics and companies, when Greece's entry into the eurozone meant it punched above its weight on the international stage, as well as on Dutch corporate giants and the quirks of Dutch society and culture that never fail to charm readers.

Europe Begins Rethinking Its Crackdown on Big Tech

Adam Satariano reported from London and Jeanna Smialek from Brussels. After more than a decade of aggressively regulating the technology industry, the European Union is having second thoughts. In a significant shift, policymakers in Brussels are moving to scale back and simplify landmark rules for artificial intelligence and data privacy. Driven by growing concern that overregulation is stifling economic growth, officials and business leaders across the 27-nation bloc are questioning whether Europe's digital rulebook has gone too far and left companies lagging the United States and China. The Trump administration has also criticized Europe's regulations. The rethinking is set to be laid out in a "digital package of simplification" that the European Commission, which manages much of the bloc's day-to-day work, plans to unveil on Wednesday. According to drafts circulated in recent weeks, which were reviewed by The New York Times, key aspects of the General Data Protection Regulation, or G.D.P.R., a data privacy law, would be rewritten. Parts of a law restricting certain uses of A.I. would also be delayed. Europe has long been seen as Big Tech's most formidable global watchdog. Authorities in Brussels have levied billions of dollars in fines and forced business changes at Amazon, Apple, Google and Meta for antitrust breaches, data abuses and the unchecked spread of illicit content. Policymakers passed laws to keep the biggest tech companies from boxing out smaller rivals and to force social media platforms to combat disinformation and harmful material. Those actions contrasted with the more hands-off approach of the United States, while offering a template for governments from Latin America to Asia to regulate the tech sector. Any retreat by Europe could ease pressure on the largest tech companies and signal the start of a more restrained era of oversight for the digital economy. "Regulation cannot be the best export product of the E.U.," said Aura Salla, a member of the European Parliament from Finland. Ms. Salla, who once worked as a lobbyist for Meta, said companies faced a "jungle" of overlapping and sometimes contradictory rules that slowed product development and pushed businesses to move elsewhere. The digital simplification package is part of broader deregulatory push this year by Ursula von der Leyen, the European Commission president. It follows the departure of officials like her former vice president, Margrethe Vestager, who spearheaded much of the tech clampdown over the past 10 years. How far Europe's policy shift might go remains to be seen. The proposals, already the target of heavy lobbying from Silicon Valley and other interest groups, are relatively narrow. But they reflect a growing belief in Brussels that changes are needed to revive Europe's competitiveness. Criticism from the Trump administration that the bloc's rules unfairly target American firms has added to the urgency. The changes may not happen for months, as they require approval from the European Parliament and a substantial majority of countries in the European Union. Many of the proposed changes aim to encourage A.I. development in Europe. The potential changes to the G.D.P.R. would make it easier for companies to use data -- including sensitive personal information -- to build A.I. systems. Officials also want to delay, until at least 2027, key pieces of the A.I. Act, the world's most comprehensive law for the use of artificial intelligence. That could postpone enforcement of measures related to "high-risk" uses of A.I. in areas such as hiring and education. Regulators have faced pressure from U.S. tech firms, as well as European businesses like Airbus, ASML and Mercedes-Benz, to slow the rollout of the law. Another major change would redefine the European Union's concept of "personal data," relaxing a key privacy protection to make it easier for companies to sell information collected about users. "This is really a mind-shift," said Patrick Van Eecke, head of European cyber, data and privacy at the law firm Cooley, which represents many tech companies. Some of the moves may be welcomed by consumers. One would scale back the widespread use of the pop-up boxes on websites that ask users to allow data tracking. People would be allowed to set their privacy preferences once in a browser, rather than being bombarded with requests at each website. European officials have said the proposals do not represent a major deregulatory pivot and are aimed at simplifying rules to help businesses and consumers. But proponents of regulation fear the changes would weaken one of the few bulwarks against the tech industry. "It's really clear that the winds have been changing," said Mathias Vermeulen, a co-founder of the digital policy consultancy AWO in Brussels. "A continent that has prided itself for at least a decade on its tech-focused regulation is now almost doing this complete U-turn and rethinking its approach." Mr. Vermeulen said tech regulation had become an easy scapegoat for Europe's economic malaise. Scaling back oversight could benefit American and Chinese companies most of all, he said. "Tweaks to the G.D.P.R. aren't magically going to solve Europe's competitiveness problem," he said. Many in Brussels are preparing to protect the tech regulations. Brando Benifei, a member of the European Parliament from Italy who helped draft the A.I. Act, warned of a "race-to-the-bottom deregulatory agenda." "The claim that Europe must choose between innovation and regulation is a false dichotomy," he said. "Weakening accountability would be shortsighted from an economic point of view and democratically irresponsible." The European Union is not abandoning its oversight. Regulators are pressing ahead with major cases against tech companies. In April, Apple was fined 500 million euros, or about $580 million, for anticompetitive business practices. Elon Musk's X is under investigation for its freewheeling approach to policing user content. Last week, the commission began investigating Google's search-ranking policies. The commission has not proposed amending two regulations that U.S. tech companies complain the most about. One, the Digital Markets Act, is meant to encourage digital competitiveness. The other, the Digital Services Act, requires platforms to monitor harmful content on their websites. Yet the changes to be released on Wednesday are a notable evolution. The shift in tone could have global repercussions, if countries elsewhere follow suit. "The E.U. is the most established, credible, legitimate model regulator," said Anu Bradford, a Columbia Law School professor who coined the term "Brussels effect" to describe the European Union's outsize influence on global oversight. If Europe pulls back, she said, other nations might think that "maybe we should be having second thoughts as well." Policymakers are trying to boost Europe's position in the digital economy. The region trails in start-up investment and is home to only a few major tech companies, like the music service Spotify, business software firm SAP and semiconductor equipment maker ASML. The highest-profile A.I. companies, such as OpenAI, are in the United States or China. The European Union faces an "existential" threat to its prosperity without sweeping economic changes, Mario Draghi, a former president of the European Central Bank, warned in an influential report last year. Michael McGrath, the European Union commissioner overseeing justice and consumer protection issues, said last week that the point of the digital tech package was "reducing administrative burden" for companies, calling it a "sensible initiative" that would iron out duplication through targeted tweaks.

Major privacy laws - including GDPR - could be downgraded to try and boost AI growth and cut red tape

Anonymized data may no longer always be protected by such laws New documents seen by Politico suggest some European privacy laws, like GDPR, could soon be eased to boost European competitiveness and support AI innovation. A proposal, expected on November 19, 2025, could see a new 'digital omnibus' package revealed to simplify tech laws. Such a change could allow AI developers to process some categories of data, like political views, religion and health, for training purposes. Politico suggests pseudonymized data - anonymized by removing personally identifiable information - could no longer always be protected by laws like GDPR, which means it could go on to be used in AI training. Furthermore, websites and apps may gain broader legal grounds for tracking users beyond consent. However, these changes could be "targeted" and technical, which means that the core GDPR principles would not be altered. That said, the potential changes have already garnered scrutiny - changing GDPR, which is still a relatively new law and one that's been welcomed by those with an eye on privacy - would risk political scrutiny. GDPR architect Jan Philipp Albrecht warns a change could "[undermine] European standards dramatically." "Is this the end of data protection and privacy as we have signed it into the EU treaty and fundamental rights charter," Albrecht wrote. The Czech Republic, Estonia, France, Austria and Slovenia have already opposed to a GDPR rewrite. Germany appears to be in support of such a change, while Finland seems to welcome changes that benefit European AI competitiveness. On a global scale, these protective measures have been slated for holding Europe back amid growth by the US and China in terms of AI development. EU privacy regulators have already delayed or blocked a number of AI rollouts by Meta, Google, OpenAI and others. The European Commission has not yet publicly declared changes to GDPR and/or other privacy rules, but expectations that this could happen in the coming days have started discussions on both sides of the coin.

EU bows to pressure on loosening AI, privacy rules

The European Union is set next week to kickstart a rollback of landmark rules on artificial intelligence and data protection that face powerful pushback on both sides of the Atlantic. Part of a bid to slash red tape for European businesses struggling against US and Chinese rivals, the move is drawing accusations that Brussels is putting competitiveness ahead of citizens' privacy and protection. Brussels denies that pressure from the US administration influenced its push to "simplify" the bloc's digital rules, which have drawn the wrath of President Donald Trump and American tech giants. But the European Commission says it has heard the concerns of EU firms and wants to make it easier for them to access users' data for AI development -- a move critics attack as a threat to privacy. One planned change could unite many Europeans in relief however: the EU wants to get rid of those pesky cookie banners seeking users' consent for tracking on websites. According to EU officials and draft documents seen by AFP, which could change before the November 19 announcement, the European Commission will propose: -- a one-year pause in the implementation of parts of its AI law -- overhauling its flagship data protection rules, which privacy defenders say will make it easier for US Big Tech to "suck up Europeans' personal data." The bloc's cornerstone General Data Protection Regulation (GDPR) enshrined users' privacy from 2018 and influenced standards around the world. The EU says it is only proposing technical changes to streamline the rules, but rights activists and EU lawmakers paint a different picture. 'Biggest rollback' The EU executive proposes to narrow the definition of personal data, and allow companies to process such data to train AI models "for purposes of a legitimate interest," a draft document shows. Reaction to the leaks has been swift -- and strong. "Unless the European Commission changes course, this would be the biggest rollback of digital fundamental rights in EU history," 127 groups, including civil society organizations and trade unions, wrote in a letter on Thursday. Online privacy activist Max Schrems warned the proposals "would be a massive downgrading of Europeans' privacy" if they stay the same. An EU official told AFP that Brussels is also expected to propose a one-year delay on implementing many provisions on high-risk AI, for example, models that can pose dangers to safety, health or citizens' fundamental rights. Instead of taking effect next year, they would apply from 2027. This move comes after heavy pressure from European businesses and US Big Tech. Dozens of Europe's biggest companies, including France's Airbus and Germany's Lufthansa and Mercedes-Benz, called for a pause in July on the AI law which they warn risks stifling innovation. More battles ahead Commission president Ursula von der Leyen faces a battle ahead as the changes will need the approval of both the EU parliament and member states. Her conservative camp's main coalition allies have raised the alarm, with the socialists saying they oppose any delay to the AI law, and the centrists warning they would stand firm against any changes that undermine privacy. Noyb, a campaign group founded by Schrems, published a scathing takedown of the EU's plans for the GDPR and what they entail. The EU has pushed back against claims that Brussels will reduce privacy. "I can confirm 100% that the objective... is not to lower the high privacy standards we have for our citizens," EU spokesman for digital affairs, Thomas Regnier, said. But there are fears that more changes to digital rules are on the way. Simplification, not deregulation The proposals are part of the EU executive's so-called simplification packages to remove what they describe as administrative burdens. Brussels rejects any influence from Trump -- despite sustained pressure since the first weeks of the new US administration, when Vice President JD Vance railed against the "excessive regulation" of AI. This "started before the mandate of the president of the US," chief commission spokeswoman Paula Pinho said this week. Calls for changes to AI and data rules have been growing louder in Europe. A major report last year by Italian ex-premier Mario Draghi also warned that data rules could hamper European businesses' AI innovation.

EU bows to pressure on loosening AI, privacy rules

Brussels (Belgium) (AFP) - The European Union is set next week to kickstart a rollback of landmark rules on artificial intelligence and data protection that face powerful pushback on both sides of the Atlantic. Part of a bid to slash red tape for European businesses struggling against US and Chinese rivals, the move is drawing accusations that Brussels is putting competitiveness ahead of citizens' privacy and protection. Brussels denies that pressure from the US administration influenced its push to "simplify" the bloc's digital rules, which have drawn the wrath of President Donald Trump and American tech giants. But the European Commission says it has heard the concerns of EU firms and wants to make it easier for them to access users' data for AI development -- a move critics attack as a threat to privacy. One planned change could unite many Europeans in relief however: the EU wants to get rid of those pesky cookie banners seeking users' consent for tracking on websites. According to EU officials and draft documents seen by AFP, which could change before the November 19 announcement, the European Commission will propose: -- a one-year pause in the implementation of parts of its AI law -- overhauling its flagship data protection rules, which privacy defenders say will make it easier for US Big Tech to "suck up Europeans' personal data". The bloc's cornerstone General Data Protection Regulation (GDPR) enshrined users' privacy from 2018 and influenced standards around the world. The EU says it is only proposing technical changes to streamline the rules, but rights activists and EU lawmakers paint a different picture. 'Biggest rollback' The EU executive proposes to narrow the definition of personal data, and allow companies to process such data to train AI models "for purposes of a legitimate interest", a draft document shows. Reaction to the leaks has been swift -- and strong. "Unless the European Commission changes course, this would be the biggest rollback of digital fundamental rights in EU history," 127 groups, including civil society organisations and trade unions, wrote in a letter on Thursday. Online privacy activist Max Schrems warned the proposals "would be a massive downgrading of Europeans' privacy" if they stay the same. An EU official told AFP that Brussels is also expected to propose a one-year delay on implementing many provisions on high-risk AI, for example, models that can pose dangers to safety, health or citizens' fundamental rights. Instead of taking effect next year, they would apply from 2027. This move comes after heavy pressure from European businesses and US Big Tech. Dozens of Europe's biggest companies, including France's Airbus and Germany's Lufthansa and Mercedes-Benz, called for a pause in July on the AI law which they warn risks stifling innovation. More battles ahead Commission president Ursula von der Leyen faces a battle ahead as the changes will need the approval of both the EU parliament and member states. Her conservative camp's main coalition allies have raised the alarm, with the socialists saying they oppose any delay to the AI law, and the centrists warning they would stand firm against any changes that undermine privacy. Noyb, a campaign group founded by Schrems, published a scathing takedown of the EU's plans for the GDPR and what they entail. The EU has pushed back against claims that Brussels will reduce privacy. "I can confirm 100 percent that the objective... is not to lower the high privacy standards we have for our citizens," EU spokesman for digital affairs, Thomas Regnier, said. But there are fears that more changes to digital rules are on the way. Simplification, not deregulation The proposals are part of the EU executive's so-called simplification packages to remove what they describe as administrative burdens. Brussels rejects any influence from Trump -- despite sustained pressure since the first weeks of the new US administration, when Vice President JD Vance railed against the "excessive regulation" of AI. This "started before the mandate of the president of the US", chief commission spokeswoman Paula Pinho said this week. Calls for changes to AI and data rules have been growing louder in Europe. A major report last year by Italian ex-premier Mario Draghi also warned that data rules could hamper European businesses' AI innovation.

EU set to relax data protection rules to boost AI growth - SiliconANGLE

The European Union is looking at loosening the shackles of its strict regulations around privacy to boost the development of artificial intelligence, according to documents obtained by Politico. The bloc's General Data Protection Regulation, or GDPR, touted as a global benchmark for data privacy, was created to protect citizens from tech industries that may exploit their data. The regulations have drawn sharp criticism from U.S. tech giants and investors, who argue that the rules risk undermining Europe's competitiveness in the global race to develop artificial intelligence. In response, the EU is preparing a series of revisions, collectively known as the "Digital Omnibus", aimed at easing some of these concerns and adapting the framework to a rapidly evolving industry. Proposed amendments would introduce new exemptions allowing AI developers to lawfully process sensitive categories of data, such as information on a person's political or religious beliefs, ethnicity, or health, for the purposes of training and operating their systems. The European Commission also intends to revise the definition of these protected data categories, which currently enjoy enhanced safeguards under EU privacy law. In addition, officials plan to redefine what qualifies as personal data, suggesting that pseudonymized information - where identifiers have been obscured so individuals cannot easily be traced - may not always fall under the GDPR's protections, reflecting a recent judgment by the EU's highest court. Lastly, the Commission aims to overhaul Europe's cumbersome cookie consent framework by adding a new clause to the GDPR that would grant websites and apps broader legal grounds to track users, beyond the need for explicit consent. The plan is set to be unveiled on Nov. 19, and is expected to ignite a storm of disagreement within the bloc. According to the Financial Times, the Trump administration has been putting a heavy hand on European officials to simplify digital rules so that the bloc stays competitive with China. This will mean changes to the AI Act, which was introduced last year in an effort to combat the dangers of high-risk AI systems. Companies such as Apple Inc., Meta Platforms Inc., and Google LLC warned that the rules could stifle innovation, echoed by U.S. Vice President J.D. Vance earlier this year, who said "excessive regulation" could cripple Europe's emerging AI industry. European Commission President Ursula von der Leyen emphasized that "AI needs the confidence of the people and has to be safe," while also recognizing worries about excessive regulation. "At the same time, I know that we have to make it easier and we have to cut red tape, and we will," she added.

EU bows to pressure on loosening AI, privacy rules

The EU plans to ease parts of its AI and data protection rules to help European businesses compete with US and Chinese rivals. Critics argue the changes weaken privacy by narrowing the definition of personal data and delaying key AI safeguards. Brussels denies lowering standards, but opposition from rights groups and lawmakers is growing. The European Union is set next week to kickstart a rollback of landmark rules on artificial intelligence and data protection that face powerful pushback on both sides of the Atlantic. Part of a bid to slash red tape for European businesses struggling against US and Chinese rivals, the move is drawing accusations that Brussels is putting competitiveness ahead of citizens' privacy and protection. Brussels denies that pressure from the US administration influenced its push to "simplify" the bloc's digital rules, which have drawn the wrath of President Donald Trump and American tech giants. But the European Commission says it has heard the concerns of EU firms and wants to make it easier for them to access users' data for AI development -- a move critics attack as a threat to privacy. One planned change could unite many Europeans in relief however: the EU wants to get rid of those pesky cookie banners seeking users' consent for tracking on websites. According to EU officials and draft documents seen by AFP, which could change before the November 19 announcement, the European Commission will propose: * a one-year pause in the implementation of parts of its AI law. * overhauling its flagship data protection rules, which privacy defenders say will make it easier for US Big Tech to "suck up Europeans' personal data". The bloc's cornerstone General Data Protection Regulation (GDPR) enshrined users' privacy from 2018 and influenced standards around the world. The EU says it is only proposing technical changes to streamline the rules, but rights activists and EU lawmakers paint a different picture. 'Biggest rollback' The EU executive proposes to narrow the definition of personal data, and allow companies to process such data to train AI models "for purposes of a legitimate interest", a draft document shows. Reaction to the leaks has been swift -- and strong. "Unless the European Commission changes course, this would be the biggest rollback of digital fundamental rights in EU history," 127 groups, including civil society organisations and trade unions, wrote in a letter on Thursday. Online privacy activist Max Schrems warned the proposals "would be a massive downgrading of Europeans' privacy" if they stay the same. An EU official told AFP that Brussels is also expected to propose a one-year delay on implementing many provisions on high-risk AI, for example, models that can pose dangers to safety, health or citizens' fundamental rights. Instead of taking effect next year, they would apply from 2027. This move comes after heavy pressure from European businesses and US Big Tech. Dozens of Europe's biggest companies, including France's Airbus and Germany's Lufthansa and Mercedes-Benz, called for a pause in July on the AI law which they warn risks stifling innovation. More battles ahead Commission president Ursula von der Leyen faces a battle ahead as the changes will need the approval of both the EU parliament and member states. Her conservative camp's main coalition allies have raised the alarm, with the socialists saying they oppose any delay to the AI law, and the centrists warning they would stand firm against any changes that undermine privacy. Noyb, a campaign group founded by Schrems, published a scathing takedown of the EU's plans for the GDPR and what they entail. The EU has pushed back against claims that Brussels will reduce privacy. "I can confirm 100 percent that the objective... is not to lower the high privacy standards we have for our citizens," EU spokesman for digital affairs, Thomas Regnier, said. But there are fears that more changes to digital rules are on the way. Simplification, not deregulation The proposals are part of the EU executive's so-called simplification packages to remove what they describe as administrative burdens. Brussels rejects any influence from Trump -- despite sustained pressure since the first weeks of the new US administration, when Vice President JD Vance railed against the "excessive regulation" of AI. This "started before the mandate of the president of the US", chief commission spokeswoman Paula Pinho said this week. Calls for changes to AI and data rules have been growing louder in Europe. A major report last year by Italian ex-premier Mario Draghi also warned that data rules could hamper European businesses' AI innovation.

Critics call proposed changes to landmark EU privacy law 'death by a thousand cuts'

The changes proposed by the European Commission are part of a drive to simplify a slew of laws adopted in recent years on technology, environmental and financial issues which have in turn faced pushback from companies and the US government. Privacy activists say proposed changes to Europe's landmark privacy law, including making it easier for Big Tech to harvest Europeans' personal data for AI training, would flout EU case law and gut the legislation. The changes proposed by the European Commission are part of a drive to simplify a slew of laws adopted in recent years on technology, environmental and financial issues which have in turn faced pushback from companies and the US government. EU antitrust chief Henna Virkkunen will present the Digital Omnibus, in effect proposals to cut red tape and overlapping legislation such as the General Data Protection Regulation, the Artificial Intelligence Act, the e-Privacy Directive and the Data Act, on November 19. According to the plans, Google, Meta Platforms, OpenAI and other tech companies may be allowed to use Europeans' personal data to train their AI models based on legitimate interest. In addition, companies may be exempted from the ban on processing special categories of personal data "in order not to disproportionately hinder the development and operation of AI and taking into account the capabilities of the controller to identify and remove special categories of personal data". "The draft Digital Omnibus proposes countless changes to many different articles of the GDPR. In combination this amounts to a death by a thousand cuts," Austrian privacy group noyb said in a statement. Noyb is known for filing complaints against American companies such as Apple, Alphabet and Meta that have triggered several investigations and resulted in billions of dollars in fines. "This would be a massive downgrading of Europeans' privacy 10 years after the GDPR was adopted," noyb's Max Schrems said. European Digital Rights, an association of civil and human rights organisations across Europe, slammed a proposal to merge the ePrivacy Directive, known as the cookie law that resulted in the proliferation of cookie consent pop-ups, into the GDPR. "These proposals would change how the EU protects what happens inside your phone, computer and connected devices," EDRi policy advisor Itxaso Dominguez de Olazabal wrote in a LinkedIn post. "That means access to your device could rely on legitimate interest or broad exemptions like security, fraud detection or audience measurement," she said. The proposals would need to be thrashed out with EU countries and European Parliament in the coming months before they can be implemented.

EU Weighs Scaling Back GDPR, AI and Privacy Rules

The European Union (EU) is preparing to roll back parts of its landmark rules on artificial intelligence (AI) and data privacy, according to a FirstPost report. For context, the European Commission is expected to introduce the Digital Omnibus package of reforms on November 19, which can reshape the bloc's General Data Protection Regulation (GDPR), AI Act, and ePrivacy rules. This latest move follows a report released by former Italian Prime Minister Mario Draghi a year ago, which warned that Europe's laws are muzzling innovation and holding the region back in global competition with the United States and China. However, the rollback has drawn criticism, with Brussels reportedly placing competitiveness ahead of citizens' privacy and data protection rights. The EU, for its part, has positioned the rollback as a way to simplify compliance and reduce red tape for small and medium-sized companies. "We need to make doing business in Europe easier without compromising our high standards of online fairness and safety," Henna Virkkunen - the Commission's Executive Vice-President for Tech Sovereignty, Security and Democracy - has previously remarked. "We aim for less paperwork, fewer overlaps and less complex rules for companies doing business in the EU," she added. According to analysis by Austrian non-governmental organisation (NGO) noyb, the leaked Omnibus draft narrows the definition of personal data, meaning that information which cannot directly identify an individual might no longer count as personal. The draft also restricts when people can exercise their rights to access, correct, or delete data, limiting these rights to "data protection purposes." In effect, this could prevent journalists or consumers from using data requests in investigations or disputes. Data of an inherently sensitive nature, such as health status, political views, or sexual orientation, would only receive protection if explicitly disclosed. This would mark a watershed moment, as existing European court rulings currently safeguard people from profiling based on inferences and deductions. Furthermore, the draft introduces a legitimate interest exception that allows tech companies to collect personal data, including some sensitive information, for AI training as long as unspecified safeguards are in place. Noyb warns that this could give US and global tech companies greater freedom to use European data for AI training or analytics. EU users would rarely know if companies are accessing their data, and objections would be nearly impossible to enforce. Under the draft proposal, companies deploying high-risk AI systems could receive a one-year grace period before fines and other obligations take effect. Draft documents also suggest that the EU might postpone penalties for transparency violations, such as failure to clearly label AI-generated content, until August 2027. Civil society groups have raised concerns that tech companies may unilaterally classify high-risk AI systems as low-risk, thereby bypassing safeguards without notifying anyone. Europe's ePrivacy Regulation governs how companies access data on EU users' phones, computers, and other devices. The Omnibus reforms could merge this regulation into the GDPR framework. Currently, websites must seek explicit consent before storing or accessing most cookies. However, under the proposed changes, companies could collect some data without asking first, either for a limited set of "low-risk" purposes or under their "legitimate interest." This would shift Europe from an opt-in system to something closer to an opt-out regime, where users must actively refuse tracking to avoid being monitored online. The European Commission is still discussing the reforms package, which could change before November 19. Crucially, Commission President Ursula von der Leyen will need approval from both the EU Parliament and EU member states. A geopolitical angle is also at play. Virkkunen met top US tech executives in May this year to pitch the idea of a more business-friendly Europe and highlight plans to simplify digital rules. Furthermore, this push for "simplification" comes months after Apple urged the EU in September 2025 to rethink the Digital Markets Act (DMA), arguing that the legislation worsens the user experience for Europeans. Therefore, the critical questions for the EU now are: