GDPR Reforms: Is Legislation Easing to Favor AI Advancements?

Early drafts of the Digital Omnibus document, a legislative text the European Commission is considering presenting this month, have been reviewed by various media outlets including Politico and Netzpolitik.de. This document proposes adjustments to the GDPR, Europe’s personal data legislation, and the AI Act. Here’s an overview!

GDPR Relaxation: Plans by the EU

The Digital Omnibus officially aims to reduce legal complexity and compliance costs for businesses and public entities. It outlines several measures to relax the GDPR:

• Cookie Consent: The European Commission intends to incorporate the rules of the ePrivacy directive directly into the GDPR to simplify and unify the management of consent. Websites could set certain cookies without explicit agreement, provided their use is considered low risk or based on legitimate interest.
• Automated Consent Management: Continuing with this simplification, browsers and operating systems would automatically transmit users’ consent preferences. This automation would render most cookie banners unnecessary. However, media outlets would still be allowed to require explicit consent to protect their advertising revenues.
• Processing Personal Data: The draft would allow companies to use personal data to train, test, or validate artificial intelligence models based on “legitimate interest,” significantly reducing the reliance on individual consent.
• Reclassification of Sensitive Data: The Commission plans to limit enhanced protection to only data directly revealing racial origin, religion, health, or sexual orientation, excluding data that might infer these characteristics.
• Pseudonymized Data: The proposed text would exclude pseudonymized data from the full scope of the GDPR, considering them to pose a lower privacy risk.

Data Protection Advocates Express Concerns

Unsurprisingly, these targeted modifications to the GDPR have not been well received by online privacy advocacy groups. noyb, actively engaged in this field, has released a statement voicing its concerns about the “potential threat that the internal draft of the Digital Omnibus poses to the fundamental rights of Europeans.”

The Commission is particularly proposing to alter key elements such as the definition of “personal data” and all rights of the data subjects under the GDPR. The disclosed draft also suggests giving AI companies (like Google, Meta, or OpenAI) a carte blanche to harvest Europeans’ personal data, writes the noyb association.

The association, founded by Max Schrems in 2017, is also worried about the weakened protection of data related to health, political opinions, or sexual orientation.

Possible Easing of the AI Act

The AI Act, which came into effect in August 2024, is the first major legislation aimed at regulating AI in Europe. However, several of its provisions could be “simplified,” as the report discreetly indicates.

The enforcement of certain regulations, such as those concerning “high-risk” AI systems (biometric recognition, automated recruitment, police surveillance), could be delayed by a year. Moreover, penalties and transparency requirements would not be fully applicable until 2027.

The Commission also plans to bolster the role of the new “AI Office,” responsible for coordinating supervision of the legislation across member states. This central body would ensure a uniform application of the rules and prevent national discrepancies.

The official unveiling of the Digital Omnibus package is scheduled for November 19, 2025, but its provisions will still need to be discussed by the European Parliament and member states before potential adoption. This process could extend over several months.