Data privacy laws and protections against the harvesting of user data for AI development would be rolled back if new proposals released by the EU on Wednesday become law.
A leaked document from the European Commission, Originally published by German advocacy site Netzpolitik.orgIt shows the bloc is pushing for major changes to its landmark General Data Protection Regulation (GDPR) laws, which are considered by many to be the global standard, amid broader changes.
The motivation, at least, is to cut red tape for European businesses struggling to compete on the global stage by simplifying many data protection rules. But privacy campaigners argue that profits are being prioritized over citizens’ privacy and security, while other observers believe the influence of Donald Trump’s government and US tech giants is a key factor.
What are the major changes to Europe’s GDPR legislation?
The EU’s GDPR policy changes, which came into effect in 2018, will likely be the most noticeable among the many technological changes. According to the leaked document, the definition of personal data will be limited, allowing companies to process such data to train AI models “for the purposes of legitimate interest.”
If the proposal becomes law, the now-familiar pop-ups asking users if they accept cookies would disappear, leaving more companies able to obtain user data without consent, forcing users to delete their data after the fact. Companies have complained that the application of laws around cookies has created high compliance costs, especially given that it can be enforced by both EU and national agencies.
What are the implications of personal data?
Article 9 of the law, which deals with more personal data, will also change. While individuals’ direct answers to questions on topics such as sexuality, religion or health will still be protected, the scope of what defines sensitive data will be limited.
In practice, this will mean that data obtained from non-direct queries (for example, browsing habits) will not have the same protection as before. However, the document goes on to say that: “The enhanced security of genetic data and biometric data should remain untouched due to their unique and distinctive characteristics.”
In terms of AI, the other big change is that the EU will advocate for a further one-year moratorium on the implementation of parts of its AI legislation, meaning they will now come into force in 2027 rather than 2026. It’s a delay that has been pushed by many big businesses in Germany, including Lufthansa, so they can quickly implement the changes before stricter rules come into effect. The airline announced earlier this year that they were planning to replace approximately 4,000 jobs with AI.
Why is this happening now?
The EU’s position is that red tape has become a burden for companies.
The document’s introduction reads, “The accumulation of regulations sometimes has an adverse impact on competitiveness. What is needed is faster and visible improvements for people and businesses through more cost-effective and innovation-friendly implementation of our rules – all while maintaining high standards and agreed objectives.”
However, many critics argue that these changes are also motivated by a desire to appease the US and its major tech companies. US Vice President JD Vance complained earlier this year that “onerous international regulations” threatened to hinder AI development, while companies like Meta and Apple have been fined billions of dollars in recent years for violating EU data rules.
The EU rejects the notion of US influence on the move, with chief Commission spokeswoman Paula Pinho saying it “began before the US President’s order” earlier this week.
What are the concerns?
German politician Jan Philipp Albrecht, who as a former European Parliament member was one of the chief architects of the GDPR, was one of the first to comment. “Is this the end of data protection and privacy because we have signed it into the EU Treaty and the Charter of Fundamental Rights?” he asked. “The Commission must be fully aware that it is dramatically weakening European standards.”
A group of 127 civil society organisations, including Amnesty International, also highlighted their concerns.
“What is being presented as a ‘technological streamlining’ of EU digital laws is, in fact, an attempt to covertly dismantle Europe’s strongest protections against digital threats.” for an open letter Reading.
“These are protections that keep everyone’s data safe, hold governments accountable, protect people from artificial intelligence (AI) systems that decide their life chances, and ultimately keep our society free from uncontrolled surveillance. Unless the European Commission changes course, this will be the largest rollback of digital fundamental rights in the history of the EU.”
what happens next?
Commission President Ursula von der Leyen will need the approval of both the EU Parliament and member states to bring the document into law.
This may prove difficult, as many in his coalition are reportedly doubtful about the benefits of the plan. Von der Leyen will certainly need to win over both allies and enemies to obtain the documents, but the organization says this is not an invasion of privacy.
“I can confirm 100 percent that the objective… is not to undermine our high privacy standards for our citizens,” said Thomas Regnier, EU digital affairs spokesman.
Edited by: Jess Smee