European Union officials are preparing sweeping changes to the bloc’s landmark privacy legislation in a bid to accelerate artificial intelligence (AI) development.
The European Commission will unveil a digital omnibus package later this month that includes far-reaching amendments to the General Data Protection Regulation (GDPR), the flagship privacy law long considered untouchable in EU tech policy, according to draft documents obtained by POLITICO.
While officials have publicly characterized the changes as “targeted” adjustments, the draft proposals reveal a significant overhaul intended to benefit AI companies.
The move marks a dramatic shift in Brussels’ approach to data protection as Europe struggles to maintain economic competitiveness in the global AI race. Former Italian Prime Minister Mario Draghi specifically cited the GDPR as an impediment to European AI innovation in his landmark competitiveness report last year.
“Is this the end of data protection and privacy as we have signed it into the EU treaty and fundamental rights charter?” Jan Philipp Albrecht, a German politician and former European Parliament member who helped architect the original GDPR, asked POLITICO. “The Commission should be fully aware that this is undermining European standards dramatically.”
Conversely, Eduardo Ustaran, a privacy and cybersecurity lawyer at law firm Hogan Lovells, said “relaxation in the timing of the regulatory scrutiny should not be confused with a weakening of the law.”
“Despite external pressures, the EU will always stay loyal to the aims behind the AI Act, in particular the protection of individuals’ fundamental rights,” Ustaran said in an email. “The development and use of AI in a human-centric way is core to the EU’s vision for the future, which means that the AI Act is here to stay.”
The EU’s proposed changes would create new exceptions allowing AI companies to legally process sensitive personal data that include religious beliefs, political views, ethnicity, and health information for training and operating their systems. Officials also plan to redefine what constitutes personal data and special category data, which currently receive enhanced protection.
Additionally, the Commission wants to reform cookie consent requirements by providing website and app owners with additional legal grounds for tracking users beyond obtaining explicit consent.
The European Union draft proposal could change before its official unveiling on Nov. 19, followed by negotiations with EU countries and Parliament.
Privacy advocates have condemned both the substance and process of the proposed changes.
It took four years to negotiate the GDPR, yet public consultation on the digital omnibus ended just last month. The Commission has not prepared impact assessments for the proposals, arguing the changes are merely technical.
The initiative has exposed sharp divisions among EU member states and lawmakers. Estonia, France, Austria, and Slovenia oppose rewriting the GDPR, while traditionally privacy-minded Germany is pushing for substantial changes to support AI development.
In the European Parliament, Czech Green lawmaker Markéta Gregorová expressed concern that fundamental rights “must carry more weight than financial interests.”
European privacy regulators have already delayed AI rollouts by Meta Platforms Inc., X, LinkedIn, and Google in recent years, while their U.S. counterparts have faced no equivalent blanket privacy restrictions. In fact, spending on AI infrastructure projects in the U.S. are hurtling at a dizzying pace with no national legislation anywhere in sight. Google, Meta, OpenAI, Amazon.com Inc., Microsoft Corp., NVIDIA Corp., and others are throwing hundreds of billions of dollars into the construction of data centers while also investing in European facilities.
The EU has launched an ambitious multi-pronged strategy to position itself as a global AI leader, anchoring its efforts around the AI Continent Action Plan in April. The plan was complemented by the Apply AI initiative, which focuses on increasing AI adoption across key industrial and public sectors, especially among small and medium-sized enterprises.
The InvestAI Initiative, announced in February, aims to mobilize $231 billion for AI investment, including a $23.1 billion fund specifically for AI gigafactories. The bloc is establishing 13 AI factories across 17 member states backed by $2.3 billion in investment, with all facilities expected to be fully operational by the end of 2025. These gigafactories will be equipped with around 100,000 latest generation AI chips, providing companies of all sizes access to large-scale computing power.
Tech analyst Jack Gold says there is an argument to be made for loosening some restrictions, particularly as European R&D and investment trails much of the rest of the world, in many cases because of strict regulations.
“Honestly, this is about balance. For example, I’m all for keeping my personal health information private. But what about an anonymized version of thousands of health records used for discovery and research?” Gold said in an email. “If GDPR maintains an absolute restriction, aren’t we diminishing what might be available to lead to improved outcomes? And yes, it’s a fine balance. But it’s also a challenge as Europe may restrict info, but other places won’t, putting European centric data well behind other data types.”
The EU’s consideration of rolling back parts of its landmark data laws should not be read as a sign to companies to similarly give up on privacy and data/AI governance, says Josh Mason, chief technology officer at RecordPoint.
“There’s a difference between compliance and risk; the risk hasn’t gone away just because a given legal provision has. Companies that invest in privacy and data/AI governance benefit in many ways outside of compliance,” Mason said in an email. “They gain an improved cybersecurity posture, a more rapid and impactful AI roll-out, and improved customer and stakeholder trust. The onus will now be on the companies themselves to determine appropriate ways to manage the risk.”
