The European Union (EU) is preparing to roll back parts of its landmark rules on artificial intelligence (AI) and data privacy, according to a FirstPost report.
For context, the European Commission is expected to introduce the Digital Omnibus package of reforms on November 19, which can reshape the bloc’s General Data Protection Regulation (GDPR), AI Act, and ePrivacy rules.
This latest move follows a report released by former Italian Prime Minister Mario Draghi a year ago, which warned that Europe’s laws are muzzling innovation and holding the region back in global competition with the United States and China.
However, the rollback has drawn criticism, with Brussels reportedly placing competitiveness ahead of citizens’ privacy and data protection rights.
The EU, for its part, has positioned the rollback as a way to simplify compliance and reduce red tape for small and medium-sized companies.
“We need to make doing business in Europe easier without compromising our high standards of online fairness and safety,” Henna Virkkunen – the Commission’s Executive Vice-President for Tech Sovereignty, Security and Democracy – has previously remarked.
“We aim for less paperwork, fewer overlaps and less complex rules for companies doing business in the EU,” she added.
How Can The EU’s GDPR Change?
According to analysis by Austrian non-governmental organisation (NGO) noyb, the leaked Omnibus draft narrows the definition of personal data, meaning that information which cannot directly identify an individual might no longer count as personal.
The draft also restricts when people can exercise their rights to access, correct, or delete data, limiting these rights to “data protection purposes.” In effect, this could prevent journalists or consumers from using data requests in investigations or disputes.
Data of an inherently sensitive nature, such as health status, political views, or sexual orientation, would only receive protection if explicitly disclosed.
This would mark a watershed moment, as existing European court rulings currently safeguard people from profiling based on inferences and deductions.
Furthermore, the draft introduces a legitimate interest exception that allows tech companies to collect personal data, including some sensitive information, for AI training as long as unspecified safeguards are in place.
Noyb warns that this could give US and global tech companies greater freedom to use European data for AI training or analytics. EU users would rarely know if companies are accessing their data, and objections would be nearly impossible to enforce.
How Can the EU’s AI Act Change?
Under the draft proposal, companies deploying high-risk AI systems could receive a one-year grace period before fines and other obligations take effect.
Advertisements
Draft documents also suggest that the EU might postpone penalties for transparency violations, such as failure to clearly label AI-generated content, until August 2027.
Civil society groups have raised concerns that tech companies may unilaterally classify high-risk AI systems as low-risk, thereby bypassing safeguards without notifying anyone.
Will the EU’s ePrivacy Regulation Be Subsumed Within the GDPR?
Europe’s ePrivacy Regulation governs how companies access data on EU users’ phones, computers, and other devices. The Omnibus reforms could merge this regulation into the GDPR framework.
Currently, websites must seek explicit consent before storing or accessing most cookies. However, under the proposed changes, companies could collect some data without asking first, either for a limited set of “low-risk” purposes or under their “legitimate interest.”
This would shift Europe from an opt-in system to something closer to an opt-out regime, where users must actively refuse tracking to avoid being monitored online.
Why It Matters
The European Commission is still discussing the reforms package, which could change before November 19. Crucially, Commission President Ursula von der Leyen will need approval from both the EU Parliament and EU member states.
A geopolitical angle is also at play. Virkkunen met top US tech executives in May this year to pitch the idea of a more business-friendly Europe and highlight plans to simplify digital rules.
Furthermore, this push for “simplification” comes months after Apple urged the EU in September 2025 to rethink the Digital Markets Act (DMA), arguing that the legislation worsens the user experience for Europeans.
Therefore, the critical questions for the EU now are:
- How far is it willing to go to ‘appease’ US-based Big Tech companies and the US government?
- And, is it essentially playing into the hands of foreign actors and leaving EU citizens to fend for themselves in the ‘digital wilderness’?
Also Read:
Support our journalism:
For You