The European Commission is preparing a wide-ranging legislative package that would relax parts of the General Data Protection Regulation (GDPR) and delay elements of the EU’s artificial intelligence law, a move supporters say will cut red tape for businesses and critics warn could erode hard-won privacy protections.

A leaked draft indicates the proposals would narrow the definition of personal data and allow companies to process certain datasets to train AI models on the basis of legitimate interest, while simplifying cookie consent rules.

Some non-risk cookies would no longer trigger pop-ups, and browser-level controls could let users manage preferences more broadly across websites. The plan also extends the grace period for high-risk AI systems until standards and support tools are confirmed to be available.

Henna Virkkunen, the European Commission’s executive vice-president for tech sovereignty, said the changes balance innovation and rights. “By cutting red tape, simplifying EU laws, opening access to data and introducing a common European Business Wallet we are giving space for innovation to happen and to be marketed in Europe. This is being done in the European way: by making sure that fundamental rights of users remain fully protected”.

Civil society groups and privacy advocates argue the package risks undermining core GDPR safeguards. Max Schrems of privacy advocacy group noyb said: “The Digital Omnibus would mainly benefit big tech, while failing to provide any tangible benefits to average EU companies. This proposed reform is a sign of panic around shaping Europe’s digital future, not a sign of leadership” He added that the changes “are not based on evidence but rather on fear and industry claims”.

Jan Philipp Albrecht, a former member of the European Parliament who helped draft the GDPR, questioned the scale of the rollback. “Is this the end of data protection and privacy as we have signed it into the EU treaty and fundamental rights charter?” he asked.

Reporting from Netzpolitik.org highlights additional changes under the so-called Digital Omnibus, including a consolidation of data laws into a revised Data Act and proposals to ease compliance for smaller firms by reducing documentation requirements and centralising oversight within an AI Office.

The Commission insists privacy standards will remain high, but the legislative process could be lengthy. The proposal heads to the European Parliament and the EU’s 27 member states, where a qualified majority would be needed for approval. With lobbying intensifying and political divisions already evident, substantial changes are possible before any measures take effect.

---