Calling them “death by a thousand cuts” among other descriptors, prominent privacy groups are heavily criticizing the European Commission (EC)’s proposed changes to foundational digital EU privacy laws such as the General Data Protection Regulation (GDPR), Artificial Intelligence Act, and e-Privacy Directive.
The proposals have been packaged as what the EC calls the “Digital Omnibus,” meant primarily to trim redundancy and onerous restrictions from the EU’s most important privacy regulations. But groups such as noyb are calling the proposal a “massive downgrade” to these laws, noting such terms as expanded exemptions to consent requirements and reductions of what constitutes “special” protected data as applies to AI model training.
Privacy groups highlight blows to EU privacy law
The Digital Omnibus package comes after not just years of criticism of EU privacy laws by big tech, but also more recent pressure applied by the US government under the Trump administration. Big tech has been more concerned with lifting restrictions on consent requirements and data collection, while the US objection has centered more on speech and business restrictions. EU officials do not necessarily need external pressure to make changes, however; the bloc has shown serious concern about falling behind in the AI arms race in no small part due to its stringent privacy rules.
The Digital Omnibus effort was first announced earlier this year and will not be formally presented until November 19, but draft documents have been obtained by media sources such as Politico. The new bill would impact the existing terms of the GDPR, the Artificial Intelligence Act, the e-Privacy Directive and the Data Act in an assortment of ways.
One of the biggest sore points for privacy advocates is the lifting of bans on processing certain special categories of protected personal data if the existing restriction might “disproportionately hinder the development and operation of AI.” Another major point of contention is the proposed merger of the ePrivacy Directive, which covers cookie consent rules, with the GDPR; critics allege this would severely weaken it.
The GDPR would also see several direct amendments under the proposed EU privacy law changes. One could be leveraged by companies to circumvent restrictions on the commercial use of collected personal data, by “pseudonymizing” the information and thus moving it beyond the reach of some security and transfer rules. Another would limit user data access rights, restricting the purposes for which users are allowed to access their stored personal information to correcting it or requesting its deletion.
The Omnibus also takes on the new AI Act’s terms, and this is the element upon which the changes seem to be most focused. A series of exemptions for AI training would be carved out that would allow personal data to more freely be used without express user consent, by expanding the “legitimate interest” exceptions. Critics worry that organizations could abuse this by simply routing all of their data processing through an AI system, circumventing many of the existing consent requirements. The EC itself would also assume direct control over AI regulation as the centralized primary authority.
Supporters push EU privacy law changes as “small business friendly”
While these proposed EU privacy law changes seem almost entirely like concessions to big tech desires at first glance, the EC is selling them as the removal of onerous restrictions on smaller businesses. Critics such as noyb are calling this a “side-show” meant to pass changes that are instead really tailored to the tech industry’s longstanding wants and needs.
Supporters also note that the EU privacy law changes would leave in place the ability for users to opt out of having their personal data used for AI training. However, this would now be a proactive opt-out rather than having extensive legal protection in place by default. Google is facing a similar legal issue in the United States at the moment, as it is being taken to court in California for switching Gemini AI assistant access to emails and messages from opt-in to opt-out without sufficient notice to Gmail and Chat users.
AI regulation has become a contentious issue in the bloc because the application of EU privacy laws has at times delayed or removed service. ChatGPT availability was famously paused in Italy for a few weeks due to concerns about protection of children’s data, and since then most of the other major LLM providers have experienced delays to rollouts of new products due to one regulatory issue or another.
The proposal may well change before it makes its public debut, and it will then be subject to debate amongst EU members and Parliament that will very likely alter at least some of its terms. A number of bloc members, most notably France and Austria, have signaled that any weakening of the GDPR’s protections is a likely dealbreaker. In Parliament, the split appears to be along left-right party lines for the most part.

