Published by Global Banking & Finance Review®
Posted on November 10, 2025
3 min readLast updated: January 21, 2026
Proposed EU privacy law changes could ease data use for AI, sparking criticism for potentially undermining GDPR protections.
By Foo Yun Chee
BRUSSELS (Reuters) -Privacy activists say proposed changes to Europe's landmark privacy law, including making it easier for Big Tech to harvest Europeans' personal data for AI training, would flout EU case law and gut the legislation.
The changes proposed by the European Commission are part of a drive to simplify a slew of laws adopted in recent years on technology, environmental and financial issues which have in turn faced pushback from companies and the U.S. government.
EU antitrust chief Henna Virkkunen will present the Digital Omnibus, in effect proposals to cut red tape and overlapping legislation such as the General Data Protection Regulation, the Artificial Intelligence Act, the e-Privacy Directive and the Data Act, on November 19.
According to the plans, Google, Meta Platforms, OpenAI and other tech companies may be allowed to use Europeans' personal data to train their AI models based on legitimate interest.
In addition, companies may be exempted from the ban on processing special categories of personal data "in order not to disproportionately hinder the development and operation of AI and taking into account the capabilities of the controller to identify and remove special categories of personal data".
"The draft Digital Omnibus proposes countless changes to many different articles of the GDPR. In combination this amounts to a death by a thousand cuts," Austrian privacy group noyb said in a statement.
Noyb is known for filing complaints against American companies such as Apple, Alphabet and Meta that have triggered several investigations and resulted in billions of dollars in fines.
"This would be a massive downgrading of Europeans' privacy 10 years after the GDPR was adopted," noyb's Max Schrems said.
European Digital Rights, an association of civil and human rights organisations across Europe, slammed a proposal to merge the ePrivacy Directive, known as the cookie law that resulted in the proliferation of cookie consent pop-ups, into the GDPR.
"These proposals would change how the EU protects what happens inside your phone, computer and connected devices," EDRi policy advisor Itxaso Dominguez de Olazabal wrote in a LinkedIn post.
"That means access to your device could rely on legitimate interest or broad exemptions like security, fraud detection or audience measurement," she said.
The proposals would need to be thrashed out with EU countries and European Parliament in the coming months before they can be implemented.
(Reporting by Foo Yun CheeEditing by Alexandra Hudson)
The GDPR is a comprehensive data protection law in the EU that governs how personal data is collected, processed, and stored, ensuring individuals' privacy rights are protected.
The Digital Omnibus is a set of proposals by the European Commission aimed at simplifying various digital regulations, including those related to data protection and AI.
Personal data refers to any information that relates to an identified or identifiable individual, such as names, email addresses, and identification numbers.
Data processing involves any operation performed on personal data, including collection, storage, retrieval, and deletion.
Legitimate interest is a legal basis under GDPR that allows organizations to process personal data if it is necessary for their legitimate interests, provided these do not override individuals' rights.
Explore more articles in the Finance category
