The European Commission has proposed sweeping changes to its data protection and artificial intelligence regimes in a bid to reduce the regulatory burden, boost European AI start-ups, and improve overall competitiveness in a market dominated by the United States and China.
The changes will affect the General Data Protection Regulation (GDPR), the AI Act, the e-Privacy Directive and the Data Act.
However, digital rights campaigners have condemned the proposals as the biggest roll back of data protection rights in the EU's history.
The so-called 'Digital Omnibus’ is the latest move by the European Commission to reduce some of the new regulations introduced in the past decade in response to the climate emergency, break-neck digital innovation and a string of financial crises.
We need your consent to load this rte-player contentWe use rte-player to manage extra content that can set cookies on your device and collect data about your activity. Please review their details and accept them to load the content.Manage Preferences
The move is also being seen in light of US President Donald Trump’s frequent assaults on EU tech regulation which he claims "discriminates" against US corporations.
The Commission said the simplifications would allow EU businesses and start-ups to spend less time on administrative work and compliance, saving up to €5 billion by 2029 and to allow such companies to "to stay at the forefront of technology while at the same time promoting Europe's highest standards of fundamental rights, data protection, safety and fairness".
The proposals include the simplification of so-called "cookie" banners, whereby users can accept or reject pop-up cookie requests on a particular website once, with the option lasting for six months before renewal.
Ireland’s EU Commissioner Michael McGrath told a news conference: "Users…will be able to accept or refuse cookies now with one click, organisations will need to respect users' choices for six months.
"So, when browsing the internet and revisiting a website that you have been on in recent months, if you answered that question within the last six months, you will not be asked again to give such consent," he added.
Consumer data access for Big Tech
More controversial will be rules on freeing up access for Big Tech companies to consumer data to allow the growth of AI models.
The proposals would allow tech firms to use personal data to train AI models based on "legitimate interest" without asking for consent and delaying rules for high-risk AI systems by a year.
Mr McGrath told reporters that already within the GDPR law, both consent and "legitimate interest" were two gateways to enable the processing of personal data.
This meant legitimate interest was already enshrined in EU law and had been clarified by both European Court of Justice (ECJ) rulings and European Data Protection Board (EDPB) opinions.
"That's not changing," Mr McGrath said.
He added: "What is changing here is that the EDPB has already clarified that the use of legitimate interest for AI is already possible in its opinion of December last year, subject to certain conditions."
Other changes to the AI Act include exempting companies from registering their AI systems in an EU database for high-risk systems if these are only used for narrow or procedural tasks.
Furthermore, stricter rules governing high risk use of AI - ie, where it is being used in transport, education, robot-assisted surgery, management of workers, bank loan applications etc - will be deferred until December 2027.
Officials said the delay is intended to allow support structures across 27 member states to evolve to ensure legal certainty on how the AI Act should be applied.
The Commission’s proposals, which will need to secure the approval of member states and the European Parliament, include a so-called European Business Wallet, which will offer companies a single digital identity to simplify paperwork and make it easier to do business across the EU.
Businesses will be able to digitally sign, timestamp and seal documents, securely create, store and exchange verified documents and communicate more securely with other businesses and public administrations across the EU, according to a statement.
'Unlock savings'
Officials said this could "unlock savings" worth €150 billion per year.
There will also be a single-entry point for companies reporting cyberattacks or data breaches.
The proposals have been welcomed by Digital Business Ireland (DBI).
A spokesman said: "The timeline for implementing high-risk rules has been sensibly adjusted to a maximum of 16 months, with obligations only kicking in once the Commission confirms that the necessary standards and support tools are in place.
"This provides businesses with the clarity and practical assistance they need to comply.
"DBI welcomes this pragmatic approach, which will ensure that AI innovators are better equipped to meet their regulatory responsibilities."
However, DBI said simplification could have gone further, and matched the ambition of the report last year by former ECB president Mario Draghi into the EU’s competitiveness problems.
In a submission to the European Commission ahead of publication, the Irish Government said consumer protection should remain central to any updated system, and that simplification be "grounded in evidence to avoid unintended consequences, including through regulatory impact assessments."
In a letter from Niamh Smyth, Minister of State for Trade Promotion, Artificial Intelligence and Digital Transformation, stakeholder consultation "should be a mandatory and transparent part of the formulation of EU digital regulation, to ensure practical, industry-informed rules and implementation".
Proposals condemned
The proposals have been condemned by European Digital Rights (EDRi), a network of some 50 non-governmental organisations, academics and campaigners on online privacy.
In a statement, EDRi said the proposals represented a "massive reopening of EU’s core digital protections - so far including the General Data Protection Regulation (GDPR), ePrivacy Directive and the Artificial Intelligence (AI) Act - a move that risks dismantling the very foundation of human rights and tech policy in the EU."
EDRi accused the Commission of shifting the key provision of smartphone or device access for Big Tech companies into the GDPR, meaning that while consent will remain necessary for most tracking, several exceptions will allow companies to access personal data without permission.
The organisation said the proposed Privacy Signal would give consumers a clear way to refuse access, "but it applies only after two years and does not cover many media sites".
The statement said the Digital Omnibus narrows the definition of personal data through a new recital that "allows companies to mark their own homework, allows the unchecked use of people’s most intimate data for training AI systems, and reshapes automated decision making, leading to discriminatory impacts to allow wider use with fewer limits".
The EDRi said overall such changes would give both state authorities and large companies "more room to collect and process personal information with limited oversight and reduced transparency".
