The European Union, known for implementing some of the strictest laws, is cutting back on privacy protections under its General Data Protection Regulation (GDPR) amid mounting pressure from Big Tech.
Its executive branch, the European Commission, has proposed a new set of changes through a digital package that includes a "Digital Omnibus" to simplify existing rules on artificial intelligence, cybersecurity, and data. These proposed changes target elements of GDPR, the AI Act, and the Data Act.
For starters, changes to cookie rules for web browsers will reduce the number of times cookie banners pop up. Users will be able to show their consent with one click and control cookie settings through their browser"s central controls, which will then apply to websites in general. Cookies used for "non-risk" purposes may not trigger consent pop-ups.
Making changes to the AI Act introduced in 2024, companies will be exempted from registering AI systems used in high-risk areas for tasks that are not considered high risk. The Commission has also proposed simplified AI documentation for small companies and simplifying cybersecurity incident reporting.
The current scenario, where organizations in the EU are obligated to report incidents under multiple legal acts, "may discourage timely or comprehensive reporting." The Commission is introducing a single entry point for entities to submit reports covering all obligations, reducing their burden and speeding up the reporting process.
Proposed changes to the GDPR should make it easier for tech companies to share anonymized personal data and legally use personal data to train AI models, as long as users" identities and other parts of the GDPR are protected.
With changes to the AI Act, Europe"s AI Office will have centralized oversight of AI systems built on general-purpose AI models used by very large platforms and search engines. Some parts of the AI Act are delayed until August 2026 and August 2027.
While the Commission argues that the proposed changes would simplify things for businesses in the EU and spur growth, it"s facing backlash from privacy activists and civil rights groups.
A joint statement from 127 civil organizations says that the "EU must uphold hard-won protections for digital human rights," calling the proposed changes "the biggest rollback of digital fundamental rights in EU history."
On the other hand, the tech lobbying group CCIA Europe has called the digital package a "welcome step towards simplifying the EU’s complex regulatory landscape for digital and tech," adding that "bolder action is still needed." Google, Apple, Meta, Amazon, and other tech companies are among its members.
Moving forward, the proposal will now be submitted to the European Parliament and member EU countries, whose majority approval will be required before the changes are implemented.