Europe Scaling Back GDPR and AI Laws

Robert Hart and Dominic Preston (Hacker News, MacRumors):

Under intense pressure from industry and the US government, Brussels is stripping protections from its flagship General Data Protection Regulation (GDPR) — including simplifying its infamous cookie permission pop-ups — and relaxing or delaying landmark AI rules in an effort to cut red tape and revive sluggish economic growth.

The changes, proposed by the European Commission, the bloc’s executive branch, changes core elements of the GDPR, making it easier for companies to share anonymized and pseudonymized personal datasets. They would allow AI companies to legally use personal data to train AI models, so long as that training complies with other GDPR requirements.

The proposal also waters down a key part of Europe’s sweeping artificial intelligence rules, the AI Act, which came into force in 2024 but had many elements that would only come into effect later. The change extends the grace period for rules governing high-risk AI systems that pose “serious risks” to health, safety, or fundamental rights, which were due to come into effect next summer. The rules will now only apply once it’s confirmed that “the needed standards and support tools are available” to AI companies.

Update (2025-11-21): noyb (via endl):

As gradually leaked the last days by various news outlets, the EU Commission has secretly set in motion a potentially massive reform of the GDPR. If internal drafts become reality, this would have significant impact on people's fundamental right to privacy and data protection. The reform would be part of the so-called "Digital Omnibus" which was supposed to only bring targeted adjustments to simplify compliance for businesses. Now, the Commission proposes changes to core elements like the definition of "personal data" and all data subject's rights under the GDPR. The leaked draft also suggests to give AI companies (like Google, Meta or OpenAI) a blank check to suck up European's personal data. In addition, the special protection of sensitive data like health data, political views or sexual orientation would be significantly reduced. Also, remote access to personal data on PCs or smart phones without consent of the user would be enabled. Many elements of the envisaged reform would overturn CJEU case law, violate European Conventions and the European Charter of Fundamental Rights.

See also: AFP.

Update (2025-11-25): M.G. Siegler:

Sure, it’s a few seconds here and there, but those add up in aggregate. And I, like everyone who lives in Europe, am doing it many, many times a day. Every day. And some have been doing this for over 15 years now…

And it’s actually worse than tedious or time-wasting, it actually does the exact opposite of what the intent was: to make people more mindful of their privacy and give them more control. No one reads these anymore, no one.

Nick Heer:

If you are annoyed about cookie banners, get ready to have that dialled back — maybe, a bit. The proposed changes will allow users to set their cookie preference in their web browser. But media companies will be free to ignore those automatic signals and ask for your permission to set cookies anyway. Also, the circumstances under which consent is not required will be broadened, but websites will still need to ask before using cookies for targeted advertising. Oh, and consent is still required by laws elsewhere and, until policies are harmonized around the world, consent banners are here to stay. Even if everyone copies the proposed changes for the E.U., you will still see a lot of these banners if you spend a lot of time reading news.

Previously:

• Firefox Removes “Do Not Track”
• Apple Is Removing “Do Not Track” From Safari
• Twitter Abandons “Do Not Track” Privacy Protection

Artificial Intelligence European Union GDPR Legal Privacy Web

3 Comments RSS · Twitter · Mastodon

---

---

---

Leave a Comment

Name

E-mail (will not be published)

Web site

Δ