BRUSSELS — European Union officials are ready to sacrifice some of their most prized privacy rules for the sake of AI, as they seek to turbocharge business in Europe by slashing red tape. 

The European Commission will unveil a “digital omnibus” package later this month to simplify many of its tech laws. The executive has insisted that it is only trimming excess fat through “targeted” amendments, but draft documents obtained by POLITICO show that officials are planning far-reaching changes to the General Data Protection Regulation (GDPR) to the benefit of artificial intelligence developers.  

The proposed overhaul will come as a boon to businesses working with AI, as Europe scrambles to stay economically competitive on the world stage.

But touching the flagship privacy law — seen as the “third rail” of EU tech policy — is expected to trigger a massive political and lobbying storm in Brussels.

“Is this the end of data protection and privacy as we have signed it into the EU treaty and fundamental rights charter?” said German politician Jan Philipp Albrecht, who as a former European Parliament member was one of the chief architects of the GDPR. “The Commission should be fully aware that this is undermining European standards dramatically.”

Brussels’ shift on privacy comes as it frets over Europe’s waning economic power. Former Italian Prime Minister Mario Draghi namechecked the General Data Protection Regulation as holding back European innovation on artificial intelligence in his landmark competitiveness report last year.

European privacy regulators have already been spoiling Big Tech’s AI party in recent years. Meta, X and LinkedIn have all delayed rollouts of artificial intelligence applications in Europe after interventions by the Irish Data Protection Commission. Google is facing an inquiry by the same regulator and was previously forced to pause the release of its Bard chatbot. Italy’s regulator has previously imposed temporary blocks on OpenAI’s ChatGPT and Chinese DeepSeek over privacy concerns.

Those same tech giants are racing ahead in the U.S., without an equivalent blanket privacy law barring them from feeding AI with citizens’ data.

Unleash the lobbyists

The General Data Protection Regulation’s initial drafting in 2012-2016 triggered one of the biggest lobbying efforts Brussels has ever seen. Since taking effect in 2018, the EU has steered clear of amending it, fearing it would reignite the vicious lobbying war. 

In past months, Commission officials have sought to preempt worries that it was overhauling the privacy rulebook. It insisted that its simplification proposals wouldn’t touch the underlying principles of the GDPR. 

Now that draft plans are out, civil society campaigners have begun sounding the alarm.

The Commission is “secretly trying to overrun everyone else in Brussels,” said Max Schrems, founder of Austrian privacy group Noyb — and Europe’s infamous privacy campaigner who was behind court cases that brought down major data transfer deals with the United States in the past. “This disregards every rule on good lawmaking, with terrible results,” he said.

One line of attack from privacy groups is to poke holes in what they say is a rushed omnibus process. While the GDPR took years to negotiate, public consultation on the digital omnibus only ended in October. The Commission has not prepared impact assessments to accompany its proposals, as it says the changes are only targeted and technical.

The Commission’s tunnel vision on the AI race has resulted in a “poorly drafted ‘quick shot’ in a highly complex and sensitive area,” said Schrems.

Loosening privacy rules

The draft proposal obtained by POLITICO shows how far the European Commission is willing to go to placate industry on AI.

Draft changes would create new exceptions for AI companies that would allow them to legally process special categories of data (like a person’s religious or political beliefs, ethnicity or health data) to train and operate their tech. The Commission is also planning to reframe the definition of such special category data, which are afforded extra protections under the privacy rules.  

Officials also want to redefine what constitutes as personal data, saying that pseudonymized data (where personal details have been obscured so a person can’t be identified) might not always be subject to the GDPR’s protections, a change that reflects a recent ruling from the EU’s top court.

Finally, it wants to reform Europe’s pesky cookie banner rules by inserting a provision into the GDPR that would give website and app owners more legal grounds to justify tracking users beyond simply obtaining their consent.

The draft proposal could still change before the Commission officially unveils its plans on Nov. 19.

Once presented, the omnibus package has to pass muster with EU countries and lawmakers, who are already sharply divided on whether to touch privacy protections.  

Documents seen by POLITICO show that Estonia, France, Austria and Slovenia are firmly against any rewrite of the General Data Protection Regulation. Germany — usually seen as one of the most privacy-minded countries — on the other hand is pushing for big changes to help AI.

In the European Parliament, the issue is expected to divide groups. Czech Greens lawmaker Markéta Gregorová said she is “surprised and concerned” that the GDPR is being reopened. She warned that Europeans’ fundamental rights “must carry more weight than financial interests.” 

But Finnish center-right lawmaker Aura Salla — who previously led Meta’s Brussels lobbying office — said she would “warmly” welcome the proposal “if done correctly,” as it could bring legal certainty for AI companies. Salla emphasized that the Commission will have to “ensure it is European researchers and companies, not just third country giants that gain a competitive edge from our own rules.”