Privacy advocates have condemned proposed changes to Europe’s landmark data protection law, saying they would hand Big Tech greater power to exploit personal data for artificial intelligence training and dismantle hard-won privacy rights.
The proposals, part of the European Commission’s upcoming Digital Omnibus package, aim to simplify a web of overlapping technology and data laws, including the General Data Protection Regulation (GDPR), the Artificial Intelligence Act, and the ePrivacy Directive.
The reforms are expected to be unveiled by EU antitrust chief Henna Virkkunen on November 19.
According to draft documents, tech giants such as Google, Meta, and OpenAI could be allowed to use Europeans’ personal data to train AI models under the justification of “legitimate interest.”
The proposals would also permit companies to process sensitive personal data in certain cases if full compliance was deemed to “disproportionately hinder” AI development.
Privacy campaigners say the plan would hollow out the GDPR, which came into force in 2018 and has since become a global benchmark for data protection.
Austrian group noyb, led by privacy activist Max Schrems, said the package amounted to “a death by a thousand cuts.” Schrems warned that it represented “a massive downgrading of Europeans’ privacy ten years after the GDPR was adopted.”
European Digital Rights (EDRi), a coalition of civil and human rights groups, criticised a separate proposal to fold the ePrivacy Directive—often called the “cookie law”—into the GDPR.
Policy adviser Itxaso Dominguez de Olazabal said the move could allow companies to access users’ devices based on vague justifications such as “security” or “fraud detection.”
The Commission’s plans will now face negotiations with EU member states and the European Parliament, where privacy advocates are expected to mount strong opposition.
