For more than a decade, the General Data Protection Regulation (GDPR) has been hailed as a landmark in digital rights, giving European citizens power over their data, influencing legal frameworks around the world, and standing as a symbol of how privacy and technology can coexist. But in November 2025, the mood in Brussels has shifted. A proposed package of reforms, commonly referred to as the “Digital Omnibus”, signals a potential pulling back of parts of Europe’s strict digital rules, raising alarm bells for privacy advocates and reshaping what global data protection might look like for years to come.
What’s happening
The European Commission is preparing a reform package scheduled to be unveiled around November 19, 2025, which aims to simplify or streamline several high-profile pieces of EU regulation: the GDPR, the Artificial Intelligence Act, the ePrivacy Directive (the so-called “cookie law”), and the Data Act. Among the changes being floated:
- Narrowing the definition of “personal data,” which could exclude certain identifiers (e.g., ad IDs, cookies) from automatic protection under the GDPR.
- Allowing companies to process Europeans’ personal data for AI-training purposes under the “legitimate interest” legal basis (rather than requiring explicit consent) in certain cases.
- Changing notification obligations, data-protection impact assessment (DPIA) thresholds, and enforcement timelines to reduce what the Commission describes as “duplication” or “bureaucracy.”
- Possibly reducing or pausing parts of the AI Act, effectively giving firms more time or slack before compliance burdens bite.
- Getting rid of or modifying cookie-consent banners and tracking-based obligations in the ePrivacy regime.
Why now?
The Commission is framing this as a competitiveness move. As Europe sees pressure from US and Chinese tech powers, and as startups and SMEs cite the complexity of EU rules as a deterrent, Brussels is signalling that it wants to “cut red tape” and help European businesses scale faster.
On the other hand, civil society sees a very different motive: a covert rollback of hard-won digital rights. A coalition of 127 human-rights, privacy and trade-union groups called the reforms “the biggest rollback of digital fundamental rights in EU history.”
What it means for privacy & AI
- For Europeans: The protections they’ve come to assume (control over personal data, transparency of profiling, and restraints on sensitive data use) may become weaker or more conditional. Users could see less notice, fewer rights to opt out of profiling, and more data being used for AI without explicit consent.
- For AI development: Firms, especially those doing large-scale AI training, may gain greater leeway to process sensitive or pseudonymous data, reducing one barrier to innovation. But that may raise risk: inference algorithms, profiling, and automated decision-making on large personal datasets (the issues the GDPR was drafted to tame) may become more common or more opaque.
- Globally: GDPR has served as a model (or aspiration) for many non-EU jurisdictions. If the regulation is softened, it might embolden other jurisdictions to lower their standards or delay new privacy laws. Alternatively, companies might use EU changes as a precedent to press for looser rules elsewhere.
- Regulatory & enforcement risk: Even with changes, enforcement could become more complex. If definitions shift, or if obligations are delayed or modified, there may be a transition phase where what counts as compliance is unclear. Firms may gain flexibility in the short term, but also face uncertainty and adversarial scrutiny from rights organisations.
The tensions
- Innovation vs rights: The heart of the debate is classic: can Europe encourage AI and digital competitiveness and protect individual rights? The Commission argues the current regime weighs too heavily on innovation; critics argue rights are being traded away.
- Transparency & democratic oversight: A recurring complaint is that the process is being done “under the radar,” with leaks and draft texts before full democratic debate. The opacity of the revision mechanisms may undermine trust.
- Diverging member-state views: Some EU member states (e.g., Germany, Finland) may support easing some burdens to boost competitiveness, while others (e.g., France, Austria) resist such loosening, fearing dilution of rights.
- Corporate vs public interest: Big tech firms may benefit from looser data and AI rules, but public interest advocates warn of more surveillance, profiling, and loss of data-agency.
Editor’s take
For PriCyAI Magazine, this is a pivotal moment. The story of “Europe as global privacy standard-setter” may be shifting. As your readership is tech/privacy savvy, here are angles worth emphasising:
- Map out what specific articles of the GDPR and ePrivacy might change, and what that means for data-flows and consent regimes.
- Explore case-studies: If firms can train AI on European personal data more freely, what might change in e-commerce, health tech, advertising?
- Interview or quote voices on both sides: rights groups (e.g., European Digital Rights, noyb) vs business/lobby groups.
- Lay out what this means for global firms operating in Europe, and for non-EU regulators looking at the EU as a benchmark.
- Ask: if protections are loosened, what then is the new baseline for privacy? What should users know and what should firms plan for?
