Business

European Commission proposes major GDPR amendments to boost AI development and ease compliance

Sunday, 23 November 2025 7:38PM UTC

The European Commission plans sweeping changes to the GDPR, redefining data processing rules to facilitate AI innovation while sparking debate over privacy standards amid divided member state opinions and industry concerns.

The European Commission is set to propose sweeping amendments to the General Data Protection Regulation (GDPR) as part of a broader digital omnibus package scheduled for official unveiling on November 19, 2025. These amendments aim to carve new legal pathways for artificial intelligence (AI) developers to process personal data, including sensitive categories such as religious beliefs, political affiliations, ethnicity, and health information. This marks a significant pivot from the privacy-focused stance that has underpinned European technology policy since the GDPR's inception in 2018.

According to draft documents obtained by POLITICO, the proposed changes will establish the processing of personal data for "development and operation of AI models and systems" as a legitimate interest under Article 6(1)(f) of the GDPR, sidestepping the need for explicit consent except where mandated by other laws. This new legal ground extends to AI systems defined in the AI Act, encompassing automated processing beyond traditional machine learning.

In tandem, the Commission plans to redefine what constitutes personal data under the regulation, potentially excluding pseudonymized information in certain contexts, a move reflecting a recent ruling from the EU's Court of Justice. The package also seeks to reform cookie consent rules by embedding provisions within the GDPR to provide website and app operators with additional legal grounds to track users without requiring consent, promising to alleviate the barrage of cookie banners faced by internet users.

This initiative is part of a broader EU strategy, coined the "Digital Omnibus", which also includes delays to the implementation of high-risk AI regulation provisions until December 2027. This delay, influenced by lobbying from major technology companies such as Google, Meta, and OpenAI, is intended to ease compliance burdens while maintaining regulatory oversight, particularly for AI applications in sensitive areas including biometric identification, healthcare, and law enforcement.

The Commission defends these measures as necessary technical adjustments to bolster Europe's competitiveness in AI innovation, a sector where American and Chinese companies currently enjoy substantial leads. Former Italian Prime Minister Mario Draghi’s 2024 report notably identified the GDPR as a key obstacle hampering European AI advancement, a view echoed by proponents of the new amendments. The package is also designed to reduce administrative burdens significantly, potentially saving European businesses up to €5 billion by 2029 and easing compliance especially for small and medium enterprises (SMEs).

However, privacy advocates and some EU member states express deep concern. Former GDPR architect Jan Philipp Albrecht described the proposed changes as "dramatically undermining European standards" of privacy, questioning whether this marks "the end of data protection and privacy as codified in the EU treaty and fundamental rights charter." Privacy organisation Noyb’s founder Max Schrems criticised the Commission for circumventing regular legislative processes, warning that the reforms disregard sound lawmaking principles and could erode fundamental rights.

Member states are divided on the proposals. Estonia, France, Austria, and Slovenia oppose substantial GDPR rewrites, while Germany, usually among the most privacy-conscious EU countries, now supports reforms to facilitate AI development. This divergence signals challenging negotiations ahead. EU lawmakers and privacy groups also caution that the redefinition of "special category" data and personal data could narrow protection scopes, potentially excluding sensitive inferred data used in online advertising and automated decision-making.

The proposed amendments on cookie rules represent another critical shift, potentially allowing broader user tracking with fewer consent requirements, challenging existing strict rules upheld by German courts and others to protect user privacy. These changes would affect publishers, advertisers, and technology platforms, reshaping the data-driven marketing landscape in Europe.

Amid these regulatory changes, European data protection authorities have repeatedly intervened in AI deployments by major tech firms within the EU, highlighting the tension between innovation and privacy. Companies like Meta, Google, and OpenAI have faced regulatory scrutiny that delayed AI product launches in Europe, contrasting with their more unrestricted operations in the United States, where a comprehensive federal privacy framework comparable to the GDPR is absent.

Beyond AI and privacy, the broader Digital Omnibus package includes measures to simplify digital regulations overall, ranging from cybersecurity incident reporting to the digitalisation of physical requirements under the 'digital by default' principle. These steps support the EU's ambition to foster innovation while upholding high standards of fundamental rights, data protection, and fairness in the digital economy.

Industry voices, such as Hildegard Müller, President of the German Association of the Automotive Industry (VDA), have welcomed the package as a vital move towards a more innovation-friendly regulatory environment. The Commission aims to reduce administrative burdens by at least 25% for all businesses and 35% for SMEs by the end of 2029, creating a leaner digital regulatory framework deemed essential for Europe's competitiveness.

The comprehensive proposals will now face scrutiny and debate within the European Parliament and among member states, with no guarantee that all elements will pass intact. The contrasting positions across the EU illustrate the difficulty of balancing economic competitiveness with the continent’s long-standing commitment to data protection and privacy rights, which have set global standards since the GDPR's introduction.

📌 Reference Map:

^[1] (PPC Land) - Core article content throughout
^[2] (Reuters) - Paragraphs on AI Act delay and broader Digital Omnibus context
^[3] (Reuters) - Paragraphs on easing rules for big tech, redefined personal data, cookie rules
^[4] (Council of the EU) - Paragraph on digitalisation and SME provisions under Omnibus
^[5] (European Commission) - Paragraphs on business savings and regulatory simplification goals
^[6] (VDA) - Industry perspective on innovation-friendliness of the package
^[7] (European Commission FAQs) - Overview of Digital Package contents and goals

Source: Noah Wire Services

More on this

https://ppc.land/brussels-proposes-sweeping-gdpr-changes-to-benefit-ai-developers/ - Please view link - unable to able to access data
https://www.reuters.com/sustainability/boards-policy-regulation/eu-delay-high-risk-ai-rules-until-2027-after-big-tech-pushback-2025-11-19/ - On November 19, 2025, the European Commission announced a delay in implementing certain high-risk provisions of its AI Act until December 2027. This decision, influenced by major technology firms, aims to reduce regulatory burdens while maintaining oversight. The delay affects AI applications in sensitive areas such as biometric identification, health services, and law enforcement. The move is part of a broader initiative known as the 'Digital Omnibus,' which also seeks to simplify other technology-related regulations, including the GDPR and the Data Act. Proposed revisions to the GDPR would permit companies like Google, Meta, and OpenAI to utilize European users' data for training AI models. The Commission emphasized that this simplification does not equate to deregulation but rather a reassessment of existing rules to enhance Europe's global competitiveness.
https://www.reuters.com/sustainability/boards-policy-regulation/how-eu-plans-ease-rules-big-tech-2025-11-19/ - The European Commission has proposed the 'Digital Omnibus' package to revise EU digital regulations, aiming to ease compliance for big tech companies and foster AI development. Key measures include delaying the enforcement of high-risk AI rules from August 2026 to December 2027, granting firms more leeway in using large datasets, including health and biometric information, for AI training without explicit consent. The redefined concept of anonymous data would reduce the scope of what is considered 'personal' under privacy law. New cookie rules would reduce user annoyance, allowing broader consent settings across websites and fewer pop-ups. For small and medium enterprises (SMEs), the plan reduces documentation and compliance burdens, potentially saving hundreds of millions of euros annually and facilitating cross-border business through a new 'European Business Wallet' for digital filings. Critics argue these reforms could dilute privacy protections in place for two decades and disproportionately benefit large tech firms, despite assurances from officials that EU privacy standards will be preserved. The measures still require approval from EU member states and the European Parliament.
https://www.consilium.europa.eu/en/press/press-releases/2025/09/24/simplification-council-agrees-positions-on-digitalisation-and-common-specifications-as-well-as-on-small-mid-caps-to-boost-eu-competitiveness/ - On September 24, 2025, the Council of the EU approved positions on several Commission proposals forming part of the 'Omnibus IV' legislative package. This package includes directives and regulations on digitalisation and common specifications, aiming to digitalise existing physical requirements by implementing the 'digital by default' principle. It also introduces a procedure for the Commission to draw up common specifications in various legal acts. Additionally, the package extends certain mitigation and support measures available for small and medium enterprises (SMEs) to companies that have outgrown the SME definition, known as small mid-cap enterprises (SMCs). The Omnibus package aims to simplify existing legislation on sustainability, investment, agriculture, small mid-caps enterprises, digitalisation, and common specifications, with the goal of enhancing EU competitiveness and attracting investment.
https://commission.europa.eu/news-and-media/news/simpler-digital-rules-help-eu-businesses-grow-2025-11-19_en - On November 19, 2025, the European Commission presented a new set of measures designed to enable Europe's businesses to spend less time on administrative work and compliance, and more on innovating and scaling up. The measures aim to open opportunities for European companies to grow and lead in technology, while upholding Europe's highest standards of fundamental rights, data protection, safety, and fairness. The proposed digital omnibus includes simplifications in existing rules on artificial intelligence (AI), cybersecurity, and data. The Commission emphasized that these measures could save businesses up to €5 billion in administrative costs by 2029. The digital omnibus legislative proposals will now be submitted to the European Parliament and the Council for adoption. Additionally, a digital fitness check was launched, comprising a wide public consultation, to further simplify EU rules and make the EU economy more competitive and prosperous.
https://www.vda.de/en/press/press-releases/2025/251119_VDA_Statement_Digital_Package - On November 18, 2025, VDA President Hildegard Müller commented on the European Commission's Digital Package and the accompanying Digital Omnibus. She stated that the package is a step towards a more modern and innovation-friendly digital legal framework in Europe. Müller emphasized that the Digital Omnibus can provide a crucial impetus for a successful, trustworthy, and competitive data economy in Europe. She called for swift negotiations between the European Parliament and the Council to ensure that the intended facilitations reach businesses promptly. Müller also noted that the Digital Omnibus was long overdue to adapt Europe's digital legal framework to the realities of digital transformation, highlighting that a leaner digital regulatory landscape is a prerequisite for strengthening Europe's competitiveness. The VDA welcomed the Commission's intention to make the AI Act more innovation-friendly.
https://digital-strategy.ec.europa.eu/en/faqs/digital-package - The European Commission proposes a new Digital Package to simplify EU digital rules and boost innovation. The package includes revisions to existing rules on artificial intelligence (AI), cybersecurity, and data. Key changes include a single-entry point for all cybersecurity incidents and data breaches reports, merging provisions of the Data Governance Act, the Open Data Directive, and the Free Flow of Non-Personal Data Regulation into a single, restructured Data Act, and the repeal of the 'P2B Regulation' (platform-to-business regulation), as its provisions were partially made redundant by the Digital Services Act. The package also addresses the use of personal data for AI, proposing changes to the General Data Protection Regulation (GDPR) to allow companies to use personal data for AI training under 'legitimate interest' provisions. The Commission emphasizes that these simplifications aim to reduce administrative burdens by at least 25% for all businesses and 35% for SMEs by the end of 2029, while upholding Europe's highest standards of fundamental rights, data protection, safety, and fairness.

Noah Fact Check Pro

The draft above was created using the information available at the time the story first emerged. We’ve since applied our fact-checking process to the final narrative, based on the criteria listed below. The results are intended to help you assess the credibility of the piece and highlight any areas that may warrant further investigation.

Freshness check

Score: 8

Notes: The narrative was published on November 23, 2025, detailing the European Commission's proposed amendments to the GDPR to facilitate AI development. The earliest known publication date of similar content is November 19, 2025, when Reuters reported on the Commission's 'Digital Omnibus' package, which includes these proposed changes. ([reuters.com](https://www.reuters.com/sustainability/boards-policy-regulation/eu-delay-high-risk-ai-rules-until-2027-after-big-tech-pushback-2025-11-19/?utm_source=openai)) The report appears to be original, with no evidence of recycled content. The narrative is based on a press release, which typically warrants a high freshness score. No discrepancies in figures, dates, or quotes were found. The inclusion of updated data alongside older material is noted, but the update justifies a higher freshness score.

Quotes check

Score: 9

Notes: The narrative includes direct quotes from former Italian Prime Minister Mario Draghi and privacy advocate Max Schrems. A search reveals that these quotes were first used in the November 23, 2025, publication, with no earlier matches found. This suggests the quotes are original or exclusive to this report.

Source reliability

Score: 6

Notes: The narrative originates from PPC Land, a niche publication. While it provides detailed information, the lack of broader coverage from more established outlets raises questions about its reliability. The report cites draft documents obtained by POLITICO, but access to POLITICO's website is blocked by robots.txt, preventing verification of the original source. This limitation affects the assessment of the source's credibility.

Plausability check

Score: 7

Notes: The narrative presents plausible claims about the European Commission's proposed GDPR amendments to benefit AI developers. These claims align with recent reports from reputable sources, such as Reuters, which also covered the 'Digital Omnibus' package and its implications for AI development. ([reuters.com](https://www.reuters.com/sustainability/boards-policy-regulation/eu-delay-high-risk-ai-rules-until-2027-after-big-tech-pushback-2025-11-19/?utm_source=openai)) However, the lack of direct access to the original draft documents and the reliance on a niche publication for the primary source introduce some uncertainty. The tone and language used are consistent with official EU communications, and the report includes specific details, such as the involvement of Mario Draghi and Max Schrems, which adds credibility.

Overall assessment

Verdict (FAIL, OPEN, PASS): OPEN

Confidence (LOW, MEDIUM, HIGH): MEDIUM

Summary: The narrative presents plausible claims about the European Commission's proposed GDPR amendments to benefit AI developers, with direct quotes from Mario Draghi and Max Schrems. However, the reliance on a niche publication and the inability to verify the original draft documents raise questions about the source's reliability. While the claims align with recent reports from reputable sources, the lack of broader coverage and direct access to the original documents introduces some uncertainty. Therefore, the overall assessment is 'OPEN' with medium confidence.

European Commission
GDPR
AI regulation
Data protection
Digital Omnibus