How GDPR reform will impact global data protection and privacy

The Future of Privacy Forum (FPF) has published a blog article exploring how a "perfect storm" is converging on global data protection this year, driven by the unexpected reopening of the EU General Data Protection Regulation (GDPR), rapid advancements in artificial intelligence (AI), and a surge in adjacent digital regulations. This shift occurs amidst heightened geopolitical tensions, with digital sovereignty, data localisation, and children's online safety becoming central priorities for policymakers.

The decision to amend the GDPR has surprised the industry, as European Commission representatives had previously indicated no intention to reopen the framework. Initially introduced as a minor administrative tweak as part of a simplification package for smaller businesses in May 2025, the scope of the initiative grew substantially by November with the launch of two Digital Omnibus packages. The proposals, framed under a drive for European competitiveness, signal two major policy shifts.

Firstly, the GDPR reforms move away from technology-neutral legislation. AI technology is mentioned throughout the proposed amendments, with the new rules designed to facilitate the training and operation of AI systems. This includes provisions allowing the use of sensitive data and establishing a specific legitimate interest for processing personal data for AI-related purposes.

Secondly, and more importantly, according to the FPF, the definition of personal data is being narrowed. Guided by the Court of Justice of the EU (CJEU) ruling in case C 413/23 in September 2025, the proposed changes suggest a relative approach to de-identification. Under this approach, data held by an organisation is not considered personal data if the organisation itself does not have reasonable means to identify the individual, even if a subsequent recipient of the data could identify them. 

Because the GDPR has served as a global blueprint for data protection laws in jurisdictions such as Brazil, China, and California, these modifications are expected to have a far-reaching long-term impact. FPF warns that the current legislative process in Brussels represents a fundamental pivot in data protection philosophy that could diminish the reach of privacy rights and supervisory oversight in the years to come.

Training Announcement: Freevacy offers a range of independent data protection qualifications from IAPP and BCS. Our certified courses are available at foundation and practitioner levels and cover multiple legal jurisdictions, data protection operations management, and the implementation of complex privacy solutions in technical environments. Find out more.