European Commission considering bigger GDPR overhaul to boost AI innovation
07/11/2025 | IAPP
A leaked draft of the European Commission's Digital Omnibus proposal signals a move to ease data protection rules to facilitate artificial intelligence (AI) development. In an article for IAPP, Ruth Boardman, co-head of the International Privacy and Data Protection Group at Bird & Bird, provides an analysis of what to expect.
On 19 November 2025, the Commission is set to publish two legislative instruments to simplify the EU digital rulebook. The first package contains significant legislative changes to the EU General Data Protection Regulation (GDPR), ePrivacy, and Data Act. The second will address the Artificial Intelligence Act (AI Act).
The key GDPR and ePrivacy proposals include establishing a single point for breach reporting, following a "report once, share many" principle, integrating requirements under the GDPR, the Network and Information Security Directive, the Digital Operational Resilience Act, and the Critical Entities Resilience Directive. The threshold for reporting personal data breaches to data protection authorities (DPAs) would also be raised to cover only high-risk incidents, and the reporting period would be extended to 96 hours.
In relation to subject access requests (SARs), controllers would be allowed to reject or charge a fee for SARs used for purposes other than protecting their data, such as employment disputes.
Cookie consent rules will see substantial reform. Consent would no longer be required for tracking technology used for security or aggregated audience measurement. Where tracking involves personal data processing, the GDPR would trump the ePrivacy Directive, allowing controllers to rely on any lawful basis under the GDPR, not solely consent. In the long term, the Commission would support a mandatory system requiring all publishers to respect universal user preference signals set by browsers or operating systems. However, media service providers would be exempted, given the recognition that advertising revenue is vital for independent journalism.
On the application of data protection impact assessments (DPIAs), the European Data Protection Board (EDPB) would be required to develop EU-wide lists outlining when these assessments are necessary, replacing the existing national lists and establishing a standard template and methodology.
The definition of special category data would also be narrowed, applying only when data "directly revealed" sensitive information, stepping back from the current inference-based approach. Two new derogations for processing special category data would also be introduced: one for AI development and operation (with safeguards), and one for on-device biometrics used for proving ID under the user's sole control.
A controversial new provision would confirm that processing personal data to train AI models is a legitimate interest, provided that a justification and balancing test is conducted.
On data collection, controllers may not be required to provide a privacy notice if there are reasonable grounds to believe the data subject already knows the controller's identity and the purpose of processing, although this exemption is limited to low-risk processing.
Finally, the proposals signal a more subjective approach to defining personal data, under which data would be considered personal only in the hands of the current holder if that entity can reasonably identify the data subject.
In a detailed post responding to the news, privacy activist and chair of NOYB, Max Schrems, said: "This would be a massive downgrading of Europeans' privacy ten years after the GDPR was adopted." He went on to say that: "One part of the EU Commission seems to try overrunning everyone else in Brussels, disregarding rules on good lawmaking, with potentially terrible results. It is very concerning to see Trump'ian lawmaking practices taking hold in Brussels."
A separate statement by Johnny Ryan at the Irish Council for Civil Liberties (ICCL) said that the "cuts to the GDPR would aid U.S. and Chinese tech giants and hurt Europe's innovators."
In an open letter to Commission officials, the European Digital Rights group, along with 127 civil society organisations, including NOYB and the ICCL, raised concerns about the proposed digital simplification package. The letter calls the proposals "an attempt to covertly dismantle Europe's strongest protections against digital threats."