Under Pressure, EU Loosens Grip on Privacy and AI Rules

With input from the Verge, Reuters, and Bloomberg.

After years of playing tech sheriff to the world, the European Union is quietly easing off the trigger. Under heavy lobbying from Big Tech, US officials and its own business leaders, Brussels is moving to soften parts of its landmark privacy and AI laws — including those infamous cookie pop-ups — in the name of cutting red tape and boosting growth.

The changes, proposed by the European Commission, touch the core of two flagship laws: the General Data Protection Regulation (GDPR) and the AI Act.

The proposal would make it easier for companies to use and share data, especially for AI:

• Companies could share anonymized and pseudonymized personal data more freely.
• AI firms would be allowed to train models on personal data without asking for fresh consent, as long as they can justify it under “legitimate interest” and still respect other GDPR safeguards.
• The idea is to give European firms more access to the massive datasets needed for modern AI, without completely shredding privacy rules.

Critics, however, see the move as opening the door to much broader commercial use of people’s data — with less control and transparency for users.

Europe’s headline AI law, the AI Act, only fully kicked in this year, but key parts were due to start biting next summer — especially on so-called “high-risk” AI systems used in areas like healthcare, transport, policing and employment.

Brussels now wants to:

• Delay those high-risk rules by up to 16 months, until the “needed standards and support tools” for companies are in place.
• Exempt some systems from strict registration obligations if they’re only used for narrow or procedural tasks.
• Simplify paperwork and compliance requirements for smaller companies and startups.

The Commission is pitching this as making rules “simpler and more predictable” so innovators don’t suffocate under regulation before they even launch a product.

Privacy and civil rights groups see it very differently, calling it a major weakening of hard-won safeguards.

One change ordinary people will actually feel: fewer cookie pop-ups.

Under the new plan:

• “Non-risk” cookies — like those just counting basic site visits — wouldn’t need banners at all.
• People could set central privacy preferences in their browser, and websites would have to respect those choices for at least six months.
• Where banners remain, they’d be simplified to a clear yes/no, instead of dark-pattern riddled click mazes.

The Commission basically admits the current system is broken: users are so bombarded by pop-ups that they just click anything to get to content — which isn’t real consent.

The cookie and AI tweaks are part of a broader “Digital Omnibus” package aimed at smoothing out overlaps between the GDPR, AI Act, e-Privacy rules and the Data Act. Among other changes, the proposal would:

• Centralize AI oversight in the new EU AI Office.
• Simplify documentation for smaller AI firms.
• Create a single interface for reporting cybersecurity incidents.
• Introduce a “European Business Wallet” to digitize company interactions with public authorities.

“We have all the ingredients in the EU to succeed. But our companies, especially our start-ups and small businesses, are often held back by layers of rigid rules,” said Henna Virkkunen, the Commission’s executive vice-president for tech and “digital sovereignty.”

She insists this is being done “in the European way” — freeing up innovation while keeping “fundamental rights fully protected.”

Behind the technical language is a blunt political reality:

Europe is lagging badly in the global AI race.

With a few exceptions, the cutting-edge AI players are American and Chinese — think Google, OpenAI, DeepSeek and co. European leaders, from Mario Draghi to top business groups, have been warning that the bloc’s dense rulebook is choking its own tech sector.

At the same time, the Trump administration and US industry have spent years attacking EU rules as protectionist and anti-American. Big European corporates — Siemens, SAP and others — have joined US giants like Google and Meta in pushing for looser AI obligations and clearer, lighter rules.

The Commission’s message now: we’re streamlining, not surrendering.

Civil society groups are furious.

More than 120 NGOs and rights organizations have signed an open letter calling the package “the biggest rollback of digital fundamental rights in EU history.” Privacy group noyb and other campaigners say the changes gut key protections under GDPR and hollow out the AI Act before it’s even fully applied.

In Brussels, campaigners have rolled mobile billboards and posters around the EU district, urging Commission President Ursula von der Leyen to “stand up to Big Tech and the US President,” not cave to lobbying.

“It is disappointing to see the European Commission cave under the pressure of the Trump administration and Big Tech lobbies,” Dutch Green MEP Kim van Sparrentak said in a statement.

This is only a proposal for now.

• It now goes to the European Parliament and the 27 member states.
• It needs a qualified majority of governments and a deal with MEPs.
• That process could take months, and both sides can still rewrite big chunks of the text.

Given how bitter the original GDPR and AI Act battles were, Brussels is bracing for another bruising political and lobbying fight.

One thing is clear, though: after years of proudly setting the world’s toughest tech rules, the EU is openly recalibrating — trying to prove it can be both the world’s privacy cop and an AI powerhouse, without scaring off the very companies it wants to nurture. Whether it can pull off that balancing act is now the big question.