A “digital omnibus” package would carve out new exceptions within the GDPR that make it easier for companies to collect and process personal data for AI development and deployment.
The European Union is preparing to make sweeping changes to its flagship data protection framework, the General Data Protection Regulation (GDPR), in an effort to strengthen its position in the global race for artificial intelligence.
According to draft proposals seen by POLITICO, the European Commission’s forthcoming “digital omnibus” package would carve out new exceptions within the GDPR that make it easier for companies to collect and process personal data — including sensitive information — for AI development and deployment.
The Commission has framed the initiative as a simplification exercise, claiming that only unnecessary legal complexity will be removed. However, privacy advocates and lawmakers warn the plans could dismantle fundamental data rights enshrined in EU law.
“Is this the end of data protection and privacy as we have signed it into the EU treaty and fundamental rights charter?” asked German politician Jan Philipp Albrecht, one of the original architects of the GDPR. “The Commission should be fully aware that this is undermining European standards dramatically.”
Brussels’ renewed focus on deregulation reflects deep concern over Europe’s fading economic competitiveness. Former Italian Prime Minister Mario Draghi explicitly cited the GDPR as a constraint on innovation in his 2024 report on European competitiveness, arguing that rigid privacy rules were holding back AI research and commercial deployment.
EU policymakers now appear determined to close the gap with the US and China, where looser data laws have helped fuel rapid AI expansion.
The move follows years of tension between European privacy regulators and US tech giants. Meta, Google, X, and LinkedIn have all faced investigations or delays in launching AI features in Europe after interventions by national watchdogs. Italy’s regulator even temporarily blocked ChatGPT and Chinese-developed DeepSeek over privacy violations.
By contrast, these same firms have advanced unimpeded elsewhere — a contrast that EU leaders see as evidence of self-imposed regulatory disadvantage.
The GDPR, which came into effect in 2018, is widely regarded as a cornerstone of global data protection. Its original drafting from 2012 to 2016 triggered one of the most intense lobbying battles in EU history.
Officials had long resisted re-opening the text, aware that doing so would reignite industry pressure. Yet the digital omnibus proposal appears poised to do exactly that.
The Commission is “secretly trying to overrun everyone else in Brussels,” said Max Schrems, founder of Austrian privacy group Noyb, whose legal campaigns helped overturn multiple EU-US data transfer frameworks. “This disregards every rule on good lawmaking, with terrible results,” he added.
Civil society groups argue that the speed of the process — with public consultation closing only in October — and the lack of impact assessments show an alarming rush to please industry. Schrems described the Commission’s approach as a “poorly drafted ‘quick shot’ in a highly complex and sensitive area.”
The leaked draft reveals several key modifications. Among them are provisions that would:
Privacy experts warn these changes could fundamentally weaken safeguards that have been central to Europe’s data rights framework for nearly a decade. Critics say that once pseudonymized or sensitive data is released into AI training systems, it becomes effectively impossible to control or retrieve, exposing individuals to potential misuse and profiling.
The Commission is expected to officially present its digital omnibus package on November 19, but the proposals already face fierce opposition from several member states.
Documents reviewed by POLITICO show that Estonia, France, Austria, and Slovenia are firmly against reopening the GDPR. Germany — traditionally one of Europe’s strongest defenders of privacy — has surprisingly aligned with those calling for reform to support AI development.
In the European Parliament, reactions are mixed. Czech Greens lawmaker Markéta Gregorová said she is “surprised and concerned” that the GDPR is being reopened, warning that Europeans’ fundamental rights “must carry more weight than financial interests.”
Others, however, see an opportunity for modernization. Finnish center-right MEP Aura Salla, formerly head of Meta’s Brussels lobbying office, said she would “warmly” welcome the changes “if done correctly,” arguing they could bring legal certainty for AI companies.
Salla emphasized that the Commission will have to “ensure it is European researchers and companies, not just third country giants that gain a competitive edge from our own rules.”
Whether the digital omnibus succeeds or fails, the proposal marks a defining moment for European digital policy. The EU has long prided itself on setting global standards for privacy through the GDPR, exporting its model to jurisdictions around the world.
By reopening the law, Brussels risks undermining that legacy — and, critics say, its moral authority to advocate for data rights internationally.
Datamation is the leading industry resource for B2B data professionals and technology buyers. Datamation's focus is on providing insight into the latest trends and innovation in AI, data security, big data, and more, along with in-depth product recommendations and comparisons. More than 1.7M users gain insight and guidance from Datamation every year.
Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved
Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.
