After years of staring down the world’s biggest tech companies and setting the bar for tough regulation worldwide, Europe has blinked. Under intense pressure from industry and the US government, Brussels is stripping protections from its flagship General Data Protection Regulation (GDPR) — including simplifying its infamous cookie permission pop-ups — and relaxing or delaying landmark AI rules in an effort to cut red tape and revive sluggish economic growth.
The changes, proposed by the European Commission, the bloc’s executive branch, changes core elements of the GDPR, making it easier for companies to share anonymized and pseudonymized personal datasets. They would allow AI companies to legally use personal data to train AI models, so long as that training complies with other GDPR requirements.
The proposal also waters down a key part of Europe’s sweeping artificial intelligence rules, the AI Act, which came into force in 2024 but had many elements that would only come into effect later. The change extends the grace period for rules governing high-risk AI systems that pose “serious risks” to health, safety, or fundamental rights, which were due to come into effect next summer. The rules will now only apply once it’s confirmed that “the needed standards and support tools are available” to AI companies.
One change that’s likely to please almost everyone is a reduction in Europe’s ubiquitous cookie banners and pop-ups. Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.
Other amendments in the new Digital Omnibus include simplified AI documentation requirements for smaller companies, a unified interface for companies to report cybersecurity incidents, and centralizing oversight of AI into the bloc’s AI Office.
“This is being done in the European way.”
“We have all the ingredients in the EU to succeed. But our companies, especially our start-ups and small businesses, are often held back by layers of rigid rules,” said Henna Virkkunen, executive vice-president for tech sovereignty at the European Commission. “By cutting red tape, simplifying EU laws, opening access to data and introducing a common European Business Wallet we are giving space for innovation to happen and to be marketed in Europe. This is being done in the European way: by making sure that fundamental rights of users remain fully protected.”
The proposal now heads to the European Parliament and the EU’s 27 member states — where it will need a qualified majority — for approval, a process that could drag on for months and potentially introduce significant changes.
The proposed overhaul won’t land quietly in Brussels, and if the development of the GDPR and AI Act are anything to go by, a political and lobbying firestorm is on its way. The GDPR is a cornerstone of Europe’s tech strategy and as close to sacred as a policy can be. Leaked drafts have already provoked outrage among civil rights groups and politicians, who have accused the Commission of weakening fundamental safeguards and bowing to pressure from Big Tech.
The decision follows months of intense pressure from Big Tech and Donald Trump — as well as high-profile internal figures like ex-Italian prime minister and former head of the European Central Bank Mario Draghi — urging the bloc to weaken burdensome tech regulation. The Commission has sought to frame the changes as simplifying the EU’s tech laws, not weakening them – a way of soothing growing fears in Brussels that its tough rules are hampering its ability to compete globally. With very few exceptions, Europe doesn’t have any credible competitors in the global AI race, which is dominated by US and Chinese companies like DeepSeek, Google, and OpenAI.