EU's reforms of GDPR, AI slated by privacy activists for 'playing into Big Tech’s hands'
- Reference: 1762871413
- News link: https://www.theregister.co.uk/2025/11/11/eu_leaked_gdpr_ai_reforms/
Max Schrems, founder of privacy group Noyb, [1]warned: "One part of the European Commission (EC) seems to try overrunning everyone else in Brussels, disregarding rules on good lawmaking, with potentially terrible results."
He compared the approach to Trump administration tactics, arguing the proposals masquerade as small business relief while actually benefiting tech and advertising giants.
As first reported by [3]MLex, the EC's proposed legislative changes are manifold, and in Noyb's view these would poke so many holes in existing rules as to "make [GDPR] overall unusable for most cases."
The EC is planning to introduce the "Digital Omnibus" package on November 19, introducing amendments to legislation covering AI regulation, cybersecurity, data protection, and privacy.
An overview of the [6]leaked proposals [PDF], shared by Noyb, details the ideas with the greatest potential impact on existing laws and regulations.
One of the proposed changes covers an amendment to the GDPR, which the privacy group claims would introduce a loophole that affords a company freer rein to use personal data for its commercial benefit.
The current [8]GDPR stipulates that even if personal data is tied to a pseudonymized user (ie, "John Doe" is changed to "User12345"), the data must still be treated as if it belongs to an identifiable, natural person, and data protection rules should still apply.
Under the new proposals, this stipulation would no longer be enforced, potentially allowing data controllers to be more lax with protecting users' personal data. "This could apply to almost all online tracking, online advertisement, and most data brokers," Noyb said.
The EC may also propose a "purposes limitation" on [10]data access rights, hindering an individual's right to access, correct, or delete the data an organization or company has on them.
Noyb's interpretation is that data controllers would have greater powers to reject data access requests. "This means that if an employee uses an access request in a labor dispute over unpaid hours – for example, to obtain a record of the hours they have worked – the employer could reject it as 'abusive.' The same would be true for journalists or researchers."
The proposals would also weaken GDPR's Article 9 protections for sensitive data. Protections covering sexual orientation, health status, and political views would only apply when the data is "directly revealed." Companies could infer this data from other sources without triggering protections.
Noyb warned this could enable employers to deduce pregnancies and terminate employees before legal protections attach, or discriminate based on inferred sexual orientation.
All of these measures are, in part, being framed by the EC as a means to alleviate the [11]administrative burden placed on small businesses, but Schrems instead labeled this a "side-show to get public support."
Whether these proposals do indeed attract the public support the EC will need for them to pass could have consequences for policymaking beyond Europe.
The current US administration has taken a more pro-innovation approach to regulating technology, such as AI, but it is not inconceivable that the way in which the EC's proposals are received later this month could later inform similar policy decisions – at least at state level – as they have done previously.
For example, the GDPR, introduced in 2018, inspired the landmark California Consumer Privacy Act (CCPA), which passed in the same year and became enforceable in 2020.
AI reforms
Big Tech and other EU companies have [12]lobbied the EU to weaken the AI Act since it passed and partially came into force last year.
Core to their arguments is that the regulations are too restrictive on innovation, and the reforms may give AI systems a special exemption, allowing them to process data that would otherwise require a legitimate legal basis.
According to Noyb's interpretation, "this would lead to a grotesque situation: If personal data is processed via a traditional database, Excel sheet or software, a company has to find a legal basis under Article 6(1) GDPR. However, if the same processing is done via an AI system, it can qualify as a 'legitimate interest' under Article 6(1)(f) GDPR."
The org adds: "This would privilege one (risky) technology over all other forms of data processing and be contrary to the 'tech neutral' approach of the GDPR."
The proposals additionally aim to introduce amendments that make it easier for data controllers to comply with data protection laws, while being allowed to use people's data to train their models.
Various protections are outlined in the leaked draft, such as the requirement for data minimization and safeguards to be implemented, although the document does not specify what safeguards mean in this context.
Noyb also said certain interpretations of the proposals could allow companies to gather more data from users' personal devices that could then be used to train Big Tech's [17]AI models.
Such data is currently protected by Article 5(3) of the GDPR, which is underpinned by Article 7 of the Charter of Fundamental Rights of the European Union – respect for private and family life, home, and communications.
A legitimate interest protection for gathering data related to "security purposes" and "aggregated information" could be interpreted broadly by AI companies if the EC does not apply strict definitions, potentially leading to excessive searches of data subjects' devices, the privacy campaigners argued. ®
[1] https://noyb.eu/en/eu-commission-about-wreck-core-principles-gdpr
[3] https://www.mlex.com/mlex/articles/2407305/eu-commission-eyes-codifying-legitimate-interest-as-legal-basis-for-ai-training
[6] https://noyb.eu/sites/default/files/2025-11/GDPR_Reform_Draft_Analysis_v2.pdf
[8] https://www.theregister.com/2025/01/13/data_broker_hacked/
[10] https://www.theregister.com/2019/09/24/eu_court_justice_right_to_be_forgotten_ruling/
[11] https://www.theregister.com/2022/05/16/brexit_data_law/
[12] https://www.theregister.com/2025/07/04/eu_businesses_push_for_freedom/
[17] https://www.theregister.com/2025/07/03/ai_models_potemkin_understanding/
Wrong priorities of GDPR
I observe GDPR violations on a daily basis. Conclusion: it typically does not work. Mostly because of missing expertise.
The actual challenge is IT security, not privacy. Most people had their data stolen multiple times already. GDPR does not help much.
The biggest negative side effect is enormous bureaucracy added to both business and gov sides. It costs taxpayers money, and companies to keep compliance departments. Law enforcement is overloaded or non scalable.
Reallocating resources from privacy (bureaucracy?) to security may lead to improvement of both.
Re: Wrong priorities of GDPR
The reason GDPR fails on privacy is because it has never been about privacy, it's about the lawful processing of personal data.
Too many people are running around in EU crying "we are losing the AI innovation!!!!!"
Some are true, albeit naive, and believe AI could be really useful.
Most of them are just dreaming of the boatloads of money they have been promised, and are willing to sell everything and everybody to make that dream come true.
Unluckily politicians also see in generative AI the perfect propaganda machine. And don't want to lose the opportunity to use it to their own advantage - and again are willing to sell everything and everybody (but themselves, of course) to ensure they keep their well paid seat.
Special exemption
So if I pirate games and all other media to "train AI" it's all fine right? Don't want to stifle innovation eh? Guess it's time to start my own company.
This torpedoes GDPR
It was supposed to be exactly what we needed to protect us (or at least those who have not had their European citizenship stolen from them) from the Trumpistani tech bros, but I have never heard of its being used to do that.
Instead it's just used to frighten people who run small websites and email lists,
>> ... and the reforms may give AI systems a special exemption, allowing them to process data that would otherwise require a legitimate legal basis.
Aww. We can't have the poor AI bros having to play by the law, can we?
What is it with people doffing their hat to the clothes-less emperor?
Under the new proposals, this stipulation would no longer be enforced...
...what, because it's enforced so reliably now? I don't think I've ever actually seen anyone take this seriously, or be properly punished for not doing so.
EU/EC decision making happens at such a glacial pace that the AI bubble will have burst, and several huge AI-related personal data scandals will have occurred long before any changes are ratified.
Whether that will make any difference to the ideologues who seem to think that AI will cure all known ills, bring world peace, and finally reveal the question to which the answer is 42, remains to be seen...