EU Proposes Major Reforms to GDPR and AI Act

In what analysts are calling the most significant pivot in European digital policy since the introduction of the GDPR in 2018, the European Commission has officially unveiled the Digital Omnibus Package.

Announced on Wednesday, November 19, this sprawling legislative proposal aims to harmonize and, crucially, simplify the chaotic web of digital regulations that has enveloped the continent over the last decade. Combined with the Council of the EU’s final adoption of the GDPR Procedural Regulation on November 17, Brussels is sending a stark message: The era of “regulation at all costs” is over; the era of “competitiveness” has begun.

This is no longer just about privacy. It is a frantic attempt to ensure Europe does not become a digital museum in the age of AI.

Executive Summary: What Changed This Week?

• The Core Shift: The Commission is proposing to lower GDPR barriers for AI development, specifically allowing “legitimate interest” to replace “user consent” for training data.

• The Speed: New procedural rules (finalized Nov 17) impose a 15-month hard deadline on cross-border investigations, aiming to end the years-long delays in cases against Big Tech.

• The Relief: A proposal to abolish cookie banners for low-risk activities and streamline reporting for data breaches (moving from 72 to 96 hours).

• The Goal: To implement the recommendations of the Mario Draghi Report, which warned that Europe is facing an “existential challenge” due to low productivity and over-regulation.

1. The “Draghi Effect”: Why Now?

To understand this regulatory U-turn, one must look at the economic backdrop. In September 2024, former ECB President Mario Draghi published a landmark report on European competitiveness. His diagnosis was brutal: Europe is stuck in a “static industrial structure,” missing the AI revolution because its companies are paralyzed by inconsistent rules.

The Digital Omnibus Package is the direct legislative answer to Draghi’s warning.

“The Commission has realized that you cannot have digital sovereignty without digital companies,” explains Dr. Thomas Webber, a regulatory analyst at the Bruegel think tank. “We have created the world’s strictest rules, but we have no European Google or OpenAI to show for it. This Omnibus is an attempt to clear the brush so European startups can actually grow.”

Key Statistic: According to Commission data cited in the proposal, European SMEs currently spend an estimated €5,000 to €15,000 annually just on basic GDPR compliance—funds that could otherwise be spent on R&D.

2. The AI “Legitimate Interest” Clause: A Game Changer

The most explosive part of the Omnibus is the proposed amendment to Article 6 of the GDPR regarding Artificial Intelligence training.

Currently, companies training Large Language Models (LLMs) exist in a legal gray zone. Do they need to ask every user for consent to use their public posts for training? The new proposal suggests a radical clarification: Training AI models is a “legitimate interest.”

How it works:

• No Opt-In Required: Companies would not need explicit consent to process data for model training, provided the data is not “sensitive” (e.g., health or biometric data).

• Safeguards: Companies must implement “appropriate safeguards,” such as pseudonymization (replacing names with codes) and allowing users a simple way to opt-out after the fact.

• The Impact: This aligns EU law more closely with the US concept of “Fair Use,” potentially allowing European AI labs (like France’s Mistral AI or Germany’s Aleph Alpha) to scrape data at the speed of their Silicon Valley rivals.

“This removes the Sword of Damocles hanging over European AI. Until now, every European AI startup was technically breaking the law just by training their models. This proposal legalizes reality.”

— Cecilia Bonefeld-Dahl, Director General of DigitalEurope (Industry Association).

3. The End of “Consent Fatigue” (Cookie Banners)

Perhaps the most consumer-friendly aspect of the proposal is the attack on the hated “Cookie Banner.”

The Omnibus admits that the current system—where users are bombarded with pop-ups on every website—has failed. It proposes a shift toward “automated browser signals.”

• The New Vision: Instead of clicking “Accept” on every site, users would set their privacy preferences once in their browser or device settings (e.g., “Reject all tracking”).

• Legal Weight: Websites would be legally required to respect this signal without asking again.

• Exemptions: The proposal also removes the need for consent entirely for basic functionality, such as audience measurement (analytics) and security updates.

The Risk: Ad-tech companies are expected to lobby fiercely against this, arguing it destroys the “ad-funded internet” model.

4. The “GDPR 2.0” Procedural Rules (Adopted Nov 17)

While the Omnibus is a proposal for the future, the Council of the EU has already adopted the GDPR Procedural Regulation this week. This law addresses the enforcement mechanism itself.

Fixing the “Irish Bottleneck”

For years, the Irish Data Protection Commission (DPC) has been the lead regulator for Meta (Facebook/Instagram), Google, and Apple, because their EU HQs are in Dublin. Critics, including the German and French regulators, have accused Ireland of moving too slowly and being too soft to protect its corporate tax base.

The New Rules Fix This By:

1. Hard Deadlines: Investigations must now be concluded within 12 to 15 months. No more indefinite delays.

2. Early Consensus: The lead regulator (e.g., Ireland) must share its findings with other EU regulators early in the process. If they disagree, the European Data Protection Board (EDPB) steps in much faster to force a decision.

3. Common Case Files: Standardizing what evidence is required, so cases aren’t thrown out on technicalities.

5. Cheat Sheet: Before vs. After (Proposed)

For business leaders and compliance officers, here is how the landscape shifts if the Omnibus passes:

6. The Backlash: Selling Out Privacy?

The reception has not been universally positive. Privacy watchdogs view the “legitimate interest” expansion as a capitulation to Big Tech lobbying.

The “Noyb” Reaction

Max Schrems, the Austrian activist behind the noyb (None of Your Business) organization, issued a scathing critique. “The Commission is trying to fix the economy by selling our data,” Schrems stated. “Calling AI training a ‘legitimate interest’ effectively wipes out the user’s right to say no. You cannot opt-out of a model once your data is already inside the neural network. It is irreversible.”

Regulatory Friction

Even within the EU apparatus, there is tension. The European Data Protection Supervisor (EDPS) has previously warned that loosening definitions of “personal data” to help AI could violate the EU Charter of Fundamental Rights. A legal showdown in the European Court of Justice (CJEU) seems inevitable.

7. What to Watch Next

The Digital Omnibus is currently a legislative draft. It enters the “co-decision” process, where the European Parliament and the Council will amend it.

• The Timeline: Expect intense debate throughout 2026, with implementation likely not before 2027.

• The Battleground: The European Parliament, traditionally more pro-privacy than the Commission, may try to strip out the “legitimate interest” clause for AI.

• Immediate Action: However, the Procedural Regulation (adopted Nov 17) enters into force in 20 days. Businesses facing cross-border complaints should expect a sudden acceleration in enforcement actions starting early 2026.

Conclusion: A calculated Risk

The EU has long prided itself on being the world’s “regulatory superpower.” With the Digital Omnibus, it is attempting a difficult pivot: maintaining its high standards while admitting that those standards may have come at an economic cost.

For the first time, Brussels is saying that speed and innovation are valid regulatory goals alongside privacy. Whether this gamble creates a thriving European AI ecosystem—or simply erodes the rights of its citizens—will be the defining story of the next decade.