European Commission proposes reforms to simplify GDPR and reduce cookie pop-ups on websites.
New rules allow AI models to use personal data under “legitimate interest” with safeguards.
Digital rights groups warn the plan could weaken fundamental online privacy protections.
The European Commission on Wednesday unveiled a major reform of digital law aimed at easing some requirements of its data protection regulation, in a move intended to simplify online compliance and reduce the clutter of cookie consent banners, AFP reported.
Since its introduction in 2018, the General Data Protection Regulation (GDPR) has transformed how companies in the EU handle personal data, requiring greater transparency on collection and usage. Alongside GDPR, the ePrivacy directive has made cookies—trackers that monitor user behaviour for personalised advertising—subject to explicit consent, leading to repeated pop-ups across websites.
According to AFP, big tech companies have repeatedly argued that Europe’s data rules are too restrictive, especially with the rise of artificial intelligence. In practice, some firms have found ways to work within the rules; for instance, Meta, which owns Facebook and Instagram, announced in April that it would train AI models on user data unless users opted out.
The Commission says its proposals aim to simplify and clarify European digital law. “A regulatory solution on the consent fatigue and the proliferation of cookies banners is long overdue,” it said, adding that the reforms are intended to “stimulate opportunities for a vibrant business environment, creating more legal certainty and opportunities, in particular in sharing and re-using data, in processing personal data or training Artificial Intelligence systems and models.”
AFP reported that the most visible change would be a reduction in systematic cookie consent requests. Under the proposals, consent would be centralised within GDPR itself, allowing users to set their preferences directly in browsers or other applications, removing the need for repeated pop-ups on individual websites. However, news media companies would still be allowed to request consent directly, “considering the importance of online revenue streams for independent journalism.”
A key aspect of the reforms is a new legal basis for using personal data in AI training. Companies could invoke “legitimate interest” to feed AI models during training or testing, provided they do not override the “interests or fundamental rights and freedoms” of users. Other changes include easing the rules on personal data breach notifications: companies would report only when risks reach a higher threshold and would have more time to notify authorities.
The proposals have drawn sharp criticism from digital rights groups. AFP reported that Austrian association Noyb called the changes “a gift to US big tech as they open up many new loopholes for their law departments to exploit.” Last week, 127 European organisations warned in a letter to the Commission that “unless the European Commission changes course, this would be the biggest rollback of digital fundamental rights in EU history,” adding that GDPR remains one of the few laws that allow the public to challenge powerful companies or authorities when they overstep.
(With inputs from PTI)
