European Commission moves to loosen GDPR for AI and cookie tracking

The European Commission is preparing sweeping revisions to the General Data Protection Regulation (GDPR) that could redefine how enterprises handle personal data — from cookie tracking to AI model training — in what privacy advocates warn could weaken the EU’s privacy framework.

According to a leaked draft reported by German advocacy group Netzpolitik.org, the Commission’s upcoming “Digital Omnibus” package would end the requirement for websites to seek explicit consent before setting tracking cookies and explicitly permit AI training on personal data when justified by companies’ “legitimate interests.”

The proposal is expected to be formally unveiled on November 19.

Cookies move under GDPR

The draft would introduce Article 88a into the GDPR to cover the “processing of personal data on and from terminal equipment,” effectively moving cookie regulation from the ePrivacy Directive to the GDPR itself.

Currently, Article 5(3) of the ePrivacy Directive requires websites to obtain explicit consent before storing or accessing non-essential cookies on users’ devices. The Commission argued this has led to legal uncertainty and “higher compliance costs” due to overlapping oversight by national authorities.

Under the proposed change, websites could process data collected through cookies based on a “closed list of low-risk purposes” or on any legal basis under GDPR, including legitimate interest. That would mark a major shift from opt-in to opt-out tracking.

Instead of asking users for permission upfront, companies could track them by default — leaving individuals to object afterward.

“While consent is required to ensure data subjects’ control, it is not always the most appropriate legal basis for subsequent processing,” the draft said. “Moreover, the dual regime of ePrivacy and General Data Protection Regulation led to different national authorities being competent to supervise the rules of the two legal frameworks.”

Privacy groups said the Commission is using “cookie fatigue” as a pretext to dilute privacy standards.

“The GDPR, the ePrivacy framework and the AI Act are not obstacles to innovation — they are the foundation of Europe’s human-centric digital model,” European Digital Rights (EDRi) wrote in an October blog. “Yet, under the pretext of coherence, the Commission seems prepared to weaken ePrivacy protections.”

The draft also outlined Article 88b, which would require browsers or operating systems to transmit user consent preferences automatically once technical standards are defined, potentially phasing out the current wave of cookie banners.

There’s a carve-out for media companies, though. News organizations could continue requiring explicit consent, which the Commission justified as protecting journalism’s “economic basis.”

AI training gets green light

The proposal directly addressed one of the most contentious issues in EU privacy law: whether companies can train AI systems using personal data.

The draft stated that AI training, testing, and validation may be conducted under the GDPR’s “legitimate interest” basis, as long as companies implement safeguards such as data minimization, transparency, and an unconditional right to object.

“Processing of personal data for AI training may therefore be carried out for purposes of a legitimate interest,” the draft said, adding that developers must ensure the training is “beneficial for the data subject and society at large.”

The Commission cited the need to detect bias and ensure accurate model outputs as examples of “beneficial” purposes.

However, privacy lawyers said invoking legitimate interest for AI processing could open the door to large-scale data mining without individual consent, something GDPR was originally designed to prevent.

The draft would also introduce a limited exemption for special category (sensitive) data that inadvertently appears in AI datasets. If removing such data would require “disproportionate effort,” companies could retain it under protective measures preventing its use or disclosure.

Sensitive data protections narrowed

In another controversial shift, the proposal would narrow the definition of sensitive data under Article 9 of the GDPR. Stronger protections would apply only when information directly reveals characteristics like race, religion, or health, excluding data that only implies those traits through analysis or inference.

“For most types of personal data listed in Article 9(1), there are no such significant risks where the data are not inherently sensitive,” the draft said.

Critics warn this could allow companies to infer protected characteristics—such as sexual orientation or political opinions—from seemingly neutral data without triggering higher legal protections.

The European Law Institute acknowledged in its October 14 feedback that limited GDPR updates may be necessary, but cautioned that “improvements must not come at the expense of fundamental rights protection.”

The proposed changes could significantly alter corporate data governance across Europe. Companies would no longer need consent management systems for most tracking cookies, but would have to maintain detailed documentation to justify processing under “legitimate interest.”

The European Digital Rights network criticized the consultation as “exclusion by design” with “extraordinarily short” timelines and reality checks focused “almost exclusively on industry voices.”

The Commission did not immediately respond to a request for comment.
