{"id":5728,"date":"2025-11-10T12:27:58","date_gmt":"2025-11-10T12:27:58","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5728"},"modified":"2025-11-10T12:27:58","modified_gmt":"2025-11-10T12:27:58","slug":"european-commission-moves-to-loosen-gdpr-for-ai-and-cookie-tracking","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5728","title":{"rendered":"European Commission moves to loosen GDPR for AI and cookie tracking"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The European Commission is preparing sweeping revisions to the General Data Protection Regulation (GDPR) that could redefine how enterprises handle personal data \u2014 from cookie tracking to AI model training \u2014 in what privacy advocates warn could weaken the EU\u2019s privacy framework.<\/p>\n<p>According to a leaked draft reported by German advocacy group\u00a0<a href=\"https:\/\/netzpolitik.org\/2025\/digitaler-omnibus-eu-kommission-will-datenschutzgrundverordnung-und-ki-regulierung-schleifen\/\">Netzpolitik.org<\/a>, the Commission\u2019s upcoming \u201cDigital Omnibus\u201d package would end the requirement for websites to seek explicit consent before setting tracking cookies and explicitly permit AI training on personal data when justified by companies\u2019 \u201clegitimate interests.\u201d<\/p>\n<p>The proposal is expected to be formally unveiled on November 19.<\/p>\n<h2 class=\"wp-block-heading\">Cookies move under GDPR<\/h2>\n<p>The draft would introduce Article 88a into the GDPR to cover the \u201cprocessing of personal data on and from terminal equipment,\u201d effectively moving cookie regulation from the ePrivacy Directive to the GDPR itself.<\/p>\n<p>Currently, Article 5(3) of the ePrivacy Directive requires websites to obtain explicit consent before storing 
or accessing non-essential cookies on users\u2019 devices. The Commission argued this has led to legal uncertainty and \u201chigher compliance costs\u201d due to overlapping oversight by national authorities.<\/p>\n<p>Under the proposed change, websites could process data collected through cookies based on a \u201cclosed list of low-risk purposes\u201d or on any legal basis under GDPR, including legitimate interest. That would mark a major shift from opt-in to opt-out tracking.<\/p>\n<p>Instead of asking users for permission upfront, companies could track them by default \u2014 leaving individuals to object afterward.<\/p>\n<p>\u201cWhile consent is required to ensure data subjects\u2019 control, it is not always the most appropriate legal basis for subsequent processing,\u201d\u00a0<a href=\"https:\/\/cdn.netzpolitik.org\/wp-upload\/2025\/11\/EU-Kommission-Digital-Omnibus-A-Data-Act-und-DSGVO.pdf\" target=\"_blank\" rel=\"noopener\">the draft said<\/a>. \u201cMoreover, the dual regime of ePrivacy and General Data Protection Regulation led to different national authorities being competent to supervise the rules of the two legal frameworks.\u201d<\/p>\n<p>Privacy groups said the Commission is using \u201ccookie fatigue\u201d as a pretext to dilute privacy standards.<\/p>\n<p>\u201cThe GDPR, the ePrivacy framework and the AI Act are not obstacles to innovation \u2014 they are the foundation of Europe\u2019s human-centric digital model,\u201d\u00a0<a href=\"https:\/\/edri.org\/our-work\/consultation-response-to-the-european-commissions-call-for-evidence-on-the-digital-omnibus\/\" target=\"_blank\" rel=\"noopener\">European Digital Rights (EDRi)<\/a>\u00a0wrote in an October blog. 
\u201cYet, under the pretext of coherence, the Commission seems prepared to weaken ePrivacy protections.\u201d<\/p>\n<p>The draft also outlined Article 88b, which would require browsers or operating systems to transmit user consent preferences automatically once technical standards are defined, potentially phasing out the current wave of cookie banners.<\/p>\n<p>There\u2019s a carve-out for media companies, though. News organizations could continue requiring explicit consent, which the Commission justified as protecting journalism\u2019s \u201ceconomic basis.\u201d<\/p>\n<h2 class=\"wp-block-heading\">AI training gets green light<\/h2>\n<p>The proposal directly addressed one of the most contentious issues in EU privacy law: whether companies can train AI systems using personal data.<\/p>\n<p>The draft stated that AI training, testing, and validation may be conducted under the GDPR\u2019s \u201clegitimate interest\u201d basis, as long as companies implement safeguards such as data minimization, transparency, and an unconditional right to object.<\/p>\n<p>\u201cProcessing of personal data for AI training may therefore be carried out for purposes of a legitimate interest,\u201d the draft said, adding that developers must ensure the training is \u201cbeneficial for the data subject and society at large.\u201d<\/p>\n<p>The Commission cited the need to detect bias and ensure accurate model outputs as examples of \u201cbeneficial\u201d purposes.<\/p>\n<p>However, privacy lawyers said invoking legitimate interest for AI processing could open the door to large-scale data mining without individual consent, something GDPR was originally designed to prevent.<\/p>\n<p>The draft would also introduce a limited exemption for special category (sensitive) data that inadvertently appears in AI datasets. 
 If removing such data would require \u201cdisproportionate effort,\u201d companies could retain it under protective measures preventing its use or disclosure.<\/p>\n<h2 class=\"wp-block-heading\">Sensitive data protections narrowed<\/h2>\n<p>In another controversial shift, the proposal would narrow the definition of sensitive data under Article 9 of the GDPR. Stronger protections would apply only when information directly reveals characteristics like race, religion, or health, excluding data that only implies those traits through analysis or inference.<\/p>\n<p>\u201cFor most types of personal data listed in Article 9(1), there are no such significant risks where the data are not inherently sensitive,\u201d the draft said.<\/p>\n<p>Critics warn this could allow companies to infer protected characteristics, such as sexual orientation or political opinions, from seemingly neutral data without triggering higher legal protections.<\/p>\n<p>The\u00a0<a href=\"https:\/\/www.europeanlawinstitute.eu\/fileadmin\/user_upload\/p_eli\/Publications\/ELI_Response_-_Simpler__fairer__more_effective.pdf\" target=\"_blank\" rel=\"noopener\">European Law Institute<\/a>\u00a0acknowledged in its October 14 feedback that limited GDPR updates may be necessary, but cautioned that \u201cimprovements must not come at the expense of fundamental rights protection.\u201d<\/p>\n<p>The proposed changes could significantly alter corporate data governance across Europe. 
Companies would no longer need consent management systems for most tracking cookies, but would have to maintain detailed documentation to justify processing under \u201clegitimate interest.\u201d<\/p>\n<p>The European Digital Rights network criticized the consultation as \u201cexclusion by design\u201d with \u201cextraordinarily short\u201d timelines and reality checks focused \u201calmost exclusively on industry voices.\u201d<\/p>\n<p>The Commission did not immediately respond to a request for comment.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The European Commission is preparing sweeping revisions to the General Data Protection Regulation (GDPR) that could redefine how enterprises handle personal data \u2014 from cookie tracking to AI model training \u2014 in what privacy advocates warn could weaken the EU\u2019s privacy framework. According to a leaked draft reported by German advocacy group\u00a0Netzpolitik.org, the Commission\u2019s upcoming 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5729,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5728","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5728"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5728"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5728\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5729"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5728"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5728"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5728"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}