Brussels proposes sweeping GDPR changes to benefit AI developers

The European Commission plans to introduce substantial amendments to the General Data Protection Regulation through a digital omnibus package scheduled for November 19, 2025, according to draft documents obtained by POLITICO. The proposed changes would create new legal pathways for artificial intelligence developers to process personal data, marking a significant departure from the privacy-first approach that has defined European technology policy since 2018.

Draft proposals show Brussels officials preparing to allow AI companies to legally process special categories of personal data—including religious beliefs, political affiliations, ethnicity, and health information—specifically for training and operating artificial intelligence systems. The Commission also plans to redefine what constitutes personal data under the regulation, potentially excluding pseudonymized information from GDPR protections in certain circumstances. These changes reflect a recent ruling from the EU's Court of Justice.

According to the draft documents, the Commission will reform cookie banner rules by inserting provisions into the GDPR that would give website and app operators additional legal grounds for tracking users beyond obtaining consent. The package arrives as European officials express concern about the continent's declining economic competitiveness, particularly in artificial intelligence development where American and Chinese companies have established substantial leads.

Former Italian Prime Minister Mario Draghi identified the General Data Protection Regulation as an obstacle to European AI innovation in his competitiveness report released in 2024. The landmark report specifically called out privacy regulations for hampering Europe's ability to compete in artificial intelligence development.

The proposed amendments would establish that processing personal data for "development and operation of AI models and systems" constitutes legitimate interest under Article 6(1)(f) GDPR, except where other EU or national laws explicitly require consent. This provision would apply to AI systems as defined in the AI Act, encompassing automated processing activities beyond traditional machine learning models.

"Is this the end of data protection and privacy as we have signed it into the EU treaty and fundamental rights charter?" said Jan Philipp Albrecht, a former European Parliament member who served as one of the chief architects of the GDPR, according to POLITICO. "The Commission should be fully aware that this is undermining European standards dramatically."

Privacy advocates argue the Commission's approach circumvents established legislative procedures. Max Schrems, founder of Austrian privacy organization Noyb, said the Commission is "secretly trying to overrun everyone else in Brussels," according to POLITICO. "This disregards every rule on good lawmaking, with terrible results."

The draft proposal shows officials planning to create exceptions allowing AI companies to process special categories of data that currently receive enhanced protections under privacy rules. The Commission also intends to reframe the definition of such special category data, potentially narrowing the scope of information subject to the strictest regulatory requirements.

Public consultation on the digital omnibus concluded in October 2025. The Commission has not prepared impact assessments to accompany its proposals, stating the changes represent targeted technical modifications rather than fundamental policy shifts. Privacy campaigners dispute this characterization, arguing the amendments would fundamentally alter how organizations can collect and use personal data.

European privacy regulators have intervened in multiple AI deployment attempts in recent years. Meta, X, and LinkedIn all delayed artificial intelligence application rollouts in Europe after interventions by the Irish Data Protection Commission. Google faced inquiries from the same regulator and previously paused its Bard chatbot release. Italy's data protection authority imposed temporary blocks on OpenAI's ChatGPT and Chinese DeepSeek over privacy concerns.

Those technology companies have proceeded with AI deployments in the United States, which lacks comprehensive federal privacy legislation comparable to the GDPR. The regulatory disparity has fueled arguments that European privacy rules place local companies at a competitive disadvantage against American and Asian rivals operating with fewer restrictions.

Documents seen by POLITICO indicate that Estonia, France, Austria, and Slovenia firmly oppose rewriting the General Data Protection Regulation. Germany, traditionally among Europe's most privacy-conscious nations, now pushes for substantial changes to support AI development. The divergent positions suggest difficult negotiations ahead as member states and lawmakers debate the proposals.

Finnish center-right lawmaker Aura Salla, who previously led Meta's Brussels lobbying office, said she would "warmly" welcome the proposal "if done correctly," according to POLITICO. Salla emphasized that the Commission must "ensure it is European researchers and companies, not just third country giants that gain a competitive edge from our own rules."

Czech Greens lawmaker Markéta Gregorová expressed concern about reopening the privacy regulation. She warned that Europeans' fundamental rights "must carry more weight than financial interests," according to POLITICO.

The European Commission's earlier proposal for major GDPR changes revealed plans to narrow the definition of personal data under Article 4(1) by introducing a subjective "relativity" approach based on controllers' reasonable means of identification. Privacy organization Noyb warned the narrower definition could eliminate protections for inferred sensitive data commonly used in online advertising and automated decision-making.

The Commission's draft would regulate processing of personal data "on or from terminal equipment" under GDPR rather than the ePrivacy Directive. Such processing would require consent unless necessary for transmission, explicitly requested services, audience measurement by service controllers, or security maintenance. These provisions would affect how publishers and advertisers implement tracking technologies across websites and mobile applications.

Article 33 amendments would require breach notification only for incidents "likely to result in a high risk to the rights and freedoms of natural persons," aligning with Article 34's data subject notification threshold. Current requirements cover breaches "unlikely to result in a risk," establishing a substantially lower bar for supervisory authority notification. The draft extends notification timeframes from 72 to 96 hours and introduces a single-entry point through the NIS2 Directive infrastructure.

Research has established that large language models themselves qualify as personal data under European privacy law, creating additional compliance obligations for companies developing AI systems. The University of Tübingen study published in June 2025 demonstrated that LLMs memorize training data to varying degrees, meaning personal information persists within model parameters beyond initial processing.

Multiple European data protection authorities have published guidance on AI development under existing GDPR frameworks. French regulator CNIL finalized recommendations for AI system development in July 2025, establishing concrete compliance requirements affecting programmatic advertising platforms utilizing machine learning for audience targeting. German data protection authorities issued guidelines on AI and privacy in May 2024, prioritizing transparency and data minimization throughout system development.

The General Data Protection Regulation's initial drafting between 2012 and 2016 triggered one of Brussels' largest lobbying campaigns. Since taking effect in 2018, EU officials have avoided amending the regulation, recognizing that reopening the text would reignite intense lobbying battles. The Commission's decision to pursue substantial modifications through the digital omnibus package represents a strategic shift in approach.

For the marketing industry, the proposed changes carry significant implications across advertising technology, measurement systems, and customer data platforms. Cookie consent requirements have intensified throughout 2025, with Microsoft Clarity enforcing final deadlines on October 31 and Google implementing consent signal requirements for advertising products in July. The Commission's proposal to expand legal bases for data processing beyond consent could fundamentally reshape how marketing technologies operate in European markets.

German courts have clarified cookie banner compliance requirements, establishing strict limitations on automated data collection during website loading processes. Publishers cannot deploy tracking technologies that activate before obtaining proper user authorization, affecting analytics platforms, advertising attribution systems, and personalization engines. The Commission's proposed amendments would potentially alter this landscape by expanding legitimate interest justifications for certain processing activities.

The proposal arrives as digital advertising faces mounting pressure from privacy enforcement across multiple jurisdictions. Seventy percent of European citizens express concern about technology company data control, according to industry research. Compliance requirements accelerate transitions toward privacy-enhanced advertising approaches, with Gartner forecasting that 75 percent of the global population will be covered by data privacy regulations by 2026.

The Commission has scheduled the digital omnibus package unveiling for November 19, 2025. Following official presentation, proposals must secure approval from EU member states and lawmakers before taking effect. The divergent positions among member states and parliamentary groups suggest extended negotiations before any changes become law.

Timeline

• 2012-2016: General Data Protection Regulation undergoes initial drafting
• May 2018: GDPR takes effect across European Union
• May 6, 2024: German Data Protection Authorities publish first AI guidelines
• September 2024: Mario Draghi releases competitiveness report identifying GDPR as barrier to AI innovation
• December 18, 2024: European Data Protection Board clarifies privacy rules for AI models
• May 23, 2025: Dutch Data Protection Authority releases GDPR preconditions consultation for generative AI
• May 30, 2025: German court clarifies cookie banner compliance requirements
• June 18, 2025: Research establishes that large language models qualify as personal data
• July 26, 2025: French CNIL finalizes AI development recommendations under GDPR
• August 17, 2025: German court confirms Meta AI training includes children's data
• September 1, 2025: France fines Google €325 million for Gmail ads and cookie violations
• September 16, 2025: Former ECB chief demands GDPR cuts and AI Act pause at Brussels conference
• September 29, 2025: Privacy group files complaint against AI surveillance service
• October 2025: Public consultation on digital omnibus concludes
• November 10, 2025: POLITICO obtains draft documents showing Commission's GDPR amendment plans
• November 19, 2025: European Commission scheduled to unveil digital omnibus package

Summary

Who: The European Commission is proposing GDPR amendments affecting AI developers, privacy advocates including Max Schrems and Jan Philipp Albrecht, technology companies operating in Europe, and EU member states with divergent positions on privacy regulation changes.

What: The Commission plans substantial amendments to the General Data Protection Regulation allowing AI companies to process personal data including special categories under legitimate interest provisions, redefining personal data to potentially exclude pseudonymized information, and reforming cookie banner rules to expand legal grounds for tracking beyond consent requirements.

When: Draft documents emerged on November 10, 2025, with official unveiling scheduled for November 19, 2025, following a public consultation period that concluded in October 2025.

Where: The proposals originate from Brussels and would affect all 27 European Union member states, though implementation faces opposition from Estonia, France, Austria, and Slovenia while Germany pushes for changes, creating divergent regulatory positions across the continent.

Why: European officials seek to address the continent's declining economic competitiveness in artificial intelligence development, responding to former Prime Minister Mario Draghi's 2024 report identifying GDPR as an obstacle to innovation while privacy campaigners argue the changes undermine fundamental rights established in EU treaties.