European Commission proposes major GDPR changes for AI and data processing

The proposed Digital Omnibus amendments would reshape personal data protection by narrowing sensitive data definitions, expanding AI training exemptions, and restricting data subject access rights.

EU bureaucrat frantically erasing GDPR protections while data subject chases demanding rights back

The European Commission is preparing substantial amendments to the General Data Protection Regulation through the Digital Omnibus initiative, according to internal draft documents circulated in November 2025. The proposed changes would fundamentally alter how organizations process personal data, particularly concerning artificial intelligence development and individual privacy rights enforcement.

According to the draft amendments, the Commission seeks to narrow the definition of personal data under Article 4(1) GDPR by introducing a subjective "relativity" approach based on a controller's reasonable means of identification. The proposal states that "information relating to a natural person is not necessarily personal data for every other person or entity, merely because another entity can identify that natural person."

This represents a significant departure from existing interpretations. The change attempts to codify elements from the Court of Justice of the European Union's C-413/23 P ruling in EDPS v. SRB, though legal experts suggest the proposed text extends beyond that judgment's scope.

Sensitive data protections face substantial limitations

The amendments would restrict Article 9 protections for special categories of personal data to information that "directly reveals in relation to a specific data subject" characteristics such as health status or sexual orientation. According to the draft recital 26, enhanced protection would only apply when processing creates "significant risks" and concerns "a specific person with certainty."

The proposal explicitly excludes information derived through "intellectual operation involving comparison, cross-referencing, collation or deduction" from Article 9 protections. This change contradicts recent CJEU rulings including C-101/01 Lindqvist, C-184/20 Vyriausioji tarnybinės etikos komisija, and C-21/23 Lindenapotheke, which established broader interpretations of sensitive data processing.

Privacy organization noyb's preliminary analysis warns that the narrower definition could eliminate protections for inferred sensitive data commonly used in online advertising and automated decision-making. The analysis notes that most targeted advertising relies on statistical inferences about user characteristics rather than explicit declarations, potentially removing such processing from enhanced protections.

AI training receives explicit legitimate interest basis

The draft introduces Article 88c, establishing that processing personal data for "development and operation of an AI system" may constitute a legitimate interest under Article 6(1)(f) GDPR. According to the proposal, such processing is permissible "except where such interests are overridden by the interests, or fundamental rights and freedoms of the data subject."

The provision would apply to AI systems as defined in the AI Act, encompassing a broad range of automated processing activities beyond traditional machine learning models. Connected recital 27 emphasizes that "trustworthy AI is key in providing for economic growth and supporting innovation with socially beneficial outcomes."

For special categories of personal data, the amendments add Article 9(2)(k), permitting sensitive data processing for AI development subject to "appropriate organizational and technical measures." According to the draft, controllers must implement measures to "avoid, to the greatest possible extent" collecting special categories of data, and remove such data when identified.

However, Germany has pushed for sweeping data protection simplification beyond the EU proposal, requesting even broader AI training exemptions in an October 2025 policy document. The German Federal Government emphasized examining "how regulatory frictions between GDPR and AIA could be reduced, how uncertainties about the legal basis for training AI and similar activities could be removed."

The proposed AI training provisions conflict with recent research published June 2025 establishing that large language models qualify as personal data. Researchers from the University of Tübingen demonstrated that LLMs memorize between 0.1 and 10 percent of training data verbatim, creating ongoing data protection obligations throughout the AI lifecycle.

Data subject access rights face new restrictions

Article 12(3) would add grounds for controllers to refuse or charge fees for data subject rights requests when individuals "exploit the rights conferred by this regulation for purposes other than the protection of their data." According to the amendment, controllers need only show "reasonable grounds to believe" a request is excessive, lowering the burden of proof from current requirements.

The draft recital 31 cites examples including requests designed to provoke refusals enabling subsequent damages claims, or requests where data subjects offer to withdraw them "in return for some form of benefit from the controller." The recital also characterizes "overly broad and undifferentiated requests" as excessive.

This change attempts to address Court of Justice rulings in C-307/22 (FT) and the pending C-526/24 Brillen Rottler case, which established that Article 15 access rights cannot be conditioned on requesters' motivations. The CJEU held that access rights constitute fundamental rights under Article 8 of the Charter, not merely ancillary provisions.

Privacy advocates warn the amendments could undermine access requests used for employment disputes, consumer litigation, and journalistic investigations. The European Data Protection Board's coordinated enforcement framework on access rights, published earlier in 2025, identified widespread controller non-compliance as the primary problem rather than abusive requests.

Terminal equipment processing split between regulations

The proposed Article 88a would regulate processing of personal data "on or from terminal equipment" under GDPR rather than the ePrivacy Directive. According to the amendments, such processing requires consent unless necessary for transmission, explicitly requested services, audience measurement by service controllers, or security maintenance.

The draft preserves Article 5(3) of the ePrivacy Directive for non-personal data only, creating a bifurcated regulatory framework. According to the proposed amendment, "this paragraph does not apply where personal data is processed on or from terminal equipment in accordance with Article 88a of Regulation (EU) 2016/679."

This split creates complex jurisdiction questions, as GDPR supervisory authorities would regulate personal data device access while telecommunications regulators handle non-personal data under existing ePrivacy rules. The change could paradoxically provide stronger protections for non-personal device information than for personal data.

Article 88b would require controllers to "ensure that their online interfaces are able to interpret the automated and machine-readable indications" for consent refusal and objections. The obligation would apply six months after harmonized standards publication, though the Commission retains authority to mandate browser and operating system providers to implement such features if market adoption proves insufficient.

Media service providers receive explicit exemption from automated consent signal requirements under proposed Article 88b(3), maintaining existing consent banner practices for news websites and streaming platforms.

Automated decision-making permissions expanded

The amendments replace Article 22's structure, changing from individual rights framing to permissible processing conditions. The revised text states decisions based solely on automated processing are allowed when "necessary for entering into, or performance of, a contract between the data subject and a data controller regardless of whether the decision could be taken otherwise than by solely automated means."

According to draft recital 33, this clarifies that "the fact that the decision could also be taken by a human does not prevent the controller from taking the decision by solely automated processing." The change eliminates requirements that automated processing be the only feasible method for contract performance.

The Working Party 29 guidelines on automated decision-making, issued under the original GDPR, established that controllers must demonstrate automated processing represents the least privacy-intrusive method necessary. The proposed amendments explicitly reject this interpretation, granting controllers discretion to choose automated processing regardless of alternative availability.

Data breach notification thresholds raised

Article 33 amendments would require notification only for breaches "likely to result in a high risk to the rights and freedoms of natural persons," aligning with Article 34's data subject notification threshold. The current rule requires notification of every breach unless it is "unlikely to result in a risk," a substantially lower bar for supervisory authority notification.

The draft extends notification timeframes from 72 to 96 hours and introduces a single-entry point through the NIS2 Directive infrastructure. According to the proposal, "until the establishment of the single-entry point pursuant to Article 23a of Directive (EU) 2022/2555, controllers shall continue to notify personal data breaches directly to the competent supervisory authority."

The European Data Protection Board would develop common breach notification templates, subject to Commission review and adoption through implementing acts. According to Article 33(7), templates require review every three years with Board assessment and possible updates.

Transparency obligations receive new exemptions

Article 13(4) would exempt controllers from providing privacy information where "personal data have been collected in the context of a clear and circumscribed relationship" with "a controller exercising an activity that is not data-intensive" and "reasonable grounds to assume" data subjects already possess required information.

The exemption would not apply where controllers transmit data to additional recipients, transfer data to third countries, conduct automated decision-making, or engage in high-risk processing requiring data protection impact assessments. According to draft recital 32, the provision targets situations like "the relationship between a craftsman and their clients" with "minimum data necessary to perform the service."

However, the broad language could apply to diverse commercial relationships beyond small-scale service providers. The provision lacks clear definitions for "data-intensive" activities or standards for assessing when "reasonable grounds" exist for assuming data subject knowledge.

Information obligations eliminated under Article 13(4) include legal basis specifications and legitimate interest details, which CJEU rulings in C-252/21 Bundeskartellamt require at data collection time. Data subjects could only obtain missing information through Article 15 access requests, shifting information provision burdens from controllers to individuals.

Impact assessment processes centralize at EU level

The amendments replace national supervisory authority responsibilities for maintaining data protection impact assessment lists with centralized European Data Protection Board processes. According to Article 35(4)-(6), the Board would prepare proposals for processing operation lists requiring assessments and exempted operations, subject to Commission review and adoption through implementing acts.

The Board would additionally develop common templates and methodologies for conducting assessments, replacing diverse national approaches with unified EU-level frameworks. Article 35(6c) provides that existing national lists "remain valid until the Commission adopts the implementing act."

The centralization aims to eliminate inconsistent national requirements that created compliance challenges for cross-border operations. However, the timeline for developing, adopting, and implementing centralized frameworks remains unspecified, potentially creating extended transitional periods.

Regulatory sandbox frameworks introduced

The draft adds optional supervisory authority tasks under Article 57(1)(w) to "set up regulatory sandboxes" offering controllers and processors opportunities to "test the compliance of specific techniques or technological solutions" with GDPR obligations. According to the proposal, sandboxes would provide "controlled framework[s]" for evaluating "whether the data processing results in data that would be exempt from this Regulation."

The provision remains marked "under discussion" in internal documents, indicating ongoing deliberation about appropriate sandbox scope, structure, and governance mechanisms. No specific parameters, eligibility criteria, or operational procedures appear in the draft text.

Sandbox concepts draw from financial services regulation, where controlled testing environments enable innovation assessment before full deployment. However, data protection sandboxes raise questions about how supervisory authorities would balance innovation facilitation against fundamental rights protection during experimental processing.

Timeline remains uncertain for implementation

The Digital Omnibus initiative represents the European Commission's broader simplification agenda, though specific adoption and implementation timelines for data protection amendments remain unclear. According to recent reporting on GDPR record-keeping relaxation, the European Data Protection Board and European Data Protection Supervisor issued Joint Opinion 01/2025 addressing preliminary Commission proposals dated May 21, 2025.

The EDPB-EDPS opinion expressed support for the "targeted initiative" while requesting "additional justification for expanded business eligibility criteria." European Data Protection Supervisor Wojciech Wiewiorowski stated the authorities support "reducing the administrative burden for SMEs and SMCs as long as this does not lower the protection of individuals' fundamental rights."

Former ECB chief Mario Draghi demanded GDPR cuts and an AI Act pause at a September 2025 Brussels conference, arguing that "legal uncertainty over [data] use creates costly delays, slowing deployment in Europe." Draghi's intervention signals growing political pressure for regulatory simplification beyond technical amendments.

The proposed changes would fundamentally reshape European data protection law seven years after GDPR's May 2018 implementation. Whether the amendments represent proportionate simplification or excessive deregulation remains subject to intense debate among privacy advocates, industry representatives, and regulatory authorities.

Summary

Who: The European Commission proposes amendments affecting data controllers, processors, AI developers, data subjects, and supervisory authorities across the European Union. Privacy organization noyb published preliminary analysis of internal draft documents, while the European Data Protection Board and European Data Protection Supervisor previously issued joint opinions on related simplification measures.

What: Draft amendments to the General Data Protection Regulation through the Digital Omnibus initiative would narrow personal data and sensitive data definitions, establish explicit legitimate interest basis for AI training, restrict data subject access rights, split terminal equipment processing between regulations, expand automated decision-making permissions, raise breach notification thresholds, create transparency exemptions, and centralize impact assessment processes.

When: Internal documents circulated in November 2025 show proposed amendments, though formal adoption and implementation timelines remain unspecified. Related Commission proposals emerged May 21, 2025, with AI Act enforcement beginning August 2025 and ongoing regulatory developments throughout 2024-2025.

Where: The amendments would apply throughout European Union member states, affecting organizations processing personal data under GDPR jurisdiction regardless of physical location. The proposals particularly impact cross-border processing, AI development activities, and organizations operating terminal equipment or automated decision-making systems.

Why: The Commission characterizes the Digital Omnibus as reducing administrative burdens while maintaining fundamental rights protections, particularly targeting small and medium-sized enterprises. However, the amendments respond to industry pressure regarding AI development costs, legal uncertainty claims, and perceived regulatory friction between GDPR and innovation objectives. Political leaders including Mario Draghi explicitly linked the proposals to European competitiveness concerns against United States and Chinese technology sectors.