Data privacy laws and protections against harvesting user data for AI development will be rolled back if new proposals to be released by the EU on Wednesday become law.

A leaked European Commission document, originally published by German advocacy site Netzpolitik.org, shows that the bloc is pushing for substantial changes to its landmark General Data Protection Regulation (GDPR) laws, considered by many to be the global standard, among a host of wider changes.

The motivation is, ostensibly at least, to cut red tape for European businesses struggling to compete on the global stage by simplifying a number of data protection rules. But privacy campaigners argue that profit is being prioritized over citizens' privacy and protection, while other observers feel the influence of Donald Trump's government and the US tech giants is a significant factor. 

What are the major changes to Europe's GDPR law?

Alterations to the EU's GDPR policy, which came into force in 2018, will probably be most noticeable among a number of technical changes. According to the leaked document, the definition of personal data will be narrowed, allowing companies to process such data to train AI models "for purposes of a legitimate interest".

The now-familiar pop-ups asking a user whether they accept cookies will disappear if the proposal becomes law, with more companies able to harvest user data without consent, forcing the user to ask to remove their data after the fact. Companies have complained that the application of laws around cookies has created higher compliance costs, particularly given that it can be enforced by both the EU and national agencies.

What are the implications for personal data?

Article 9 of the law, which deals with more personal data, would also change. While individuals' direct answers to questions on subjects like sexuality, religion or health will still be protected, the scope for defining sensitive data will narrow.

In practice, this would mean that data gleaned from non-direct questions (so browsing habits, for example) would not have the same protections as it previously did. However, the document does say that: "The enhanced protection of genetic data and biometric data should remain untouched because of their unique and specific characteristics."

In AI terms, the other major change is that the EU will advocate a further one-year pause in the implementation of parts of its AI law, meaning they will now come into effect in 2027 rather than 2026. This is a delay that has been pushed by many big businesses, including Lufthansa in Germany, so they can quickly implement changes before tighter regulations. The airline announced earlier this year that they plan to replace about 4,000 jobs with AI.

Why is this happening now?

The EU's position is that red tape has become a burden for companies.

"The accumulation of rules has sometimes had an adverse effect on competitiveness. Fast and visible improvements are needed for people and businesses, through a more cost-effective and innovation-friendly implementation of our rules – all the while maintaining high standards and agreed objectives," the introduction to the document reads.

However, many critics argue that the changes are also driven by a desire to appease the US and its major tech companies. US Vice-President JD Vance complained earlier this year that "onerous international rules" were in danger of hindering AI development, while companies like Meta and Apple have been fined billions of dollars for breaches of EU data rules in recent years.

The EU rejects the notion of American influence on the move, with chief commission spokeswoman Paula Pinho stating that it "started before the mandate of the president of the US" earlier this week.

What are the concerns?

German politician Jan Philipp Albrecht, who as a former European Parliament member was one of the chief architects of GDPR, was one of the first to comment. "Is this the end of data protection and privacy as we have signed it into the EU treaty and fundamental rights charter?" he asked. "The Commission should be fully aware that this is undermining European standards dramatically."

A group of 127 civil society organizations, including Amnesty International, also highlighted their misgivings.

"What is being presented as a 'technical streamlining' of EU digital laws is, in reality, an attempt to covertly dismantle Europe's strongest protections against digital threats," an open letter read.

"These are the protections that keep everyone's data safe, governments accountable, protect people from having artificial intelligence (AI) systems decide their life opportunities, and ultimately keep our societies free from unchecked surveillance. Unless the European Commission changes course, this would be the biggest rollback of digital fundamental rights in EU history."

What happens next?

Commission President Ursula von der Leyen will require the approval of both the EU parliament and member states to get the document into law.

That may prove tricky, with many in her coalition reportedly dubious about the benefits of the plan. Von der Leyen will certainly need to win round both allies and foes to get the document through, but the organization insists this is not an attack on privacy.

"I can confirm 100 percent that the objective... is not to lower the high privacy standards we have for our citizens," said Thomas Regnier, EU spokesman for digital affairs.

Edited by: Jess Smee