Cookie pop-ups could vanish as EU moves to loosen GDPR and delay AI rules

EU plans to ease parts of GDPR and delay pieces of the AI Act to 2027, with fewer consent prompts and a tighter personal data scope. Simpler for legal teams, but expect pushback.

Published on: Nov 20, 2025

EU's proposed shift on GDPR and AI: what legal teams need to know

The European Commission is preparing a package that would ease parts of the GDPR and delay pieces of the AI law. A leaked draft suggests a narrower definition of personal data, fewer consent prompts, and a longer runway for AI compliance.

For in-house counsel and DPOs, this is both an opportunity and a risk. The rules may get simpler for product and data teams, but litigation, political pushback, and uncertainty are about to spike.

The headline changes

  • Personal data narrowed + AI training under "legitimate interests": Companies could process personal data to train AI models under a legitimate interest basis, with a tighter overall definition of personal data.
  • Consent and cookies dialed back: Familiar consent pop-ups could fade. More data collection would proceed without upfront consent, shifting the burden to users to opt out and request removal later.
  • Article 9 (special categories) trimmed: Direct statements about health, sexuality, religion, etc. stay protected. Inferred signals (like browsing behavior suggesting sensitive traits) would get weaker protection.
  • Biometric and genetic data unchanged: The draft keeps enhanced protections for these categories.
  • AI Act delay: Parts of the EU AI law would be pushed by a further year, moving to 2027. Large firms pushed for more time to implement AI at speed; Lufthansa has already announced plans to replace about 4,000 jobs with AI.

Why now

The Commission frames this as a competitiveness fix: too many overlapping rules, too much cost, slower innovation. The stated aim is a "more cost-effective and innovation-friendly" application of existing standards, without lowering them.

Critics argue there's political pressure from the US and large platforms. US Vice-President JD Vance warned this year that "onerous international rules" could hinder AI progress. The Commission denies US influence, saying the process predates the current US administration.

Pushback to expect

Jan Philipp Albrecht, a key architect of the original GDPR, warned this could be "the end of data protection and privacy" as anchored in EU law. A coalition of 127 civil society groups, including Amnesty International, called the move a covert dismantling of core safeguards against surveillance and automated decision-making.

The Commission insists the goal is not to lower privacy standards. As its digital affairs spokesman put it: "I can confirm 100 percent that the objective… is not to lower the high privacy standards we have for our citizens."

Legal implications to model now

  • Legitimate interests for AI training: Expect a bigger role for LIAs, balancing tests, and documented safeguards. You'll need clear risk mitigations, especially for vulnerable groups and large-scale profiling.
  • Shift from opt-in to opt-out for tracking: Consent flows and CMPs may be redesigned. Plan for higher volumes of opt-out and deletion requests and more scrutiny of user friction in opt-out paths.
  • Inferred sensitive data exposure: If browsing-derived traits lose Article 9 protection, enforcement may pivot to fairness, transparency, and discrimination rules. Watch national regulators' positions on profiling and inference harms.
  • Biometric/genetic carve-outs: No change there. High-risk and high-sensitivity uses still demand strict controls, purpose limits, and tight DPIA practices.
  • ePrivacy interplay: Changes to cookie consent won't erase obligations under ePrivacy for certain tracking technologies. Expect uneven national interpretations during the transition.
  • Employment and labor risk: With AI scaling and job impact in the spotlight, coordinate with HR, works councils, and labor counsel. Algorithmic transparency and consultation duties will matter.

Enforcement and litigation outlook

If adopted, expect test cases fast. Narrowing "personal data" and weakening inference protections invites CJEU challenges and interim guidance battles at the EDPB level. NGOs are signaling aggressive action.

Member States and the Parliament still need to approve any changes. Reports suggest skepticism within the Commission President's coalition. The final text may swing back toward stronger protections or add carve-outs in response to political pressure.

Timeline and what happens next

  • Proposal publication: The Commission plans to table the draft this week.
  • EU legislative process: Parliament and Council review, amendments, and trilogues to follow. Expect months of negotiation.
  • AI Act delay: Targeted provisions slip to 2027. Companies get an extra year, but supervisory expectations won't stand still.

Action checklist for counsel and DPOs

  • Map data used or proposed for AI training. Flag sources that rely on consent today and model a pivot to legitimate interests, with safeguards.
  • Refresh LIAs for AI training and large-scale analytics. Document necessity, proportionality, and mitigations (pseudonymization, purpose limits, access controls).
  • Rework privacy notices to explain AI training use, opt-out mechanisms, and data subject rights. Minimize friction in opt-out flows.
  • Update DPIAs for profiling and high-impact models. Include discrimination testing and downstream risk controls.
  • Renegotiate vendor DPAs and TIAs. Make sure training, fine-tuning, and model improvement clauses match your lawful basis and opt-out commitments.
  • Prepare a surge plan for access, deletion, and opt-out requests. Automate verification, suppression, and retraining/exclusion workflows where feasible.
  • Coordinate with HR on AI-driven workforce decisions. Ensure labor consultations and transparency obligations are met before deployment.
  • Track national authority statements. Expect uneven enforcement during the transition; harmonize to the strictest likely interpretation.

Open questions to monitor

  • How narrowly will "personal data" be redrawn, especially for pseudonymous identifiers and online IDs?
  • Where will regulators land on inferred sensitive traits and profiling safeguards?
  • What stays under ePrivacy versus GDPR after cookie consent shifts?
  • How will legitimate interests for AI training interact with purpose limitation and data minimization duties?
  • Will Parliament restore stronger consent standards or add guardrails for vulnerable groups?
