Barely ten years after the General Data Protection Regulation (GDPR) came into force, the European Commission is considering a major overhaul of Europe’s flagship privacy framework. Officially, the objective is clear: to adapt regulation to the new age of generative artificial intelligence and enable European companies to compete with American and Chinese giants. But for digital rights advocates, it’s a betrayal of the founding principles of the European model.

“This would constitute an enormous regression for Europeans’ privacy,” warns Austrian activist Max Schrems, founder of the NOYB association.

Generative AI at the Heart of the Regulatory Shift

For several months, Brussels has been preparing a vast “digital package” of simplification. One of its most sensitive components concerns the overhaul of the GDPR, adopted in 2018. This legislation required obtaining “free and informed” consent before any processing of personal data—a requirement designed to regulate advertising targeting, but which now applies to generative AI models.

Platforms like Meta, LinkedIn, or xAI (Elon Musk’s company) have already crossed the line. In May 2025, Meta began using Facebook and Instagram posts to train its models without explicit consent, invoking the principle of “legitimate interest.” Until now, European data protection authorities contested this interpretation.

The Commission’s revision project, revealed by German media outlet Netzpolitik, would legitimize this practice: training AI on personal data would now be recognized as a “legitimate interest” under the GDPR. Companies would no longer have to seek prior consent, but only offer a “right to object,” which is often buried in privacy settings.

A Weakened GDPR in the Name of Competitiveness

Another major change: the Commission proposes to redefine “personal data.” If a company cannot directly identify a person from data, it would no longer be subject to the GDPR. At the same time, enhanced protection of sensitive data would be limited to cases where it “directly reveals” an individual’s racial origin, political opinions, or health.

These modifications are justified by the desire to “reduce legal uncertainties” for the AI industry. Officially, it’s about freeing European innovation hampered by regulation deemed too burdensome. In practice, they would weaken the legal foundation of the GDPR, considered until now as the global reference for data protection.

“The EU has spent years building a solid ethical framework. Unraveling it under the pretext of competitiveness would be a historic mistake,” says a source close to the Austrian data protection authority.

Tensions Between Member States

The issue deeply divides the Twenty-Seven. Germany is pushing for an ambitious reform, believing that Europe must “catch up on industrial lag” in AI. France, on the contrary, advocates for “targeted modifications” without “reopening the GDPR.” Austria, Poland, and Sweden firmly oppose it. Together, these countries could constitute a blocking minority in the European Council. Brussels plans to present its final text before year-end, but negotiations promise to be lengthy. To be adopted, the project must obtain approval from the European Parliament and Member States.

The AI Act, Also Relaxed

The GDPR is not the only framework targeted. The Commission is also considering postponing the application of several provisions of the AI Act, adopted in 2024 after lengthy negotiations. This legislation, which regulates AI systems according to their risk level, was to come into force progressively until 2027. Now, Brussels advocates for a “realistic” timeline, citing delays in publishing technical standards. Certain obligations—particularly those relating to documentation and monitoring—could be deferred by one year. The European executive also plans a grace period for mandatory labeling of AI-generated content. This relaxation contrasts with the line maintained this summer, when the Commission had refused any postponement despite industry pressure. According to a European official quoted by Reuters, the objective is now to “give European actors time to comply without hindering innovation.”

A Major Political Turning Point

All these adjustments occur in a context of exacerbated global competition. The Draghi report on competitiveness, published in 2024, already recommended “modernizing” European frameworks to prevent investment flight to the United States. But this choice carries a risk: weakening what made the European model unique—the primacy of fundamental rights over market logic. For Max Schrems, “Europe is sending a clear message: our data is becoming a commodity like any other. This is exactly what we wanted to avoid.”

Toward a Possible Balance?

Experts nevertheless caution against caricaturing the debate. In their view, it is possible to reconcile innovation and protection. Among the options considered:

  • a temporary derogation for European SMEs developing non-commercial AI models;
  • the creation of a “GDPR-compliant AI” label, guaranteeing transparency about the data used;
  • and strengthening traceability obligations for models trained on personal data.

These approaches would avoid “ethical dumping” while supporting local innovation.

Europe Facing Itself

In 2018, the GDPR made the European Union a global normative power. Seven years later, this ambition wavers. Between the fear of technological decline and the will to preserve its values, Brussels is attempting to redefine its place in the global race for artificial intelligence.

“Legitimate Interest” vs. “Explicit Consent”—What Really Changes

Explicit consent is the cornerstone of the GDPR: it requires a clear, voluntary, and informed agreement from the user before any use of their personal data. The company must prove that this consent has been given and that the person concerned can withdraw it at any time.

Legitimate interest, on the other hand, allows a company to process certain data without consent, if it demonstrates that its interest (for example, security, research, or innovation) does not infringe on individuals’ fundamental rights. This legal basis therefore requires a balance between economic interest and privacy.

In the case of artificial intelligence, this shift has serious consequences:

  • it authorizes massive use of public or semi-public data to train AI models,
  • it reduces transparency about the processing performed,
  • and it shifts the burden of vigilance onto citizens, who must exercise a “right to object” that is often hidden in settings.

In other words, what was an active choice would become a passive right—a symbolic but decisive shift for European digital governance.