After years championing the world’s strictest tech regulations, the European Union (EU) is now poised to soften its landmark privacy and AI laws. The shift reflects sustained pressure from industry, the US government, and internal critics who argue that regulatory burden is slowing innovation and worsening the bloc’s economic stagnation.

The European Commission’s proposal revises core elements of the General Data Protection Regulation (GDPR). Notably, it would make it easier for companies to share anonymized and pseudonymized datasets, and would explicitly permit AI companies to use personal data for model training as long as other GDPR requirements are met.

The proposal also targets the AI Act, which came into force in 2024. While many rules were set to take effect gradually, the Commission now seeks to delay enforcement for high-risk AI systems until “the needed standards and support tools are available” to AI companies. These systems include models posing “serious risks” to health, safety, or fundamental rights.

This shift effectively extends the compliance roadmap for companies building or deploying high-risk AI, a move strongly supported by industry groups who argued that implementation timelines were unrealistic.

One of the most visible changes is the planned overhaul of Europe’s ubiquitous cookie banners and pop-ups.

Under the new proposal:

For millions of consumers — and developers — this could dramatically clean up the browsing experience across the EU.

Other amendments in the EU’s broader digital policy package — often referred to as the Digital Omnibus — include:

Together, these changes aim to reduce compliance complexity while preserving key oversight mechanisms.

“We have all the ingredients in the EU to succeed. But our companies, especially our start-ups and small businesses, are often held back by layers of rigid rules,” said Henna Virkkunen, executive vice-president for tech sovereignty at the European Commission. “By cutting red tape, simplifying EU laws, opening access to data and introducing a common European Business Wallet we are giving space for innovation to happen and to be marketed in Europe. This is being done in the European way: by making sure that fundamental rights of users remain fully protected.”

The proposal now moves to the European Parliament and the EU’s 27 member states, where it must secure a qualified majority. The approval process could take months — and may trigger significant changes as political blocs clash over the balance between innovation and rights protection.

Early reactions suggest a fierce fight is coming. Civil rights organizations and several lawmakers have criticized the draft as a capitulation to Big Tech, warning that it weakens safeguards central to the GDPR’s legacy.

The shift follows months of lobbying by major tech firms and pressure from President Donald Trump, as well as influential EU figures like Mario Draghi, the former Italian prime minister and ex-head of the European Central Bank (ECB). They argue that overly burdensome rules are eroding Europe’s competitiveness in the global AI race — a race overwhelmingly dominated by the United States and China, home to companies like DeepSeek, Google, and OpenAI.

In response to those concerns, the Commission has emphasized that the overhaul is intended to streamline Europe’s regulatory framework rather than weaken it, positioning the revisions as a way to ease fears that strict compliance demands are hindering the bloc’s ability to compete globally.

Q: Why is the European Union scaling back parts of the GDPR and the AI Act now?
A: The European Commission argues that rigid compliance demands are slowing innovation and putting EU companies at a disadvantage in the global AI race. By easing data-sharing rules and delaying high-risk AI system requirements, the bloc hopes to stimulate growth and reduce regulatory friction.

Q: Does the proposal mean AI companies can now use more personal data?
A: Yes — under the updated approach, AI developers would be allowed to train models on personal data as long as processing still aligns with broader GDPR requirements, including safeguards around anonymization, pseudonymization, and lawful basis for use.

Q: How does this affect the AI Act’s timeline?
A: Enforcement for high-risk AI categories — originally due next summer — would be delayed. These rules would only activate once the necessary technical standards and assessment tools are ready, effectively extending the compliance runway for companies building or deploying high-risk systems.

Q: What changes will users notice most?
A: The biggest public-facing change is a dramatic reduction in cookie pop-ups. Non-risk cookies would no longer trigger banners, and browser-level settings would give users centralized control instead of repetitive prompts across websites.

Q: How are civil society groups responding?
A: Advocacy organizations and several EU lawmakers have criticized the proposal, arguing that it weakens hard-won privacy safeguards and responds too directly to pressure from Big Tech and foreign governments.

Europe’s decision to scale back core elements of the GDPR and delay enforcement of the AI Act marks one of the most significant regulatory reversals since these frameworks were introduced. For years, the EU positioned itself as the global standard-setter for digital rights and safe AI development — a counterweight to looser regulatory approaches in the United States and China. Adjusting these rules now signals a recognition that stringent compliance requirements may be slowing European innovation and reducing the bloc’s ability to compete in a rapidly accelerating AI landscape.

At the same time, the retreat raises new questions about how the EU will balance economic competitiveness with public expectations around safety, transparency, and privacy. Many users, civil society groups, and policymakers have long viewed Europe’s regulatory model as a safeguard against unchecked AI deployment and broad data collection. As the debate unfolds, the challenge for Brussels will be determining whether streamlined rules can still offer meaningful protections while giving European companies the flexibility they need to innovate.

Another emerging consideration is the global ripple effect. As the world’s most influential digital rulebook, the GDPR and the AI Act have shaped draft laws across Asia, Latin America, Africa, and several U.S. states. If Europe continues softening its stance, other governments may reassess their own regulatory strategies — either aligning with a more flexible approach or doubling down on stricter AI governance and data protection standards.

For global AI governance, this moment represents a potential turning point. The outcome of this recalibration — and the political fight that follows — will influence not only Europe’s trajectory but also how other regions approach AI regulation in an increasingly high-stakes, high-speed AI race.

Editor’s Note: This article was created by Alicia Shapiro, CMO of AiNews.com, with writing, image, and idea-generation support from ChatGPT, an AI assistant. However, the final perspective and editorial choices are solely Alicia Shapiro’s. Special thanks to ChatGPT for assistance with research and editorial support in crafting this article.