Privacy groups warn that the proposed changes could erode fundamental protections, while the Commission argues they will simplify compliance and support innovation.
EU seeks to modernize the GDPR — but risks weakening privacy safeguards
The European Commission is preparing a major revision of the General Data Protection Regulation (GDPR) that could reshape how companies handle personal data — from cookie tracking to AI training. The proposal, expected to be published on 19 November, has already drawn strong reactions from privacy advocates who warn it could undermine the EU’s data protection framework.
According to a leaked draft reported by the German outlet Netzpolitik.org, the Commission plans to include the changes in a new “Digital Omnibus” package. Among other measures, the draft would remove the requirement for websites to obtain explicit consent before placing cookies and would allow the use of personal data for AI training when justified by a company’s “legitimate interest.”
Cookies moved under the GDPR — less consent required
The proposal introduces a new article, 88a, covering “processing of personal data on and from terminal equipment.” In practice, this would shift regulation of cookies from the ePrivacy Directive to the GDPR.
Today, Article 5(3) of the ePrivacy Directive requires explicit consent for all non-essential cookies. The Commission argues this has created unnecessary complexity and higher compliance costs. Under the new proposal, companies could process data via cookies based on a list of “low-risk purposes” or on the legal basis of legitimate interest — meaning tracking could become the default, with users given the opportunity to object afterwards.
“Although consent ensures control, it is not always the most appropriate legal basis for processing,” the draft states.
Privacy organizations contend this change risks rolling back European data protection. European Digital Rights (EDRi) warned in October that GDPR, ePrivacy and the AI Act are not obstacles to innovation but the foundation of Europe’s human-centered digital model, and that the Commission appears ready to weaken e-privacy protections.
“GDPR, ePrivacy and the AI Act are not barriers to innovation — they are the basis of Europe’s human-centered digital model. The Commission now appears ready to weaken e-privacy protection.”
Exceptions for the media and AI training
The draft makes an exception for the media sector. News organizations would still be able to require consent for cookies, citing the need to protect the economic foundations of journalism.
At the same time, AI training receives the green light. The draft proposes that companies be allowed to train, test and validate AI systems using personal data on the basis of legitimate interest — provided they implement safeguards such as data minimization, transparency and a right to object. The Commission cites examples like detecting bias or improving model accuracy.
Privacy lawyers, however, caution that this change could open the door to extensive data extraction without consent — precisely the kind of practice GDPR was designed to prevent.
Narrowing protection for sensitive data
One of the most controversial elements is a proposed narrowing of what counts as sensitive personal data under Article 9. Only data that directly reveals sensitive attributes such as religion or health would be covered. Information that merely indicates these attributes through analysis or profiling would no longer receive the same protection.
Critics argue this change could allow companies to infer political opinions or sexual orientation without those inferred data being protected as sensitive.
The European Law Institute warned in its feedback on 14 October that improvements must not come at the expense of protecting fundamental rights.
“Improvements must not be made at the expense of the protection of fundamental rights.”
What happens next?
If adopted, the proposal would relieve companies across the EU of the need to maintain extensive consent management systems for cookies and instead require them to document their legal basis under legitimate interest. Privacy groups also warn that the consultation process has been “exclusive” and overly focused on industry voices.
The revision could mark a turning point for Europe’s data protection landscape — either moving toward a more flexible regime that favors innovation, or weakening privacy protections for millions of users. Ongoing debate between regulators, civil society and industry will shape the final outcome as the proposal proceeds through the EU legislative process.