European Commission accused of ‘massive rollback’ of digital protections

Original article by Jennifer Rankin in Brussels

The European Commission has been accused of “a massive rollback” of the EU’s digital rules after announcing proposals to delay central parts of the Artificial Intelligence Act and water down its landmark data protection regulation.

If agreed, the changes would make it easier for tech firms to use personal data to train AI models without asking for consent, and try to end “cookie banner fatigue” by reducing the number times internet users have to give their permission to being tracked on the internet.

The commission also confirmed the intention to delay the introduction of central parts of the AI Act, which came into force in August 2024 and does not yet fully apply to companies.

Companies making high-risk AI systems, namely those posing risks to health, safety or fundamental rights, such as those used in exam scoring or surgery, would get up to 18 months longer to comply with the rules.

The plans were part of the commission’s “digital omnibus”, which tries to streamline tech rules including GDPR, the AI Act, the ePrivacy directive and the Data Act.

After a long period of rule-making, the EU agenda has shifted since the former Italian prime minister Mario Draghi warned in a report last autumn that Europe had fallen behind the US and China in innovation and was weak in the emerging technologies that would drive future growth, such as AI. The EU has also come under heavy pressure from the Trump administration to rein in digital laws.

The EU’s economy commissioner, Valdis Dombrovskis, said: “Europe has not so far reaped the full benefits of the digital revolution and we cannot afford to continue to pay the price for failing to keep up with a changing world.” He added that the measures would save business and consumers €5bn in administrative costs by 2029.

They are part of the bloc’s wider drive for “simplification”, with plans under way to scale back regulation on the environment, company reporting on supply chains and agriculture. Like these other proposals, the digital omnibus will need to be approved by EU minsters and the European parliament.

European Digital Rights (EDRi), a pan-European network of NGOs, described the plans as “a major rollback of EU digital protections” that risked dismantling “the very foundations of human rights and tech policy in the EU”.

In particular, it said that changes to GDPR would allow “the unchecked use of people’s most intimate data for training AI systems” and that a wide range of exemptions proposed to online privacy rules would mean businesses would be able to read data on phones and browsers without asking.

European business groups welcomed the proposals but said they did not go far enough. A representative from the Computer and Communications Industry Association, whose members include Amazon, Apple, Google and Meta, said: “Efforts to simplify digital and tech rules cannot stop here.” The CCIA urged “a more ambitious, all-encompassing review of the EU’s entire digital rulebook”.

Critics of the shake-up included the EU’s former commissioner for enterprise, Thierry Breton, who wrote in the Guardian that Europe should resist attempts to unravel its digital rulebook “under the pretext of simplification or remedying an alleged ‘anti-innovation’ bias. No one is fooled over the transatlantic origin of these attempts.”

The commission’s vice-president in charge of tech policy, Henna Virkkunen, pushed back against suggestions that Brussels was responding to US pressure. “We want to support our start ups, our SMEs to scale up their businesses to innovate in the EU,” she said. “We are not so much here looking at big industries or the very big tech companies … They have also the resources to comply with different rules.”

She also rejected claims that the AI Act was being watered down, saying that action was needed to prevent European start-ups from moving to other jurisdictions.

Michael McGrath, the EU commissioner responsible for the GDPR, said most of the feedback on the proposals had come from companies in the EU. He said the commission was introducing “targeted amendments to GDPR” that clarified existing concepts and principles while “ensuring a high level of data protection across the EU”.

EU officials said users would remain in control of their data on the internet, but new rules on cookies – the internet files that are stored on a user’s device so a website can remember them – would make life simpler by ensuring one-click consent. “I think we can all agree we have spent too much of our time accepting or rejecting cookies,” Virkkunen said.