EU Eases AI Regulation
The EU Commission is planning a “simplification” of central rules for artificial intelligence and data protection. This affects what data companies are allowed to collect about you and what they use AI for. At the same time, Europe's economy should be strengthened in the AI race. The question is whether this is about deregulation or a step back for fundamental rights.
Introduction & Context
The EU's protective shield currently consists of three central pillars: the General Data Protection Regulation (GDPR), , the AI Act and ePrivacy rules. The GDPR has been the central data protection law of the EU since May 25, 2018, and regulates the processing and transfer of personal data. It anchors rights such as access, rectification, and deletion of data and obliges companies to maintain transparency and security standards. Legally, this is based on the fundamental right to data protection.
The AI Act is the first comprehensive EU law that categorizes AI by risk levels. Applications with “unacceptable risk” are prohibited, high-risk systems are subject to strict requirements. The law came into force on August 1, 2024, with staggered transition periods. ePrivacy rules supplement the GDPR for electronic communication and are the reason for cookie banners. The EU Commission is reviewing these rules, as they are considered fragmented and difficult to enforce and conflict with GDPR requirements.
A “relaxation” of the rules does not mean an abolition of protection, but rather changes to definitions, exceptions, and deadlines. It concerns what data is considered “personal data”, when companies can use it for AI training without consent, and whether certain parts of the AI Act will take effect later. These adjustments determine whether AI development in Europe is oriented towards rights or data hunger.
Analysis of Changes
The GDPR was adopted in 2016 and has been in force in all EU member states since May 2018. It protects personal data regardless of its form of processing. The AI Act entered into force on August 1, 2024, providing for staggered transition periods. Prohibited applications will be banned from February 2025, general AI models will be subject to requirements from August 2025, and most obligations for high-risk systems will apply from August 2026.
In February 2025, the EU Commission presented two “Omnibus” packages for bureaucracy reduction. It was announced that digital laws would also be reviewed and partly merged. In July 2025, Commission spokespersons rejected calls for a postponement of the AI Act. A few months later, the debate has shifted: an “Omnibus Digital” package is to be presented on November 19, 2025, and will merge changes to GDPR, AI Act, and ePrivacy to reduce bureaucracy and relieve smaller companies. This follows a report by Mario Draghi, who warned of Europe's economic dependence due to overly complex rules.

Source: pro-magazin.de
The EU's Regulation of Artificial Intelligence: A Balancing Act Between Innovation and Security.
Leaked drafts propose narrowing the definition of “personal data” so that pseudonymized identifiers such as advertising IDs or cookies would in many cases no longer fall under full GDPR protection. Companies would be allowed to use personal data to a greater extent for training AI models, citing “legitimate interest.” The NGO noyb warns, that this would undermine central protective mechanisms of the GDPR.
Cookie and tracking rules are to be more closely integrated with the GDPR, and the requirement for consent banners reduced. The Commission plans to abolish many cookie banners by creating broader legal bases for tracking. The handling of the AI Act is particularly controversial. The Commission is considering a one-year postponement of central obligations for high-risk AI. This would be a U-turn from the previous policy. A AFP-Bericht speaks of a “rollback” of central AI and data protection rules, sold with the promise of leaving high European standards untouched.
Important: None of this is already binding law today. The Commission is presenting proposals. For them to become effective, the European Parliament and member states must agree and can still heavily amend or block the draft.

Source: anwaltspraxis-magazin.de
Finding the Balance: Human and Machine at the Focus of the New AI Regulation.
Three major driving forces are recognizable: economic concerns, political pressure, and a conflict of objectives between innovation and fundamental rights. Economically, there is the fear that Europe could fall behind in the AI race. The Draghi Report explicitly names the GDPR as a factor hindering innovation.
At the same time, a broad front of lobby groups has formed. Large US tech corporations point to higher hurdles in Europe. Dozens of European industrial conglomerates have warned that the AI Act could slow down innovation. Smaller European AI providers fear falling behind data-rich US platforms.
On the other hand are civil rights organizations and data protection experts. They argue that the problem is not “too much regulation” but too little enforcement. A joint statement from 127 organizations warns that the Digital Omnibus could mark “the biggest setback for fundamental digital rights in the EU's history.”
Source: YouTube
Reactions & Impact
The EU Commission presents the package as a technical cleanup process. Official documents emphasize that the aim is to eliminate double regulations and make digital regulation “fit for the future” without lowering protection levels. A spokesperson is quoted as saying the goal is “not to lower high data protection standards,” but to clarify their application.
Civil society organizations warn of an “under the radar” process that bypasses democratic control and jeopardizes digital rights. Max Schrems and noyb speak of a „death by a thousand cuts“.
Media coverage ranges from cautiously concerned to clearly disapproving. Analyses emphasize that the EU risks relativizing its exemplary role. A commentary in The Guardian argues that Europe's real weakness is not too much regulation but too little enforcement. A conflict is brewing among member states and in the European Parliament: Ministries of Economic Affairs insist on “unleashing AI potentials,” while civil rights committees do not want to tolerate watering down fundamental rights.

Source: required.com
Europe's Digital Future: The Impact of Relaxed AI Regulation on Economy and Society.
For you as a citizen, nothing has changed yet. Your rights under the GDPR remain unchanged, as does the basic structure of the AI Act. However, it is important to understand where possible shifts might occur: If pseudonymized data is protected less stringently and more processing can be based on “legitimate interest,” it could become more difficult in the future to object to extensive tracking or AI training with your data.
For companies and start-ups, it can be a double-edged sword: on the one hand, the Commission promises less bureaucracy. On the other hand, transition periods and possible postponements create legal uncertainty. Anyone developing or deploying AI systems in Europe must continue to keep an eye on the original timeline of the AI Act as long as nothing has been officially changed.
For your own assessment, it can be helpful to distinguish between three levels: First, what does current law say? Second, what is specifically being proposed? Third, what positions do your national politicians and EU representatives take on this?
Source: YouTube
Outlook
First, it is open how forcefully the European Parliament and the member states will confront the Commission. The plans now presented could still be significantly altered. Second, the legal question arises whether a more narrowly defined “personal data” and new exceptions for AI training would be compatible with existing CJEU rulings and the Charter of Fundamental Rights. Should the new rules make complaint procedures more difficult or lower protection standards, lawsuits and lengthy court proceedings would be expected.
Third, it remains unclear whether a temporary “pause” on parts of the AI Act will actually lead to better preparation and clearer standards – or whether companies will primarily use it to play for time and influence subsequent implementing provisions. Here, it will be crucial how transparent and inclusive the further processes are designed.
Europe stands at a crossroads in its digital policy. On one side are ambitious goals for innovation and competitiveness, on the other, a system of protection for privacy and fundamental rights built up over years. The fact that EU rules for AI and data protection are now to be reviewed and partially relaxed is not a drama in itself – what matters is whether the changes are clear, proportionate, and democratically legitimate, and whether they still allow you to manage your data self-determinedly in the end. Until the political decisions are made, it is worthwhile to follow the debate attentively, consciously check sources, and actively use your own rights according to the current state.