EU Privacy Law Reform Sparks Activist Backlash

  • Critics warn changes could weaken GDPR protections

Privacy advocates are raising alarms over proposed revisions to Europe’s landmark data protection rules, arguing they would erode safeguards established under the General Data Protection Regulation (GDPR). The European Commission has introduced the “Digital Omnibus,” a package designed to streamline overlapping laws covering technology, environment, and finance. Among the proposals is a provision allowing major tech firms such as Google, Meta, and OpenAI to use Europeans’ personal data for AI training under the principle of “legitimate interest.” Activists say the changes would undermine established case law and dilute privacy rights.

Simplification or Erosion?

EU antitrust chief Henna Virkkunen is set to present the Digital Omnibus on November 19. The initiative aims to reduce regulatory complexity by merging or modifying existing frameworks, including the GDPR, the Artificial Intelligence Act, the e-Privacy Directive, and the Data Act. While the Commission argues this will cut red tape, critics see it as a backdoor for Big Tech to expand data use. Companies may also be exempted from restrictions on processing sensitive categories of personal data if they can demonstrate safeguards.

Austrian privacy group noyb described the proposals as “a death by a thousand cuts,” warning that cumulative changes across multiple GDPR articles would amount to a significant downgrade. Max Schrems, a leading privacy campaigner, said the reforms would roll back protections just a decade after the GDPR was adopted. Noyb has previously filed complaints against Apple, Alphabet, and Meta, leading to investigations and billions in fines. Activists fear the new framework could weaken enforcement and accountability.

Concerns Over Device Access

European Digital Rights (EDRi), a coalition of civil and human rights organizations, criticized the plan to merge the ePrivacy Directive into the GDPR. Known as the “cookie law,” the directive gave rise to widespread consent pop-ups across websites. EDRi policy advisor Itxaso Dominguez de Olazabal warned that under the new rules, access to devices could be justified by broad exemptions such as security or fraud detection. She argued this would fundamentally change how the EU protects personal data on phones, computers, and connected devices.

The proposals would still need approval from EU member states and the European Parliament before implementation. Negotiations are expected to be contentious, with privacy groups lobbying against what they see as a weakening of digital rights. Industry representatives, however, are likely to support the reforms as a way to reduce compliance burdens. The debate highlights the tension between fostering innovation and safeguarding individual privacy.

Next Steps in the Debate

The Commission’s proposals reflect growing pressure to balance regulatory oversight with technological development. Supporters argue that easing restrictions will help Europe remain competitive in AI and digital services. Opponents counter that privacy protections are a cornerstone of trust in the digital economy and should not be compromised. The outcome of parliamentary discussions will determine whether the reforms proceed in their current form or face significant revisions.

The GDPR, adopted in 2016 and enforced from 2018, has become a global benchmark for privacy regulation. Its influence extends beyond Europe, inspiring similar laws in countries such as Brazil, Japan, and South Korea, and shaping debates in the United States. Any changes to the GDPR framework could therefore have ripple effects worldwide, affecting how companies handle personal data across jurisdictions.


 
