The European Union set the global standard for digital rights with the General Data Protection Regulation. Countries from Brazil to Japan to California borrowed its structure, principles, even its acronyms. For a while, it seemed like Brussels had won the data war.
But now, the EU appears to be somewhat unpicking its own legacy. On November 10, the European Commission will unveil the “Digital Omnibus” – a sweeping legislative package that proposes to amend not just GDPR but also the AI Act and ePrivacy Directive. What officials describe as “simplification,” privacy experts are calling “strategic retreat.”
Three Moves That Change Everything
Leaked drafts of the Omnibus reforms indicate three major shifts:
Redefining Personal Data
The first proposed change is perhaps the most legally significant – a narrower definition of what constitutes personal data. Under the current GDPR, the concept is interpreted broadly to include any information relating to an identified or identifiable individual, either directly or indirectly.
The draft reforms may narrow this scope, particularly where identifiability is probabilistic or context-dependent. For example, behavioural and clickstream data that previously required full GDPR safeguards might fall outside the redefined scope, placing significant categories of digital activity beyond the reach of data subjects’ rights.
This would not only reduce the compliance burden for platforms and processors, it could also eliminate legal protections for billions of data points used in profiling, advertising and predictive analytics. It’s a definitional shift with functional consequences.
AI Training Under ‘Legitimate Interest’
Perhaps the most controversial change is a proposed reinterpretation of ‘legitimate interest’ – one of the lawful bases under Article 6 of the GDPR – to explicitly include AI model training on personal data without prior consent.
This would represent a dramatic departure from current practice. Today, training machine learning models on personal data typically requires anonymisation, explicit consent or a narrowly tailored legitimate interest justification subject to a balancing test. The Omnibus appears poised to streamline or eliminate that balancing requirement in certain contexts.
This could unlock a flood of data for AI model training, particularly for foundation models and sector-specific LLMs, but at the cost of bypassing core GDPR protections. It raises hard questions about fairness, bias and control. Would individuals even know their data was used? Could they object? What would redress look like?
For companies looking to scale AI systems trained on rich European datasets, this is a green light. For privacy advocates, it’s a red flag.
Cookie Consent Flip
The third shift may feel more cosmetic but it’s no less consequential. The Omnibus proposes reversing the default cookie rule from opt-in to opt-out.
Since GDPR and the ePrivacy Directive came into effect, users must actively consent before most tracking cookies can be placed on their devices. Under the proposed change, consent could be presumed unless actively refused, with general browser settings possibly sufficing to indicate preference.
This is a long-standing ask from the adtech industry, which argues that consent banners erode user experience and lead to ‘consent fatigue.’ But an opt-out regime fundamentally alters the power dynamic, especially when users may not fully understand what they’re consenting to.
Each of these, on its own, would be significant. Together, they signal a fundamental recalibration of the EU’s posture toward privacy, platform power and innovation.
The Political Wind Shift
The timing is not coincidental. A year ago, former ECB President Mario Draghi warned that overregulation was choking European competitiveness and Europe’s innovation potential. Member states, particularly France and Germany, home to powerful industrial lobbies, have pushed for regulatory agility to compete in the age of AI. The war in Ukraine, growing strategic dependencies on U.S. cloud and AI infrastructure and a sluggish tech sector have all added pressure.
The GDPR became the de facto privacy template for much of the world. If the EU now reinterprets its own rules or relaxes their scope, the consequences cascade globally:
Brazil’s LGPD, modelled heavily on GDPR, may face pressure to liberalise.
California’s CCPA/CPRA drew directly from GDPR principles like purpose limitation and data minimisation.
African Union and ASEAN states, which referenced GDPR in drafting guidance, may rethink their trajectory.
Data adequacy decisions – especially between the EU and UK – could be re-contested.
If the EU, the architect of modern privacy law, starts watering down its own framework, the very idea of “high-standard” data governance risks becoming politically negotiable rather than principle-based.
The GDPR took six years of negotiation and enforcement calibration to embed. The Omnibus could begin to undo key protections in six months.
For Irish Firms: Opportunity or Uncertainty?
Because so many global tech companies are based in Ireland, and because of how GDPR’s enforcement system works, the Irish Data Protection Commission has become a central player in regulating digital privacy for the whole EU. The DPC has already faced criticism for slow enforcement and protracted investigations. The Omnibus could either reduce that burden or complicate it further by layering in new ambiguity.
For Irish firms, particularly those working in legal tech, compliance, AI development, and cross-border services, the implications are mixed:
Compliance strategies built on high-certainty interpretations may need to be retooled or revalidated.
Privacy notices, DPA clauses and internal governance processes may need reworking to align with the new lawful bases and definitions.
AI deployments previously stymied by GDPR constraints may suddenly be viable, with all the ethical, reputational and technical responsibility that entails.
What Happens Next?
The Omnibus is expected to enter formal legislative debate in early 2026, facing scrutiny from the European Parliament, Member States and industry coalitions.
This will trigger months of legislative debate, industry lobbying and pushback. But the direction is already clear – the EU appears to be pivoting from rights-first to risk-managed.
For privacy advocates, it feels like a rollback. For businesses, it’s a crossroads. And for legal professionals, it’s a clear signal that even the most principled frameworks can bend under economic and political pressure.
An adequate response to this demands more than a compliance checklist. It requires strategic clarity. As lawmakers redefine what counts as personal data, what counts as lawful use and what counts as consent, firms and practitioners have to move beyond the binary of “allowed/not allowed” and focus on what their own standards are with regard to the underlying values. Compliance can change with politics but trust and reputation, once lost, are much harder to rebuild.





