The European Commission announced on Wednesday a major digital law reform that would ease certain requirements of its data protection regulation.
The aim is to reduce the proliferation of cookie consent banners that clutter websites across the internet.
What is GDPR?
The General Data Protection Regulation (GDPR), which came into force across the EU in 2018, has fundamentally changed how companies handle personal data.
By requiring greater transparency about how data is collected and used, GDPR has reshaped online practices throughout the bloc.
An accompanying ePrivacy directive brought cookies into public view by requiring all platforms to obtain explicit consent before using them.
Cookies are the trackers that monitor users’ online behaviour, enabling companies to target them with personalised advertising.
Since the rise of artificial intelligence, the big tech companies have repeatedly expressed concerns that European regulations are too restrictive.
However, some companies have found ways to use European data. In April, Meta, which owns Instagram and Facebook, announced it would train its AI models on user data unless users specifically opt out.
Why is the Commission proposing changes?
The Commission has presented its proposals as an effort to simplify and clarify European digital law.
“A regulatory solution on the consent fatigue and the proliferation of cookies banners is long overdue.”
It said it also aims to “stimulate opportunities for a vibrant business environment, creating more legal certainty and opportunities, in particular in sharing and re-using data, in processing personal data or training Artificial Intelligence systems and models.”
The end of cookie banners?
The main aim of the proposed changes to the Commission’s ePrivacy directive is to reduce the number of systematic requests for cookie permission.
Under the new rules, consent would be centralised within GDPR itself. Users would be able to register their preferences directly in their browser or another application, eliminating the need for repeated pop-ups on every website they visit.
However, “considering the importance of online revenue streams for independent journalism”, news media companies would still be allowed to request consent directly from visitors to their sites.
Will AI be able to use personal data?
The Commission is introducing a new legal basis for using personal data to train AI models.
By invoking “legitimate interest”, companies could feed their AI models during training or testing phases, provided they don’t override the “interests or fundamental rights and freedoms” of users.
Wednesday’s proposal includes other relaxations and simplifications of the current regulation.
For example, notifications about leaks of personal data would change. Companies would only need to alert authorities when the risk level reaches a higher threshold, and would be given more time to do so.
Why is the change concerning?
Several digital rights associations have come out strongly against the plan.
Austrian association Noyb blasted the proposed changes as “a gift to US big tech as they open up many new loopholes for their law departments to exploit”.
Last week, 127 European associations and organisations expressed concern at the move in a letter to the Commission.
“Unless the European Commission changes course, this would be the biggest rollback of digital fundamental rights in EU history,” the grouping said.
They said the GDPR was one of the few laws “that gives members of the public mechanisms to challenge powerful companies or authorities when they overstep”.
Published – November 20, 2025 10:07 am IST