Brussels – In a desperate attempt to regain for European companies the much-sought-after economic competitiveness lost to the United States and China, the EU Commission may be about to pummel one of the most important pieces of digital legislation: the General Data Protection Regulation, better known by its acronym, GDPR.
According to rumours circulating in the international press in the last few hours, the so-called “Digital Omnibus” that the EU executive is expected to present in the coming weeks would contain a series of proposals aimed at radically reforming the GDPR, hitherto hailed in Brussels as one of the most advanced legislations in the world in terms of protecting user privacy in the IT world.
The push would come from none other than Mario Draghi. The GDPR, adopted in 2016 and entered into force in 2018, was one of the targets of the European Competitiveness Report he presented in September 2024. On several occasions thereafter, the former Italian prime minister and former number one at the ECB has raked in accusations against the data regulation, criticising, above all, certain aspects of its clumsy implementation.
According to him, the excessive fragmentation and complexity of the implementation framework would create an unsustainable burden for businesses, especially small and medium-sized enterprises (SMEs), generate legal uncertainty (overlapping, moreover, with the rules of the more recent AI Act), and hinder the development of a true digital single market.
Specifically, regarding the training of artificial intelligence (AI) models, the GDPR would slow down the innovation of European companies, creating an artificial ballast from which, de facto, their US and Chinese counterparts benefit. Indeed, Draghi points to a 20 per cent increase in data management costs for economic operators in the EU. On this basis, he has repeatedly defended the need for a “radical simplification” of the regulation, as well as greater harmonisation at the implementation level.
Given that industrial competitiveness is one of the Polar Stars of the Commission’s policy agenda, the Berlaymont would set to work dismantling some central elements of the GDPR to make life easier for developers. The aim is to foster the Union’s emergence as a global hub of artificial intelligence, according to a twelve-star deregulation strategy announced months ago by Ursula von der Leyen herself.
In the race for global hegemony in this critical area, to which Brussels wants to participate building a series of AI Gigafactories where to train “Made in Europe” AI models (
an initiative that seems to have attracted the interest of the industry), the new gold of the 21st century is user data, collected in huge quantities by digital platforms and various services under the pretext of providing a more efficient and personalised experience.
The Commission would thus be making it easier for digital giants to access data by scaling back the rules set by EU lawmakers to protect the citizens of the Twenty-Seven. Among the first sections of the GDPR to come under the axe of simplification would be that relating to the concept of “legitimate interest“. Under the current rules, companies are obliged to obtain users’ explicit consent to collect their data, unless they can demonstrate a legitimate interest to justify a form of “trawling“. The amendments prepared by the EU executive would go in the direction of precisely widening the scope of this legal basis, allowing companies to access a much larger quantity of information (without having to ask for permission).
Recent updates from giants such as Meta and Google, and from platforms such as X and LinkedIn, are going precisely in this direction. For instance, setting, by default, a prior consent from users for the use of the data contained in their posts for the training of their respective artificial intelligences. The informed and aware user can easily deactivate these consents, but it is likely that, statistically, a substantial proportion of consumers are unaware of such mechanisms.
In addition, the Commission would aim to introduce new exceptions for AI companies on the use of so-called sensitive data (such as political beliefs, religious creed, ethnicity or health data), while at the same time revising the legal definition of this category of information, as well as to relax the provisions on user profiling, making tracking by means of cookies easier.
This is, on balance, one of the characteristic ethical dilemmas of our time, at least for post-industrial societies. One in which, if only on the surface, technological progress and protection of basic rights are pitted against each other. On the one hand, the profitability of the tech giants (which to date remain mainly US-based) and the attractiveness of European markets in the digital age. On the other hand, adherence to the EU’s constituent values, including respect for citizens’ privacy.
Yet, some industry experts argue, there are different ways to reform the GDPR. While it is true that a number of improvements can be made through targeted interventions, it is equally true that sacrificing user protection on the altar of unbureaucratisation—for the almost exclusive benefit of a small number of private companies—risks producing consequences that are difficult to foresee.
In catching up with Washington and Beijing, critics of this approach argue, perhaps Brussels should remember what distinguishes the Union from its main global competitors. Namely, the much-proclaimed social market economy, where higher ethical considerations should come before pure economic gain and efficiency. To proceed in the direction suggested by the amendments in question, they warn, would amount to an unconditional surrender to the private interests of the IT giants.
However, as happened with the previous Omnibus packages presented by the Berlaymont, this one too will have to go through the scrutiny of the co-legislators—the European Parliament and the EU Council. Where, in all likelihood, we will witness a heated political clash between those in favour of simplification and those who want nothing to do with reopening the GDPR.
English version by the Translation Service of Withub![[foto: imagoeconomica]](https://www.eunews.it/wp-content/uploads/2025/11/criptovalute-350x250.png)
