EU to partially scrap cookie banners, enable AI training with personal data

The EU Commission has published its proposal for the “Digital Omnibus” – a package designed to modernize the GDPR and simplify cookie banners. The Commission promises over €800 million in annual savings for companies through new cookie rules, plus an additional €1.5 billion in one-time savings for cloud providers.
Users will soon be able to reject all cookies with a single click (at device level via OS or browser), and websites must respect this decision for at least six months. Additionally, banner pop-ups will no longer be required for “non-risky” purposes such as counting website visits.
“The amendments will reduce the number of times cookie banners pop up and allow users to indicate their consent with one-click and save their cookie preferences through central settings of preferences in browsers and operating system”, the EU Commission states. The cookie rules will be integrated into the GDPR framework, meaning violations can be penalized with fines of up to 4 percent of global turnover.
AI Training with Personal Data and Simplified Compliance
The proposal explicitly clarifies for the first time how personal data may be used to train AI models. Companies can invoke “legitimate interest” as long as processing violates no EU or national laws and meets all GDPR requirements. The Commission says:
“Under the GDPR, the entity responsible for the processing of personal data may lawfully process personal data for “legitimate interest”. The proposal clarifies how this applies to AI systems.
In line with the EDPB Opinion, personal data can be processed for AI models as long as any use in a specific situation does not break any EU or national law, and that the processing complies with all requirements of the GDPR.
The proposal submits this processing to strong safeguards and ensures that data subjects have the unconditional right to object to the processing of their personal data.”
The Commission emphasizes that users retain an “unconditional right to object.” Additionally, the proposal codifies a recent CJEU ruling: datasets can be shared if the recipient is unable to re-identify individuals. The original data controller continues to bear all GDPR obligations.
Various compliance obligations for companies are to be simplified. The Commission wants to clarify when data protection impact assessments must be conducted and how data breaches should be reported to supervisory authorities. Small businesses – such as tradespeople or sports clubs – will no longer need to inform users about every data processing activity if there are “reasonable grounds to assume” the person already possesses this information. The definition of personal data is to be refined, with the Commission promising to maintain “the highest level of protection.”
Massive Criticism from Data Protection Advocates
Data protection activist Max Schrems of the organization noyb fundamentally disputes this characterization: “This is the biggest attack on the digital rights of Europeans in years. When the Commission claims it is ‘maintaining the highest standards,’ that is simply false. The Commission’s proposals would undermine these standards.” Schrems argues that the changes primarily benefit Big Tech, while average European SMEs gain no real benefit.
127 civil society organizations and several factions in the EU Parliament (S&D, Renew, Greens) have already sharply criticized the proposal. Most EU member states had explicitly asked the Commission not to reopen the GDPR.
“Defenseless Against Opaque Algorithms”
Schrems is particularly critical of the planned changes for AI training: “Artificial intelligence may be one of the most influential and dangerous technologies for our democracy and society. Yet the narrative of an ‘AI race’ has led the Commission to discard even those measures that should actually protect us from being defenseless against large opaque algorithms.” A recent noyb survey shows that only 7 percent of Germans want Meta to use their personal data to train AI. The proposed opt-out approach does not work, since companies and users typically do not know whose data is contained in training datasets.
The Commission is driving the reform under President Ursula von der Leyen, Vice President Henna Virkkunen, and Justice Commissioner Michael McGrath – without the originally planned impact assessment or evidence gathering. Schrems calls it a “panic reaction” and says: “We cannot enact laws affecting the lives of 450 million people according to the motto ‘Move Fast and Break Things.’” According to available documents, political pressure comes in part from Germany, and there are also reports of pressure from the Trump administration to dismantle EU laws that stand in the way of US companies. The European Parliament and member states must still approve the proposal – resistance is substantial.