Plans by the EU to trim back its tomes of legislation could very well help tech companies grab much more data to train artificial intelligence – but that also poses a massive privacy problem.

A leaked draft of the Commission’s grand plans for revamping the EU’s digital rules last week, a part of the Digital Omnibus in the simplification agenda, points to an appetite inside the Berlaymont to go all-in on AI, with proposals to centralise AI oversight power inside the European Commission itself and strip back privacy protections to make it easier for companies to use people’s information to train models.

The direction of travel the draft text signals on privacy – that EU citizens should expect less protection in the name of AI-driven innovation – is familiar because the proposed changes to privacy rules would rubber-stamp actions that were already being taken by tech giants like Facebook owner Meta.

Since May, Meta has been feeding Instagram and Facebook posts into its AI models. The move to train the system on people’s data without explicit consent sparked outrage among the privacy community. But the Irish data watchdog – which is in charge of GDPR oversight on Meta – ended up clearing the approach, despite earlier regulatory concerns putting Meta’s initial AI training push on pause last summer.

Other tech giants have followed suit – making use of a so-called “legitimate interest” basis set out in the bloc’s General Data Protection Regulation (GDPR) to train AIs on Europeans’ information without having to ask people for consent first.

If the Commission’s final digital omnibus proposal – which is expected to be presented on 19 November – cements this approach the EU will be giving big tech exactly what it’s been asking for.

Big tech attacks

Meta’s then-president of global affairs, Nick Clegg, penned an op-ed in Le Monde last December – attacking European data protection authorities for having “dragged their feet” on data-for-AI decisions. Their regulatory “snail’s pace” was blocking “growth and innovation”, the former MEP (and ex-deputy UK prime minister) wrote, harping on Brussels’ soul-searching about the state of European competitiveness and productivity in the wake of the Letta and Draghi reports.

Judging by the draft omnibus, the Commission has been keenly listening to big tech’s lobbying.

While the Commission’s initial plans for the digital simplification package did not mention the GDPR being in scope of the reforms, big tech companies and their Brussels-based lobbies used the public consultation on the omnibus plan to attack EU privacy laws, urging long-standing rules be ripped up to clear the road for AI.

Mario Draghi echoed calls for drastic GDPR revamps in September, accusing the law of being an obstacle to AI development.

In her September State of the Union speech, Commission President Ursula von der Leyen foreshadowed what was brewing inside the Berlaymont, framing AI as fundamental to the bloc’s competitiveness agenda. Europe must go AI-first to be a contender in this global tech race, von der Leyen suggested.

Huge changes

The omnibus had originally been characterised by the Commission as a package of targeted amendments. But the draft proposal sets out substantial changes to EU privacy laws.

“The changes are huge,” Lukasz Olejnik, an independent consultant and privacy researcher, told Euractiv. “This is a very ambitious package. It’s going to be the Olympic Games of lobbying.”

Privacy rights campaigner, Max Schrems, is critical of the Commission’s lack of transparency over the omnibus process. “One part of the EU Commission is secretly trying to overrun everyone else in Brussels,” he told Euractiv. “This disregards every rule on good lawmaking, with terrible results.”

If the final omnibus text aligns with the leaked draft the Commission will be proposing to explicitly recognise that AI developers can rely on the GDPR’s legitimate interest (LI) legal basis to use personal data to train their systems.

The LI legal basis can be used in lieu of first asking for users’ consent, making it far easier for companies to use personal data. Instead of having to ask people’s permission to feed their information into AI, developers will be able to justify the use as necessary, provided users’ rights don’t supersede their aims (LI requires a so-called “balance of interests” test).

Users can still actively opt-out. But defaults are powerful in digital settings. In other words, fewer people are likely to opt out of AI training than would say no if you had to ask them in the first place.

Olejnik told Euractiv that the change will support AI development. But he warned that companies will be the ones interpreting the rules. “While the GDPR still has the balancing test to weigh in the risk/benefits for the user, it is a matter of interpretation,” he said.

Fewer pop-ups

The draft plan also targets consent banners that pop up when a user visits a website – seeking permission to drop cookies.

Such pop-ups have riddled the European internet and are widely seen as a headache for ordinary web users. The Commission plan floats changes to the ePrivacy Directive – the long-standing EU privacy law that sets out rules for cookies – simplifying the current requirement for consent to drop tracking cookies on a user’s device (or any other types of cookies not strictly necessary for providing the service) to allow for other legal bases, such as LI.

Tech companies have also been pushing for this, claiming users are suffering “cookie fatigue” from seeing endless consent banners. Though privacy activists counter that by pointing out it’s tech companies designing such tedious consent flows.

The omnibus also redefines what constitutes personal data – a far-reaching change that could have even bigger implications for online tracking.

“If companies turn people into mere numbers, they could bypass the GDPR, while continuing to track and manipulate them,” warned Schrems, suggesting this could give entire industries – like online advertising – a carve-out from EU privacy rules.

(nl, jp)