Europe Weakens AI and Privacy Rules to Compete

The European Commission published the Digital Omnibus package on 19 November 2025, a single legislative proposal that amends the AI Act, GDPR, ePrivacy Directive, Data Act, and several cybersecurity frameworks. The package frames the changes as "simplification," but it proposes consequential concessions, notably delaying certain AI Act obligations for high-risk systems by up to 16 months, creating a new lawful-basis for AI training data under legitimate interest, and narrowing the legal scope of what counts as personal data.

The package contains multiple discrete changes that matter for practitioners and risk teams. Key items include:

• •Delaying enforcement and compliance deadlines for selected AI Act high-risk obligations by up to 16 months, shifting implementation timelines for risk assessments and mitigation obligations.
• •Introducing a legitimate interest basis tailored to training AI models on datasets that include personal data, potentially reducing reliance on consent or anonymization in some use cases.
• •Narrowing the legal definition of personal data, which could change when data protection obligations apply and alter anonymization thresholds.
• •Reducing or postponing prescriptive requirements for staff AI literacy and certain governance duties, lowering immediate operational burdens on deployers.

These changes are paired with cross-references to the Data Act, ePrivacy, and NIS2 to eliminate overlap, but they also create ambiguity about which regime takes precedence in specific deployments.

The Omnibus responds to political and economic pressure to narrow Europe's perceived competitiveness gap with the United States and China. Legal scholars and civil society warn this is effectively a rollback of protections: an open letter called it the largest rollback of digital fundamental rights in EU history. Analysts such as Anu Bradford argue the productivity and innovation gap is driven by deeper structural problems, including fragmented capital markets, weak single-market integration, and restrictive immigration rules, not only regulatory friction. For ML engineering and data governance, the package changes the calculus for dataset composition, lawful-basis selection, and cross-border data flows. Firms building models in or for the EU may see lower immediate compliance costs, but will face legal uncertainty as national regulators and the European Data Protection Board interpret the amendments.

Track the Parliamentary and Council negotiations, EDPB guidance, and potential litigation. Compliance teams should reassess DPIAs, update lawful-basis justifications, tighten provenance and consent logs where relied upon, and prepare for shifting enforcement priorities while engaging with policy-makers.