The European Commission is preparing a comprehensive package of legislative reforms that could challenge the foundations of European privacy protection. Under the guise of "administrative simplification," Brussels wants to streamline existing rules - including the AVG (GDPR), the AI Act, the ePrivacy Directive and the Data Act - through a so-called Digital Omnibus. According to leaked documents seen by Politico and Reuters, however, the plans go far beyond technical tweaks: they would create major exemptions for companies developing artificial intelligence.
Specifically, tech giants such as Google, Meta and OpenAI would soon be allowed to use Europeans' personal data to train AI models on the basis of a "legitimate interest" - even if it involves special categories of data, such as political beliefs, religion or health. It is also considering that pseudonymous data (where identifying details are concealed) will no longer always be considered personal data, and that the strict cookie rules from the ePrivacy Directive will be subsumed into the AVG (GDPR). That would make it easier for websites to track users without explicit consent.
Privacy activists speak of an outright attack on Europe's data protection system. The Austrian organization noyb, led by privacy lawyer Max Schrems, warns of "a massive deterioration of European privacy rights a decade after the introduction of the GDPR." European Digital Rights (EDRi) also strongly criticizes the plan: it would "fundamentally erode" the protection of what happens on a person's phone or computer.
The European reform plans deeply affect the foundation of Dutch privacy and data policy. They directly touch core laws such as the AVG (GDPR), the AI Act, the ePrivacy Directive and the Data Act, which together form the legal framework within which Dutch companies, institutions and governments handle personal data. These reforms require organizations to thoroughly review the way they process data - not only legally, for example around the use of "legitimate interest" as a basis, but also technically, with stricter transparency and security requirements.
Noteworthy is the merging of cookie rules and the adjustment of definitions of personal data, which mainly affect sectors such as healthcare, education and digitale overheid. In these domains, the Autoriteit Persoonsgegevens (AP) is likely to increase its oversight. At the same time, the Data Act introduces new obligations around data sharing and governance, forcing both companies and governments to take additional compliance measures.
In practice, these developments mean that Dutch privacy rules, supervision and user rights are becoming increasingly intertwined with European decision-making. The national playing field is influenced more than ever by Brussels choices and harmonization. Moreover, the broadening of the "legitimate interest" and the reclassification of personal data offer companies and international platforms more room to use data for AI applications. This may lead to changes in supervision and policy, especially in sectors where confidentiality and data minimization are paramount.
For citizens, this means a shift in the daily handling of their data: new forms of data use are becoming more common, while transparency and explicit consent are no longer always taken for granted. In doing so, the European reform plans mark an important turning point in the Dutch approach to privacy - one that reignites the debate about digital rights, innovation and surveillance.
According to Politico, the proposal is intended to make the European economy more competitive against the U.S. and China. Critics, however, see it as a panic reaction to Europe falling behind in the AI race. Former Prime Minister of Italy, Mario Draghi previously pointed to the AVG (GDPR) as a brake on innovation in his report on European competitiveness. Some member states, including Germany, are said to be open to relaxing it to help industry, while countries such as Austria, Slovenia, France and Estonia are vehemently opposed.
Former MEP Jan Philipp Albrecht, one of the architects of the AVG (GDPR), warns that the Commission is "dramatically undermining European standards." Privacy organizations also denounced the lack of transparency: no impact assessment was conducted, and the public consultation was completed in record time.
The Digital Omnibus will be officially presented on Nov. 19. After that, the European Parliament and member states must consider it - a process that insiders say will culminate in a "political and lobbying storm of historic proportions."
