EU Commission Expected to Propose GDPR Changes to Ease AI Training

Report from Computerworld

In Brief – The European Commission is planning to propose revisions of the General Data Protection Regulation (GDPR) intended to ease the ability to train AI systems with data collected in Europe as part of its “Digital Omnibus” simplification proposal. Privacy advocates reacted to a leaked draft with alarm, arguing that it would greatly weaken the EU’s landmark privacy protections. The Digital Omnibus is expected to move cookie regulation from the ePrivacy Directive into the GDPR, creating a new a new Article 88a that would eliminate the current requirement for explicit consent before setting non-essential cookies and allow websites to process data for “low-risk purposes” or under any legal basis recognized by the GDPR. Critics argue that the Commission is using “cookie fatigue” created by user consent pop-ups to justify diluting core privacy standards that prioritize corporate interests over individual rights. A particularly contentious element clarifies that companies would be able to train AI models on personal data under the GDPR’s “legitimate interest” basis if safeguards like transparency and the right to object are observed, which could allow large-scale data mining for AI development. The draft reportedly also narrows the definition of sensitive data, limiting enhanced protection to information that directly reveals protected traits. The Digital Omnibus proposal is expected to be publicly released on November 19.

Context – One growing European “digital sovereignty” concern is that the continent’s AI industry is not keeping pace with the US and China. The Commission is engaged. In October it announced two initiatives to promote AI development and use, which followed the Commission’s April “AI Continent Action Plan”. Many of Europe’s AI tech firms and investors argue that the bloc’s regulatory and tax environment is too cumbersome and is slowing development. Not only is the EU’s AI Act the most aggressive AI regulatory regime, but regulatory overlaps involving other digital regimes, including the GDPR and DMA, continue to crop up, reinforcing regulatory concerns given voice in last year’s Draghi Report.