European Union flags flutter outside the EU Commission headquarters in Brussels, Belgium July 16, 2025. REUTERS/Yves Herman

By Foo Yun Chee

BRUSSELS (Reuters) -Privacy activists say proposed changes to Europe's landmark privacy law, including making it easier for Big Tech to harvest Europeans' personal data for AI training, would flout EU case law and gut the legislation.

The changes proposed by the European Commission are part of a drive to simplify a slew of laws adopted in recent years on technology, environmental and financial issues which have in turn faced pushback from companies and the U.S. government.

EU antitrust chief Henna Virkkunen will present the Digital Omnibus, in effect proposals to cut red tape and overlapping legislation such as the General Data Protection Regulation, the Artificial Intelligence Act, the e-Privacy Directive and the Data Act, on November 19.

According to the plans, Google, Meta Platforms, OpenAI and other tech companies may be allowed to use Europeans' personal data to train their AI models based on legitimate interest.

In addition, companies may be exempted from the ban on processing special categories of personal data "in order not to disproportionately hinder the development and operation of AI and taking into account the capabilities of the controller to identify and remove special categories of personal data".

"The draft Digital Omnibus proposes countless changes to many different articles of the GDPR. In combination this amounts to a death by a thousand cuts," Austrian privacy group noyb said in a statement.

Noyb is known for filing complaints against American companies such as Apple, Alphabet and Meta that have triggered several investigations and resulted in billions of dollars in fines.

"This would be a massive downgrading of Europeans' privacy 10 years after the GDPR was adopted," noyb's Max Schrems said.

European Digital Rights, an association of civil and human rights organisations across Europe, slammed a proposal to merge the ePrivacy Directive, known as the cookie law that resulted in the proliferation of cookie consent pop-ups, into the GDPR.

"These proposals would change how the EU protects what happens inside your phone, computer and connected devices," EDRi policy advisor Itxaso Dominguez de Olazabal wrote in a LinkedIn post.

"That means access to your device could rely on legitimate interest or broad exemptions like security, fraud detection or audience measurement," she said.

The proposals would need to be thrashed out with EU countries and European Parliament in the coming months before they can be implemented.

(Reporting by Foo Yun CheeEditing by Alexandra Hudson)