What you need to know about EU plans to scale back GDPR law

The European Commission is planning to scale back General Data Protection Regulations (GDPR) across the political bloc. What would the changes mean for you?

EU plans to slim down existing GDPR laws

According to a leaked document originally seen by German digital rights website Netzpolitik.org, the European Commission plans to make significant changes to the GDPR laws that apply in EU countries.

GDPR laws came into effect across the EU in 2018 and set an international precedent for protecting EU residents’ personal data, from collection to storage. Personal data is highly valuable because it is used to influence consumer and user behaviour. 

Fundamentally, GDPR law restricts companies operating in the EU from collecting personal data without a valid reason and from processing data which can be used to identify an individual, unless the individual consents (e.g. by accepting cookies).

Under the EU’s new plans, also known as the “Digital Omnibus”, websites operating in the EU would no longer have to ask for users’ explicit consent to track their cookies and companies would be able to train AI on this personal data if it was justified by “legitimate interests”, “beneficial for the data subject and society at large”.

In the following BBC video, Aral Balkan of the Small Technology Foundation explains why our personal data is valuable.

Why should I care that GDPR laws are being scaled back?

So if, in future, private companies can only use your personal data to train AI models if it is beneficial to you and “society at large”, surely that’s fine? Why should you care?

Lawyers specialising in data privacy believe that if companies can gather much more data by claiming “legitimate interest” to process personal data to train AI models, the EU would open the floodgates to large-scale data mining, to which individuals haven’t consented.

Large-scale data mining is when companies, organisations or authorities analyse huge amounts of personal data to understand patterns - this is widely considered to be a privacy violation. This is exactly what GDPR laws were initially designed to prevent.

Several high-profile cases involving large-scale data mining include the Facebook-Cambridge Analytica scandal and Russian disinformation campaigns on social media.

What are EU politicians and experts saying?

EU politicians are justifying the move to slim down GDPR law on the basis that it “has sometimes had an adverse effect on competitiveness”, according to the draft seen by Netzpoliktik.org.

“Fast and visible improvements are needed for people and businesses, through a more cost-effective and innovation-friendly implementation of our rules – all the while maintaining high standards and agreed objectives," the document explains.

The European Law Institute is in agreement that parts of the GDPR law are due an update, but that “improvements must not come at the expense of fundamental rights protection”. Meanwhile, European Digital Rights (EDRi) and Amnesty International say the EU’s protections are wrongly being painted as obstacles.

"What is being presented as a 'technical streamlining' of EU digital laws is, in reality, an attempt to covertly dismantle Europe's strongest protections against digital threats," Amnesty International wrote in an open letter.

German politician Jan Philipp Albrecht (Greens) accused the EU of undermining its own standards. More broadly, EU politicians are being accused of bending to President Donald Trump and US-based technology companies. 

Senior figures in the Trump administration have often condemned the EU for fining US-based technology companies for breaking GDPR laws and lamented the “onerous international rules” that fetter business competition to protect citizens and residents.

Before anything changes, the EU parliament and member states must approve the law.