The European Commission announced several changes to its landmark digital laws as it hopes to "unleash innovation" – but insisted it is not ripping up its global standard-setting data protection rules.
On Wednesday, European Commissioners Henna Virkunnen, Valdis Dombrovskis and Michael McGrath presented the much-anticipated Digital Simplification Package, proposing to "simplify" (or deregulate) existing rules on Artificial Intelligence (AI), cybersecurity, and data.
At its core, the package streamlines rules on AI, cybersecurity and data, complemented by a Data Union Strategy to "unlock high-quality data for AI."
It also announced the introduction of European Business Wallets, offering companies a single digital identity to simplify paperwork and make it much easier to do business across EU Member States.
Changes to cookies
Among the key changes to GDPR, internet users could now face fewer cookie banners, with users being able to save their cookie preferences with one click and for a period of six months. They say this will modernise cookie rules to improve users' experience online.
However, the Brussels-based NGO European Digital Rights Initiative (EDRi) clarifies that consent would no longer be required for tracking, as a wide set of exceptions will let businesses read data on phones and browsers without asking.
Campaigners are concerned about the undoing of tech policy and human rights. EDRi called the announcement "a massive reopening of the EU’s core digital protections," while Max Scherms, a lawyer and digital rights advocate at NOYB called it "the biggest attack on European’s digital rights in years."
During the announcement, the European Commissioners adamantly argued that these rule changes are designed to give space for innovation in Europe, particularly in AI, while also seeking to find a "balance" with protecting citizens’ data.
On 19 November 2025, European Commissioners Henna Virkkunen, Valdis Dombrovskis, Michael McGrath give a press conference on the digital simplification package. Credit: EU
"The objective of the targeted amendments to GDPR is to maintain the effectiveness and integrity of this landmark regulation while also addressing calls to clarify, simplify and harmonise it," said McGrath, Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection, on Wednesday.
Importantly, the latest digital package aims to improve access to personal data for AI companies, as a key driver of innovation. This has been a big bone of contention with civil society groups.
EDRi argues that the European Commission's proposal rewrites essential parts of the GDPR, narrowing the definition of personal data through a new recital that allows companies "to mark their own homework."
This would allow the unchecked use of people’s most intimate data for training AI systems, while also reshaping automated decision-making.
AI grace period
Changes to the AI Act will also now give companies more time to comply with the rules for high-risk AI applications for a period of 16 months, meaning they would only apply in August 2027.
According to EDRi, this means that AI systems could exempt themselves from fundamental rules, turning the EU’s flagship legislation into a carte blanche for high-risk algorithmic technologies.
On the other side, a leading industry group believes that the reform package does not go far enough.
The Computer & Communications Industry Association (CCIA), whose members include Amazon, Apple, Cloudflare, Google, Meta and Uber, responded by saying the European Commission "must be bolder" in simplifying the EU’s regulatory landscape for digital and tech.
Illustration shows the Berlaymont which houses the headquarters of the European Commission. Credit: Belga / James Arthur Gekiere
While welcoming it as a first step, CCIA said in response that the package must only be the starting point for deeper reform of the EU’s digital rulebook.
On AI, it said the proposal misses an opportunity to raise the threshold for identifying AI models which pose a "systemic risk," and fails to fix problematic wording on the extraterritoriality of copyright provisions.
"CCIA Europe looks forward to the Commission moving into a higher gear with a more ambitious, all-encompassing review of the EU’s entire digital rulebook, and urges Member States and the European Parliament to back even bolder simplification measures," said CCIA Europe’s Head of Policy and Deputy Head of Office, Alexandre Roure.
Staying alert
While industry believes the rules do not go far enough, the European Commission also did not rule out further changes to its digital regulations in the future, including GDPR or the AI Act – with campaigners staying alert.
A leaked document from last week revealed how the European Commission was preparing widespread changes to the GDPR, most notably to allow the use of European citizens’ data to be used to train AI models of Big Tech companies, which had alarmed campaigners.
Campaigners from People vs Big Tech, WeMove Europe, and EDRi launched four mobile billboards driving across Brussels, calling on Ursula von der Leyen to stand up to Trump and Big Tech, and defend Europe’s digital laws, Wednesday 19 November 2025.
On Wednesday, NGOs the People vs Big Tech, WeMove Europe, and EDRi launched four mobile billboards driving across Brussels, calling on Commission President Ursula von der Leyen to stand up to US President Donald Trump and Big Tech, and defend Europe’s digital laws.
Another NGO, Corporate Observatory Europe (CEO), announced it has filed a complaint with the European Ombudsman over the digital package presented today. It argues the deregulation package in the digital area is "an attack on people’s rights, and it was developed in secret with business lobbyists."
Either way, the European Commission estimates that the adoption of the digital package could save €5 billion in administrative costs by 2029.
These proposals are still subject to consultations with the European Parliament and the European Council.
