BRUSSELS — A fresh proposal by European Commission President Ursula von der Leyen to reform digital laws on Wednesday was welcomed by lawmakers on the right but shunned on the left. It signals a possible repeat of a pivotal parliamentary clash last week in which von der Leyen’s center-right European People’s Party sided with the far right to pass her first omnibus proposal on green rules — sidelining the centrist coalition that voted the Commission president into office last year. The EU executive on Wednesday presented plans to overhaul everything from its flagship General Data Protection Regulation to data rules and its fledgling Artificial Intelligence Act. The reforms aim to help businesses using data and AI, in an effort to catch up with the United States, China and other regions in the global tech race. Drafts of the plans obtained by POLITICO caused an uproar in Brussels in the past two weeks, as everyone from liberal to left-leaning political groups and privacy-minded national governments rang the alarm. Von der Leyen sought to extend an olive branch with last-minute tweaks to her proposal, but she’s still a long way away from center-left groups. The Progressive Alliance of Socialists and Democrats, Greens and The Left all slamming the plans in recent days. Tom Vandendriessche, a Belgian member of the far-right Patriots for Europe group, said the GDPR is not “untouchable,” and that there needs to be simplification “to ensure our European companies can compete again.” He added: “If EPP supports that course, we’re happy to collaborate on that.” Charlie Weimers a Swedish member of the right-wing European Conservatives and Reformists, welcomed the plan for “cleaning up overlapping data rules, cutting double reporting and finally tackling the cookie banner circus.” Weimers argued von der Leyen could go further, saying it falls short of being “the regulatory U-turn the EU actually needs” to catch up in the AI race. Those early rapprochements on the right are what Europe’s centrists and left fear most. The digital omnibus “should not be a repetition of omnibus one,” German Greens lawmaker Sergey Lagodinsky told reporters on Wednesday. Lagodinsky warned EPP leader Manfred Weber that “there should be no games with anti-democratic and anti-European parties.” BIG REFORMS, SMALL CONCESSIONS The Commission’s double-decker digital omnibus package includes one plan to simplify the EU’s data-related laws (including the GDPR as well as rules for nonpersonal data), and another specifically targeting the AI Act. A Commission official, briefing reporters without being authorized to speak on the record, said the omnibus’ impact on the GDPR was subject to “intense discussion” internally in the run up to Wednesday’s presentation, after its rough reception from some parliament groups and privacy organizations. Much in the EU executive’s final text remained unchanged. Among the proposals, the Commission wants to insert an affirmation into the GDPR that AI developers can rely on their “legitimate interest” to legally process Europeans’ data. That would give AI companies more confidence that they don’t always have to ask for consent. It also wants to change the definition of personal data in the GDPR to allow pseudonymized data — where a person’s details have been obscured so they can’t be identified — to be more easily processed. The omnibus proposals also aim to reduce the number of cookie banners that crop up across Europe’s internet. To assuage privacy concerns, Commission officials scrapped a hotly contested clause that would have redefined what is considered “special category” data, like a person’s religious or political beliefs, ethnicity or health data, which are afforded extra protections under the GDPR. The new cookie provision will also contain an explicit statement that website and app operators still need to get consent to access information on people’s devices. SEEKING POLITICAL SUPPORT The final texts will now be scrutinized by the Parliament and Council of the European Union. Von der Leyen’s center-right EPP welcomed the digital simplification plans as a “a critical boost for Europe’s industrial competitiveness.” Parliament’s group of center-left Socialists and Democrats came out critical of the reforms. Birgit Sippel, a prominent German member of the group, said in a statement the Commission “wants to undermine its own standards of protection in the area of data protection and privacy in order to facilitate data use, surveillance, and AI tools ‘made in the U.S.’” On the EPP’s immediate left, the liberal Renew group cited “important concerns” about the final texts but said it was “delighted” that the Commission backtracked on changing the definition of sensitive data, one idea in the leaked drafts that triggered a backlash. Renew said it would “support changes in the digital omnibus that will make life easier for our European companies.” If von der Leyen goes looking for votes for her digital omnibus among far-right groups, she will find support but it might not be a united front. German lawmaker Christine Anderson of the Alternative for Germany party, part of the far-right Europe of Sovereign Nations group, warned the digital omnibus could end up boosting “the ability to track and profile people.” Weaker privacy rules would “enable enhanced surveillance architecture,” she said, adding her party had “always opposed” such changes. “On these issues, we find ourselves much closer to the groups on the left in the Parliament,” she said. Pieter Haeck contributed reporting.

BRUSSELS — European Union officials are ready to sacrifice some of their most prized privacy rules for the sake of AI, as they seek to turbocharge business in Europe by slashing red tape.  The European Commission will unveil a “digital omnibus” package later this month to simplify many of its tech laws. The executive has insisted that it is only trimming excess fat through “targeted” amendments, but draft documents obtained by POLITICO show that officials are planning far-reaching changes to the General Data Protection Regulation (GDPR) to the benefit of artificial intelligence developers.   The proposed overhaul will come as a boon to businesses working with AI, as Europe scrambles to stay economically competitive on the world stage. But touching the flagship privacy law — seen as the “third rail” of EU tech policy — is expected to trigger a massive political and lobbying storm in Brussels. “Is this the end of data protection and privacy as we have signed it into the EU treaty and fundamental rights charter?” said German politician Jan Philipp Albrecht, who as a former European Parliament member was one of the chief architects of the GDPR. “The Commission should be fully aware that this is undermining European standards dramatically.” Brussels’ shift on privacy comes as it frets over Europe’s waning economic power. Former Italian Prime Minister Mario Draghi namechecked the General Data Protection Regulation as holding back European innovation on artificial intelligence in his landmark competitiveness report last year. European privacy regulators have already been spoiling Big Tech’s AI party in recent years. Meta, X and LinkedIn have all delayed rollouts of artificial intelligence applications in Europe after interventions by the Irish Data Protection Commission. Google is facing an inquiry by the same regulator and was previously forced to pause the release of its Bard chatbot. Italy’s regulator has previously imposed temporary blocks on OpenAI’s ChatGPT and Chinese DeepSeek over privacy concerns. Those same tech giants are racing ahead in the U.S., without an equivalent blanket privacy law barring them from feeding AI with citizens’ data. UNLEASH THE LOBBYISTS The General Data Protection Regulation’s initial drafting in 2012-2016 triggered one of the biggest lobbying efforts Brussels has ever seen. Since taking effect in 2018, the EU has steered clear of amending it, fearing it would reignite the vicious lobbying war.  In past months, Commission officials have sought to preempt worries that it was overhauling the privacy rulebook. It insisted that its simplification proposals wouldn’t touch the underlying principles of the GDPR.  Now that draft plans are out, civil society campaigners have begun sounding the alarm. The Commission is “secretly trying to overrun everyone else in Brussels,” said Max Schrems, founder of Austrian privacy group Noyb — and Europe’s infamous privacy campaigner who was behind court cases that brought down major data transfer deals with the United States in the past. “This disregards every rule on good lawmaking, with terrible results,” he said. “Is this the end of data protection and privacy as we have signed it into the EU treaty and fundamental rights charter?” said German politician Jan Philipp Albrecht. | Heiko Rebsch/picture alliance via Getty Images One line of attack from privacy groups is to poke holes in what they say is a rushed omnibus process. While the GDPR took years to negotiate, public consultation on the digital omnibus only ended in October. The Commission has not prepared impact assessments to accompany its proposals, as it says the changes are only targeted and technical. The Commission’s tunnel vision on the AI race has resulted in a “poorly drafted ‘quick shot’ in a highly complex and sensitive area,” said Schrems. LOOSENING PRIVACY RULES The draft proposal obtained by POLITICO shows how far the European Commission is willing to go to placate industry on AI. Draft changes would create new exceptions for AI companies that would allow them to legally process special categories of data (like a person’s religious or political beliefs, ethnicity or health data) to train and operate their tech. The Commission is also planning to reframe the definition of such special category data, which are afforded extra protections under the privacy rules.   Officials also want to redefine what constitutes as personal data, saying that pseudonymized data (where personal details have been obscured so a person can’t be identified) might not always be subject to the GDPR’s protections, a change that reflects a recent ruling from the EU’s top court. Finally, it wants to reform Europe’s pesky cookie banner rules by inserting a provision into the GDPR that would give website and app owners more legal grounds to justify tracking users beyond simply obtaining their consent. The draft proposal could still change before the Commission officially unveils its plans on Nov. 19. Once presented, the omnibus package has to pass muster with EU countries and lawmakers, who are already sharply divided on whether to touch privacy protections.   But Finnish center-right lawmaker Aura Salla said she would “warmly” welcome the proposal “if done correctly,” as it could bring legal certainty for AI companies. | Alexis Haulot/European Parliament Documents seen by POLITICO show that Estonia, France, Austria and Slovenia are firmly against any rewrite of the General Data Protection Regulation. Germany — usually seen as one of the most privacy-minded countries — on the other hand is pushing for big changes to help AI. In the European Parliament, the issue is expected to divide groups. Czech Greens lawmaker Markéta Gregorová said she is “surprised and concerned” that the GDPR is being reopened. She warned that Europeans’ fundamental rights “must carry more weight than financial interests.”  But Finnish center-right lawmaker Aura Salla — who previously led Meta’s Brussels lobbying office — said she would “warmly” welcome the proposal “if done correctly,” as it could bring legal certainty for AI companies. Salla emphasized that the Commission will have to “ensure it is European researchers and companies, not just third country giants that gain a competitive edge from our own rules.” 

Enrico Letta is president of the Jacques Delors Institute and a former prime minister of Italy. Pascal Lamy is vice-president of the Paris Peace Forum and a former European commissioner for Trade. Kolinda Grabar-Kitarović is co-chair of the Global Preparedness Monitoring Board and a former president of Croatia. They are all members of the Governing Board of the new Jacques Delors Friends of Europe Foundation. For too long, the European project has been treated like an à la carte menu. Leaders cherry-pick advantages, blame Brussels for the compromises they’ve accepted, and leave citizens to bear the consequences of watered-down decisions and years-long delays. This habit of the political dodge, of agreeing in public and unraveling at home, has dented public trust, and it must stop. By 2028, Europe must complete the single market — not in slogans but in the concrete areas that shape everyday life, like energy, telecommunications, savings and investments, and the free circulation of knowledge and innovation. A real single market in these fields will deliver tangible benefits for citizens: Harmonized energy markets mean cross-border trade of electricity and gas, stabilized supplies and lower bills when markets work properly. Unified telecoms will reduce roaming and domestic price monopolies, improve service and widen access. Integrated capital markets will give savers better returns, channel funds to growing firms and make loans cheaper for small businesses. And removing barriers to research and data flows will allow students, scientists and entrepreneurs to collaborate and scale up without coming up against national borders. In short: more choice, lower costs, better opportunities and faster innovation. Alongside these priorities, Europe must also adopt what Enrico Letta and others call the “28th regime” — a mechanism that allows individuals and businesses to operate under uniform EU standards when national rules obstruct progress. Voluntary pioneers shouldn’t be hostage to vetoes from lone capitals. Where national foot-dragging denies benefits to citizens elsewhere, European law should offer an alternate path to deliver those benefits. This is about fairness and security. The fragmented status quo leaves households overpaying for energy, students facing unequal digital access and entrepreneurs boxed into tiny domestic markets. It also weakens Europe geopolitically: Fragmented energy systems increase vulnerability to hostile suppliers; disjointed capital markets amplify financial shocks; and splintered telecoms and digital rules hamper our ability to control critical infrastructure and data flows. Deadlines force choices and sharpen political will — without them, the default remains delay. Europe’s leaders thus need to set a clear, nonnegotiable deadline to complete the single market in energy, telecoms, capital and knowledge by 2028. And here are the concrete steps they must take: First, they must institutionalize the fifth freedom — the free circulation of knowledge and innovation — by removing regulatory barriers to research collaboration, data exchange, university partnerships and mobility for knowledge workers. Next, they need to adopt EU-wide rules where national governments block progress. Activating the 28th-regime concept will allow willing member countries and their citizens to benefit, even if one or two vetoers refuse to move. Then, break energy silos by fast-tracking cross-border interconnectors, harmonizing grid and wholesale market rules, and prioritizing joint procurement to prevent costly duplication. Also, unify telecoms by eliminating burdensome national licensing, promoting Pan-European operators, and creating a regulatory environment that rewards competition and coverage. Europe’s leaders thus need to set a clear, nonnegotiable deadline to complete the single market in energy, telecoms, capital and knowledge by 2028. | Thierry Monasse/Getty Images Finally, complete the capital markets union through the Savings and Investments Union, linking finance to the real economy and fostering investments in the common goods that Europe needs, such as innovation and digital, security, and the fight against climate change. Completing the single market must also go hand in hand with security and resilience. If Europe is to spend billions on defense, those investments must translate to more than trophies for national procurement agencies. We need a single market for defense, with interoperable equipment, joint procurement, shared standards and industrial cooperation. Defense purchases need to build common capabilities — not 27 bespoke systems that can’t communicate with each other. Societal resilience matters too. Authoritarian and malign actors weaponize disinformation, exploit social divisions and erode trust in institutions. Fighting disinformation is as much about strengthening communities as it is about policing platforms, and Europe must invest in civic resilience. We must also be clear-eyed about enlargement. Ukraine’s and Moldova’s resilience have shown democratic determination in the face of Russian aggression, and their efforts should inspire concrete progress. Former European Commission President Jacques Delors called enlargement “our duty” — and he was right. Widening the single market to include the Western Balkans, Ukraine and Moldova, while rigorously enforcing rule of law and democratic standards, is not charity. It’s a strategic investment in Europe’s security and prosperity. Europe now faces a stark choice: Inertia on the one hand, meaning fragmented markets, stranded talent, fragile societies and rising illiberalism; or integration on the other — a single market that lowers costs, boosts competitiveness, enhances security and renews citizens’ trust. The 2028 deadline shouldn’t be seen as a slogan. It’s a contract with Europeans who want results, not reassurances. And leaders must treat it as such. Delors said Europe needs a soul. Today, it needs delivery. Let’s strengthen our defenses and societies, meet our duty to our neighbors and finish the job. Let’s do it by 2028.

A corporate lawyer who has worked for Big Tech played a key role in picking a former lobbyist for Facebook and WhatsApp as one of Europe’s most powerful privacy regulators. Niamh Sweeney will take up her role as one of three chief regulators at Ireland’s powerful Data Protection Commission (DPC) next week. Her previous experience as a lobbyist for Facebook and WhatsApp has reignited concerns that Ireland’s top data regulator is too close to Big Tech. Now, new details about her appointment process seen by POLITICO show that a lawyer representing tech giants at a prominent law firm in Ireland was a member of a small panel that picked Sweeney. The inclusion of that lawyer on the panel triggered a conflict of interest complaint by a candidate that competed with her for the job earlier this year. The Irish Data Protection Commissioner enforces Europe’s mighty General Data Protection Regulation (GDPR) on many of the world’s largest technology companies, including Meta, X, Google, TikTok and others that have their European headquarters in Ireland. For years, the Irish authority has faced criticism for being too soft on tech giants, with critics pointing to Ireland’s heavy reliance on Big Tech for its domestic economy. After the GDPR took effect in 2018, it took years before the DPC started imposing sizable fines on tech giants. Commissioners at the Irish DPC are appointed by the Irish government on the advice of the Public Appointments Service, the authority that provides recruitment services for public jobs. The authority is known as publicjobs. In a confidential letter dated May 14 and seen by POLITICO, publicjobs said it had assembled a selection panel of five people to pick the newest privacy chief. According to the letter, that panel included consultant Shirley Kavanagh as chair, Department of Justice Deputy Secretary Doncha O’Sullivan, the head of Ireland’s ComReg communications watchdog Garrett Blaney, publicjobs recruitment specialist Louise McEntee, and Leo Moore, a partner at law firm William Fry. Moore heads the firm’s technology group. He has advised domestic and multinational companies, including “several ‘Big Tech’ and social media companies,” the law firm’s own website states. The law firm advised Microsoft in a landmark court case where U.S. authorities wanted to access data on Irish servers, it said in a 2016 press release. Irish media also reported that the firm had advised the Irish government in a case in which the government pushed back on collecting almost €14 billion in back taxes from Apple. Moore did not respond to POLITICO’s requests for comment. William Fry did not provide a comment in time for publication. The Irish Data Protection Commissioner enforces Europe’s mighty General Data Protection Regulation (GDPR) on many of the world’s largest technology companies, including Meta, X, Google, TikTok and others that have their European headquarters in Ireland. | Artur Widak/NurPhoto via Getty Images The chair of the panel, Kavanagh, has previously worked in senior leadership roles in the pharma, financial services, retail and public sectors, including with Inizio, Axa, Primark and Ireland’s central bank, she stated on her website. The site said she has also worked with “technology companies” as a “coach and senior team facilitator.” Kavanagh declined POLITICO’s request for comment, directing questions to the publicjobs service and the Irish justice department. REVOLVING DOOR COMPLAINT Sweeney is set to take office Oct. 13 alongside co-Commissioners Des Hogan and Dale Sunderland. The DPC switched to having three top commissioners after former Data Protection Commissioner Helen Dixon (who carried out the role alone) left office in 2024. Sweeney worked as Facebook’s head of public policy in Ireland from 2015-2019, then as EMEA director of public policy for WhatsApp until 2021, followed by a year working as head of communications for financial technology firm Stripe. She was a director at lobby firm Milltown Partners until this summer, her LinkedIn page showed. Sweeney’s appointment as co-commissioner raised concerns among privacy activists when it was announced in September. Austrian privacy group Noyb described it as Ireland’s “kissing US Big Tech’s backside” and said it left companies like Meta to regulate themselves. A candidate competing with Sweeney for the commissioner role submitted a complaint about the process in April, publicjobs’ May letter seen by POLITICO showed. The complainant’s name was redacted from the documents. The complainant questioned the inclusion of tech lawyer Moore on the panel that selected the former Meta official. They alleged that Moore had a conflict of interest given his role “as a corporate lawyer who represents clients whose business practices are regulated by the very agency this role oversees,” according to the letter, which responded to the complaint. Publicjobs in the letter defended the independence and expertise of the board that it had assembled and said it was “assured that Mr Moore’s professional role was not considered to conflict with his role on the Board.” The complainant also argued that no member of the panel had enough technological expertise to make a fair assessment of applications.   In the letter, publicjobs highlighted the “extensive” expertise of Moore in data protection and cybersecurity. GOVERNMENT STANDS BY APPOINTMENT Publicjobs said in the letter that it found “no evidence that the Board convened was inappropriate, or incapable of assessing candidates against the key requirements of the role in question.”  In a written comment to POLITICO, a spokesperson for publicjobs said the authority has “full confidence in the composition, independence, expertise and qualifications of the chosen Assessment Board” to recruit a third data protection commissioner, and that the complaint submitted about the competition had been “fully addressed” by the service’s review process.     A corporate lawyer who has worked for Big Tech played a key role in picking a former lobbyist for Facebook and WhatsApp as one of Europe’s most powerful privacy regulators. | Samuel Boivin/Getty Images They said publicjobs works to ensure assessment boards for senior roles are “balanced, diverse and not conflicted, with all panelists required to complete a confidentiality agreement and a conflict-of-interest form.” Boards at this level are approved by the service’s Chief Executive Margaret McCabe and Head of Recruitment Talent Strategy Michelle Noone, the spokesperson added. A spokesperson for Ireland’s Department of Justice, Home Affairs and Migration told POLITICO the ministry is “fully satisfied with the appointment process.” The Irish Data Protection Commission declined to comment, saying it was not involved in the appointment process. Blaney declined to comment, directing POLITICO to publicjobs and Ireland’s justice department. McEntee did not immediately respond to a request for comment.

Microsoft has cut off services it was supplying to Israel’s Defense Ministry, after finding that they were being used for mass surveillance of Palestinians. In August, The Guardian reported that the Israeli military is conducting mass surveillance of Palestinians, by gathering troves of phone call data from civilians in Gaza and the West Bank, and storing it on Microsoft servers in Europe. In a blog post Thursday, Microsoft President Brad Smith said that an internal review has “found evidence that supports elements of The Guardian’s reporting,” including details relating to Israel’s use of Azure storage in the Netherlands and use of AI services. Smith said that Microsoft’s terms of service prohibit the use of its tech for mass surveillance of civilians. He said the company has therefore ceased and disabled certain subscriptions and services it was supplying to Israel’s Defense Ministry, including their use of specific cloud storage, and AI services and technologies. The Guardian investigation said the storage of Palestinians’ phone records on Microsoft’s Azure cloud platform had facilitated deadly airstrikes and shaped military operations in Gaza and the West Bank. After a previous internal review in May, Microsoft said there was “no evidence” that its technologies have been used to target or harm people during the conflict in Gaza. On Thursday, Smith noted that Microsoft has a policy of respecting customer privacy, and that the company does “not access our customers’ content in this type of investigation.” He expressed “appreciation” for The Guardian report which revealed information that couldn’t be accessed in light of those “customer privacy commitments.” Microsoft said the decision will not impact its work protecting the cybersecurity of Israel and other countries in the Middle East, including under the Abraham Accords. Privacy advocates have been ratcheting up pressure on the EU in recent months to reconsider its data-sharing relationship with Israel, partially over concerns about its surveillance activities. The European Commission renewed an adequacy decision for Israel last year, meaning that the EU executive deems Israel’s privacy safeguards to be on par with the EU’s General Data Protection Regulation.

Ireland’s Data Protection Commission (DPC) has launched a fresh inquiry into TikTok’s transfers of personal data to Chinese servers, it said Thursday, following on from its investigation that led to a €530 million fine against the company in April. The Irish regulator in April was informed by TikTok of an issue that meant a limited amount of EU user data had been stored on servers in China, an issue it said it discovered in February. The discovery contradicted the firm’s long-held position that personal data of EU users was only accessed remotely by the platform’s staff in China. But it came only just before the investigation concluded. Because of this, the DPC did not investigate it fully. The regulator in April fined TikTok for not sufficiently protecting EU personal data from Chinese state surveillance. The DPC earlier this year expressed “deep concern” that TikTok submitted “inaccurate information to the inquiry.” In a statement on Thursday, it said it had decided to open a new inquiry into the personal data transfers to servers in China after consulting with other data protection authorities in Europe. The Irish regulator said the inquiry will focus on whether TikTok has complied with its obligations under the EU’s General Data Protection Regulation, including articles relating to accountability, transparency, cooperation with supervisory authorities and compliance with rules around data transfers outside of the EU. TikTok was notified earlier this week about the Irish DPC’s decision to launch a fresh inquiry. The company has been contacted for comment.