Overview
- The proposal would let AI developers rely on GDPR 'legitimate interest' to process personal data for training without prior consent, subject to necessity and proportionality checks.
- High‑risk AI duties are deferred by one year, with exemptions from registering narrowly used or procedural systems in the EU database.
- Cookie consent would be overhauled to curb pop‑up fatigue, including preferences set once at the browser or operating system level and less frequent prompts.
- The package adds administrative simplifications such as a single portal for data‑breach notifications and a central AI supervisory authority.
- Privacy regulators and civil‑society groups, including the Dutch AP, Noyb and a 127‑organisation coalition, warn of rights rollbacks and question whether industry and U.S. pressure influenced the draft.