Europe is scaling back GDPR and relaxing AI laws

This is criminal.

> One change that’s likely to please almost everyone is a reduction in Europe’s ubiquitous cookie banners and pop-ups. Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.

Finally!

> The EU folds under Big Tech’s pressure.

This is a very odd framing, because the actual reason from quotes in the article is that the EU is acutely feeling the pain of having no big tech companies, due in part to burdensome privacy regulations.

The pressure isn't really from big tech, it's from feeling poor and setting themselves up as irrelevant consumers of an economy permeated by AI.

I used to live and work in EU, get out of EU before it is too late.

Incredible to see the 180 both from EU and also from the HN sentiment. HN was cheering on as EU went after Big Tech companies, especially Meta. Meta is no perfect company, but the amount of 'please stick it to them' was strong (I reckon that is still a bridge too far for a lot of folks here).

Even extreme proponents of big tech villanery in the US (Lina Khan's FTC) is also facing losses (They just lost their monumental case against Meta yesterday).

What I really want to see is Meta getting irrelevant ON MERIT. People stop using Meta products, and then I want to see it die. But not by forcing the hand - that's bad for everyone, especially the enterpreuer / hacker types on this site

Does anyone have a link to the proposal, preferably on the EU website?

I'd like to see for myself, as I don't consider moving the consent method from the webpage to the browser settings "watering down" — it's the opposite.

About time. Startups and innovative business simply cannot get investment when there's the constant risk of a new AI Act massively increasing compliance and legal costs.

But it's not enough - they need to completely repeal the DSA, AI Act, ePrivacy Directive, and Cybersecurity Act at least. And also focus on unifying the environment throughout the EU - no more exit taxes, no need for notaries and in-person verbal agreements, etc.

There's just so much red tape and bureaucracy it's incredible. You can't hire or pay payroll taxes across the EU (without the hire relocating) - that's a huge disadvantage compared to the USA before you even get into the different language requirements.

> users would be able to control others from central browser controls that apply to websites broadly.

Great to see this finally. It’s obviously the way it should have been implemented from the beginning.

We still see this technically myopic approach with things like age verification; it’s insane to ask websites to collect Gov ID to age verify kids (or prove adulthood for porn), rather than having an OS feature that can do so in a privacy-preserving way. Now these sites have a copy of your ID! You know they are going to get hacked and leak it!

(Parents should opt their kids phones into “kid mode” and this would block age-sensitive content. The law just needs to mandate that this mode is respected by sites/apps.)

Poor Europe - lobbyists make sure that Europe stays weak.

That statement includes Ursula by the way.

Companies made cookie banners as obnoxious as possible, because they knew that by making people hate the banners, the population would turn against the GDRP

That's a pity, the government fails to capitalize on its own policies because they fail to set up long term investment. First environmental and e-Mobility and now AI.

Sure, there's way too much bureaucracy. But I see there things like taxes, regulations about the cucumber radius etc.

This is such an important change for Europe. I've worked with 100+ start-ups as a consultant, and I've talked to EU ones who have been strangled by some of the regulations.

Is EU suffering from FOMO?

As an EU citizen, this is shameful and even kind of pathetic to read.

Will we start outsourcing all our IT needs to USA again?

Good, GDPR is useless for the consumer as 99% of the people click "Accept everything". It's only a few of us who care about this kind of thing and we shouldn't have policy made for the 1%.

I hope the changes they implement will actually benefit small startups instead of relaxing regulations for large data hoarders.

I sympathize with the startup argument: heavy compliance costs can stifle early innovation. But the solution shouldn’t be “weaker rules.” It should be smarter rules, clearer safe harbors for small actors, browser-level consent primitives for users, and stronger enforcement against dark-pattern CMPs. That keeps privacy meaningful without killing small businesses.

Does this mean that whois information can come back? The destruction of the whois databases by GDPR really made the internet a more closed, proprietary place. No more could one just contact the people behind any domain and communicate... pretty much impossible after GDPR came into effect. Especially if you don't use twitter/corporate crap.

Too late , and it's not just because of the regulations but the whole mentality. This will probably lead to a series of committees about how to scale back the laws which will create new rules which will be put in place, and then the career eurocrats will move on to their next job, without anyone ever being held accountable for the mistakes of the past. Without such accountability every regulation will be excessive, even the scaling-back regulation. Such a process oriented, and feels-over-reals environment is not attractive to competitive business

Europe learn the hard way that you cant have a cake and eat it too

EU introduces Chat Control, then scales back GDPR, what's left? Digital ID and digital currency (with no possibility of paying by cash)?

In comparison with healthcare information systems the GDPR is really not that hard to follow. You can get guides for business owners which can be read and understood in under an hour.

If you design your system according to the guidelines you usually end up with a product where it's easier to service your customer (eg. with full account exports). Deleting inactive accounts is great because it means less migration headaches in the future.

This is also why our privacy statement starts with "We […] don’t really want your personal data."

The news feels bittersweet. With 10+ of experience in healthcare AI, I have seen enough shitty products to genuinely welcome strict regulation for critical sectors; however, this shift threatens to dilute the sense of urgency that was growing in the sector.

We recently built a platform specifically to navigate the complex intersection of MDR (Medical Device Regulation) and the AI Act, relying on the pressure of hard deadlines. By introducing flexible timelines linked to technical standards, the EU risks signaling that compliance is a secondary concern, potentially stalling the momentum... and at this point patient safety is my biggest concern, not our platform

This introduces chaos rather than relief. Companies do not need lower standards; they need clarity.

We can compete effectively against high standards as long as the rules are clear. EU AI Act was clear. This proposal substitutes the certainty of a high bar with the confusion of a sliding scale, which may hinder the industry more than it helps :/

It's crazy how many adults think regulation is free, especially here. All consuming vague regulations like GDPR increase the cost of a startup by 500%. Europe should have just banned startups entirely. It would have the same effect.

Imagine being a college student with 240 hours and $1,000 to release an MVP over the summer. How long would it take to read GDPR yourself, 100 hours? How much would it cost to hire a lawyer verify that your startup meets GDPR guidelines, $5,000? It would be almost impossible for any young person to start a business. GDPR was obviously a failure from the start. Anyone who couldn't see that has a child's understanding of business. Grow up.

> The changes, proposed by the European Commission, the bloc’s executive branch, changes core elements of the GDPR, making it easier for companies to share anonymized and pseudonymized personal datasets. They would allow AI companies to legally use personal data to train AI models, so long as that training complies with other GDPR requirements.

Put together and those two basically undo the entire concept of privacy as it’s trivially easy to target someone from a large enough “anonymous” set (there is no anonymous data, there only exists data that’s not labeled with an ID yet)

Does this mean fewer less-annoying cookie pop ups?

The EU is a great example of a spineless paper tiger to Big Tech and is the reason why AI startups run to the US.

Promoting degrowth is the best way to lose the race and the EU have finally admitted that they got it completely wrong.

That is too bad, I had hope in this case regular people would win and get privacy we deserve. But as always big money wins, it just takes time.

@complaintvc on X has been doing amazing work in this area.

The EU, especially the EU post 2008, seems to be infatuated with regulation it has likely bitten them with their lackluster GDP growth and their very lackluster AI developments.

I suspect that this is too little too late, and more importantly I highly doubt it signals a shift in the biases/incentives of the EU regulators. The second the scrutiny is off of them they will go back to their ways. It is their nature.

(I look forward to the loss of karma. I hope that the link to @complaintvc at least makes a few people chuckle).

Let me steelman the new proposal a little bit:

You run a merch store. You want to share with your suppliers order data so that you can get the right number of sizes/colors/etc. Is this PII under GDPR rules? Technically, yes! Not only is there information on gender, but also people's height and weight and maybe even family makeup. Does it make sense to call this data sub-processing? Eh? Maybe? (To my knowledge, I don't know if any examples like this actually caught any enforcement.)

Under the new proposal, sharing this data is okay, so long as you use pseudo-anonymous identifiers (customer-1234, customer-1235). You still can't share sensitive identifiers (name, address, email, login, etc).

Obviously the elephant in the room is AI and training data. But this also simplifies a lot of the ticky-tacky areas in GDPR where PII rules are opaque and not-consistently enforced anyway.

Cowards.

If the EU passed GDPR despite knowing it would be offensive to the US and big tech, why would they now care that it's offensive to the US and big tech?

The article claims this is because of big tech and Donald Trump. It just states that they have applied pressure. I would love to see more information on how those forces specifically are precipitating the change.

Meanwhile the EU commission claims that this is for the benefit the European tech sector.

>our companies, especially our start-ups and small businesses, are often held back by layers of rigid rules

The latter seems like the more obvious explanation and what critics said about GDPR all along.

It would have been nice if we instead had actually enforced these rules and given the world an alternative digital regime. I suspect it would eventually seem quite attractive to most.

"Well, you can say what you like but it doesn't change anything 'Cause the corridors of power, they're an ocean away"

https://www.youtube.com/watch?v=Xpo2-nVc27I

How about this as a privacy law: if you collect data about people without their EXPLICIT permission[1] you can be charged with digital stalking. Same principle as stalking; escalating penalties for repeat offenses and for doing so in bulk or en masse.

EDIT: And you cannot share information gained by permitted collection unless EXPLICIT permission to share is granted.

[1] Eg: it's not sufficient to disclose this in equivocal text buried in 25k lines of EULA text.

From Europe, I agree with big tech getting it. But i dont agree with random flower shop somewhere getting fined because they dont know how to deal with a fcking complicated, ever-changing law that is designed for megacorps who have the cash to just keep paying the fine and abusing everyone. I also dont agree with dealing with fcking cookie banners on every other website either.

The law got SO convoluted over 9 years of interpretation by the European courts that its now impossible to be 100% compliant. It now requires you to give an easy 'Accept' button to accept the listed cookies at the first pop up, but penalizes you if the user actually uses it to accept cookies because the user has to manually go through all the listed cookies and approve them by hand one by one.

So:

- If you dont provide the easy 'accept' button, you are in violation.

- If you do and the user actually clicks it, you are still in violation because you didnt make the user approve each cookie one by one

- If you give a list of cookies to the users and force the user to manually approve what he wants in the first pop up, you are still in violation because its not easy and your easy 'Accept' button is meaningless as a result

Its a sh*tty law that got more complicated over time and only helped megacorps.

People need to understand that the early days of the Pirate Party are gone and the current crop of tech-savvy politicians that remain from those days are those who made a career out of it. And like every politician who made a career out of something, the only way for those politicians to keep getting elected is by doing 'more' of what they have been doing. So they just keep bloating tech regulation to keep their career, making it difficult for everyone but the large corporations. It must also be noted that some of them sold out and are basically the tech lobbies' henchmen, pushing for American-style legislation to build regulatory moats for big corporations.

While this is being done to boost corporations, it also must be said that GDPR just did not work. It became impossible due to constant reinterpretations and decisions of the Eu courts over time. Big corps just violate it by counting the eventual fines as a cost of doing business. Small corps and individuals get shafted. It ended up like the 'regulatory moat building' that so frequently happens in the US.

While they are at it, the EU should also correct another sh*tty law: The Digital 'Resilience' Act (or whatever it was) that holds the Open Source developers responsible for unlimited fines for security issues in their projects.

The Open Source community fought it, and thought that it won a concession, but it really was not a concession: The Eu commission will 'interpret' the law. So it will be interpreted politically - or worse, lobby-driven - with every other Eu commission that takes office.

The law does not allow you to make any kind of income from your open source project in ANY way, and basically forces you to be free labor for megacorps. Charging for support? Responsible for fines that can go up to millions of Euros. Charging for 'downloads'. Same. Licenses? Same.

It looks like this was another law pushed by Eu big software lobbies: Cripple any small player that may be a competitor by building a moat against small players and those pesky Open Source startups that may challenge your online service, but still keep Open Source developers as the free labor for your company's infrastructure.

The tech legislation landscape in the Eu has been co-opted by Eu megacorps. Like I said in another comment, we arent in the early days of the Pirate Party anymore. Now career politicians and sold-out lobbyists make laws to protect megacorps. Therefore Im against any new tech legislation from the Eu, despite having been an early Pirate Party advocate back when even using the word 'pirate' put you in legal trouble.

the consequences of their laws is pushing their hands

Related:

Europe's cookie nightmare is crumbling. EC wants preference at browser level

https://news.ycombinator.com/item?id=45979527

This is infuriating. Running a startup myself, I don't have GDPR banners on my website, nor do I engage with any of the red tape associated with storing GDPR-regulated data. Why? Despite the flagrant misinformation being sown, GDPR doesn't apply for normal, useful-to-developers data collection. It is perfectly fine to use functional cookies like session storage and collect basic anonymous telemetry about how your site is being used, so long as there is absolutely nothing that ties it to a specific individual. Like the vast majority of businesses, I don't handle payment processing myself, so I have no need for any identifying information to ever grace my database.

From Microsoft's simple overview of GDPR for startups: https://learn.microsoft.com/en-us/microsoft-365/admin/securi...

> The GDPR is concerned with the following types of data:

> Personal data: If you can link data to an individual and identify them, then that data is considered personal with respect to the GDPR. Examples of personal data include name, address, date of birth, and IP address. The GDPR considers even encoded information (also known as "pseudonymous" information) to be personal data. If the encoded data can be linked to an individual, the data is considered personal, regardless of how obscure or technical the data is.

> Sensitive personal data: This data adds more details to personal data. Examples include religion, trade union membership, ethnic origin, and so on. Sensitive personal data also includes biometric data and DNA. Under GDPR, sensitive data has more stringent protection rules than personal data.

So when articles like this say "regulations are strangling small businesses", they aren't talking about the cost of compliance with unnecessary overhead, nor about being "forced" to have an unnecessary cookie banner. They're talking about being required to get consent before collecting and selling your personally identifying information. That is the regulation that's "strangling" them, and what they're aiming to change. If you don't engage in that behaviour, your small business probably isn't regulated by the GDPR in the first place.

It is particularly frustrating to see this proposed change coming after the EU finally started cracking down on cookie banner abuse in court this year. It is now being legally enforced that, if you do have a consent banner, you must have a "reject" button that is equally as prominent as the accept button, not hidden away in a sub-menu. There are still many sites that aren't compliant, but this has been a markedly huge improvement to the web experience. It was disastrously long overdue, and that was a failure on the EU's part, but it vexes me to see people frustrated with cookie banners cheering on the death of GDPR to automate data collection without consent when the actual solution was simply for the existing law to be enforced properly.

Shameful decision, caving to foreign capital interests.

Do better, EU.

Previously:

European Commission plans “digital omnibus” package to simplify its tech laws

https://news.ycombinator.com/item?id=45878311

>One change that’s likely to please almost everyone is a reduction in Europe’s ubiquitous cookie banners and pop-ups. Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.

Wait, what? So they are now mandating browsers implement this? Also, something bothers me about the conflation of regulators changing the regulation (accurate) with regulators changing the thing that resulted from the previous version of the regulation (inaccurate). They arent getting rid of the cookie banners. They are changing the underlying rules that gave rise to them. It remains to be seen what the effects of the new rules will be.

Yet again, European countries are showing who their leaders are: US Big Tech

No wonder we default to Google Chrome on Microsoft/Apple systems, and American social platforms, to debate issues affecting EU citizens