Is GDPR About to Change? What the Latest EU Privacy Debate Means for AI, Personal Data, and Compliance
Jamie Vinkle
Privacy & Compliance
May 19, 2026

For nearly a decade, GDPR has shaped how organizations collect, process, store, and govern personal data across Europe. It has also influenced privacy regulation far beyond the EU, setting the tone for how companies around the world think about consent, transparency, individual rights, breach reporting, and data governance.
Now, GDPR may be approaching an important fork in the road.
Recent proposals from the European Commission have sparked debate with European data protection regulators over how GDPR should evolve, especially in a digital environment increasingly shaped by AI, pseudonymized data, biometric identification, cookies, and large-scale data processing.
At the center of the debate is a deceptively simple question:
How much should GDPR change to support innovation without weakening privacy protections?
The answer is still unfolding. But the direction of the debate matters for privacy teams, legal teams, marketing teams, AI companies, and any organization that relies on user data to power digital experiences.
The fight over the definition of personal data
One of the most significant proposals centers on how personal data itself should be defined.
According to the discussion, the European Commission proposed that data may not be considered personal data for a company if that company does not have the means to easily reidentify the person behind it. In other words, if a company cannot reasonably connect the data back to an individual, the data could potentially fall outside the scope of GDPR for that organization.
Regulators have pushed back strongly on this idea.
Their concern is that this could create a subjective loophole. If the definition depends heavily on whether a specific company claims it can or cannot reidentify an individual, the scope of GDPR could shrink significantly. That matters because many modern datasets are not obviously identifiable at first glance, but can still become identifiable when combined with other data sources, tools, vendors, or third-party systems.
This is especially important in marketing and advertising environments, where identifiers, behavioral data, device signals, pseudonymized records, and platform-level data can often be stitched together in ways that are not immediately obvious.
The risk, from the regulator perspective, is that companies could treat more data as “non-personal” simply because they do not directly hold the key to reidentification, even if reidentification remains possible elsewhere in the ecosystem.
For businesses, this debate is worth watching closely. A narrower definition of personal data could reduce compliance obligations in some cases, but it could also introduce legal uncertainty. If regulators, courts, and companies interpret identifiability differently, organizations may face more confusion, not less.
AI training and the legitimate interest debate
The second major issue is AI.
As AI systems become more powerful, companies need more data to train, improve, and personalize models. The European Commission appears to be exploring whether companies should be able to rely more heavily on “legitimate interest” as a basis for training AI systems on user data without explicit consent.
Regulators argue that this may not be necessary.
Existing guidance already allows companies to rely on legitimate interest in some AI-related scenarios, but only when the organization passes the usual three-part test: it must clearly define the interest, show that the data use is necessary to achieve it, and show that the individual's rights and interests do not override the company's purpose.
That is a much narrower standard than a broad permission slip for AI training.
The concern is that a looser rule could give large technology companies and AI platforms too much room to collect and process user data at scale. In the worst-case version of this, companies could use data from websites, advertising tools, marketing platforms, or public internet sources to improve models without meaningful user awareness or control.
That is why this debate is bigger than AI companies alone.
If the rules shift, marketing, privacy, legal, and data teams may need to revisit how user data flows into third-party tools, whether that data could be used for model training, and whether current consent and governance models are strong enough.
Breach reporting may become more practical
Not every proposed change is controversial.
One area where there appears to be more agreement is breach reporting. Today, Article 33 of GDPR requires a controller to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals. The discussed update would extend that window to 96 hours and raise the reporting threshold further, so that minor, harmless breaches would more clearly fall outside the duty to report.
For businesses, this could be a practical improvement.
Privacy and security teams often need to move quickly during an incident, but they also need enough time to understand what happened, what data was involved, whether individuals are at risk, and what actions need to be taken. An extra 24 hours could help teams provide more accurate reporting, instead of rushing to submit incomplete information.
Raising the threshold for minor incidents could also help regulators focus on meaningful risks rather than low-impact events that create administrative burden without improving user protection.
This is the kind of change businesses are more likely to welcome: less noise, more clarity, and a better balance between operational reality and regulatory accountability.
Local biometric identification may get clearer rules
Another area of agreement appears to involve biometric identification.
The discussion notes that biometric identification may be considered safe under GDPR without consent if the process happens locally on the user’s device.
This distinction matters.
There is a major difference between biometric data being processed locally, such as on a phone for authentication, and biometric data being collected, stored, transferred, or analyzed by external systems. Local processing can reduce risk because the biometric data does not need to leave the user's device. The line is crossed as soon as a raw capture, a template, or an embedding is sent elsewhere for enrollment or matching, even if the comparison itself is quick and the result is only a yes or no.
For businesses building authentication, identity, fraud prevention, or security features, this kind of clarification could be helpful. It may give teams more confidence in privacy-preserving biometric use cases, provided the processing remains local and tightly controlled.
DSAR abuse is getting attention
Data Subject Access Requests, or DSARs, are a key part of GDPR. Strictly, a DSAR exercises the right of access: it lets an individual obtain a copy of their personal data and understand how it is being used. In practice, the same intake channel usually also handles related rights requests, such as erasure and rectification, and the abuse concerns below apply to all of them.
But companies have also seen cases where DSAR workflows are abused or automated in questionable ways.
The episode discusses guidance that would allow companies to reject bad faith DSARs, as long as they can provide evidence. This could help organizations deal with requests that appear to come from third parties acting without clear user authorization, or from companies sending mass deletion requests without genuinely representing the individual.
This is a meaningful development for privacy operations teams.
DSARs can be time-consuming and resource-intensive. Organizations still need to respect legitimate user rights, but they also need a way to manage requests that appear abusive, fraudulent, or disconnected from the actual individual.
The key phrase here is “with evidence.”
Businesses should not treat this as permission to dismiss inconvenient requests. Instead, they should strengthen their intake process, authentication workflows, documentation, and audit trails so they can clearly separate legitimate requests from bad faith activity.
Cookie rules remain unresolved
The cookie debate is still very much alive.
One proposal discussed in the episode would move cookie rules from the ePrivacy Directive into GDPR. The Commission also floated the idea that low-risk cookies, such as certain audience measurement cookies, may not require consent.
On paper, that could simplify things.
In practice, it depends entirely on the definitions.
For example, when does an audience measurement cookie become low-risk? What happens if the audience size is small enough that a user could be singled out? How should identifiers, tracking technologies, and consent requirements be defined across different use cases?
This is where privacy rules often get messy. If the language is too vague, businesses may interpret the rules differently, regulators may enforce them differently, and users may end up with less meaningful control.
For marketing and analytics teams, this is an important area to monitor. Cookie rules directly affect measurement, attribution, personalization, audience creation, and campaign performance. Any change could reshape how teams collect and activate data across the digital customer journey.
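The two concerns above, reidentification by combining datasets and singling out within a small audience, can be checked directly against a dataset rather than argued about. The following Python example is added here and is not part of the original post; the analytics records, the CRM records, and the quasi-identifier columns are constructed for illustration. It shows that a "pseudonymized" dataset with no names can still be linked back to people when another party holds the same quasi-identifiers, and that coarsening those columns (the usual k-anonymity remedy) removes the unique matches.

```python
"""Linkage and singling-out check over a pseudonymized dataset.

Added example with constructed data; not code from the original post.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Sequence, Tuple

# Constructed "non-personal" analytics records: the direct identifier has been
# replaced by an opaque token (pid), but the quasi-identifiers remain.
ANALYTICS = [
    {"pid": "a91f", "postcode": "SW1A", "birth_year": 1984, "device": "Pixel 8"},
    {"pid": "c02d", "postcode": "SW1A", "birth_year": 1984, "device": "iPhone 15"},
    {"pid": "77be", "postcode": "M1",   "birth_year": 1990, "device": "iPhone 15"},
    {"pid": "e4a0", "postcode": "M1",   "birth_year": 1990, "device": "iPhone 15"},
    {"pid": "b3c9", "postcode": "EH1",  "birth_year": 1975, "device": "Galaxy S24"},
    {"pid": "f1d2", "postcode": "EH1",  "birth_year": 1975, "device": "iPhone 15"},
]

# Constructed identified records held elsewhere in the ecosystem (a CRM, a
# vendor, a public register) that happen to carry the same quasi-identifiers.
CRM = [
    {"name": "A. Example", "postcode": "SW1A", "birth_year": 1984, "device": "Pixel 8"},
    {"name": "B. Example", "postcode": "SW1A", "birth_year": 1984, "device": "iPhone 15"},
    {"name": "C. Example", "postcode": "M1",   "birth_year": 1990, "device": "iPhone 15"},
    {"name": "D. Example", "postcode": "EH1",  "birth_year": 1975, "device": "Galaxy S24"},
]

# Quasi-identifier column sets (hypothetical names chosen for this example).
QUASI = ("postcode", "birth_year", "device")
COARSE = ("postcode", "birth_year")  # generalized: device dropped


def key(rec: dict, quasi: Sequence[str] = QUASI) -> Tuple:
    """The quasi-identifier tuple a record would be joined on."""
    return tuple(rec[q] for q in quasi)


def group_sizes(records: List[dict], quasi: Sequence[str] = QUASI) -> Counter:
    """Number of records sharing each quasi-identifier combination."""
    return Counter(key(r, quasi) for r in records)


def min_k(records: List[dict], quasi: Sequence[str] = QUASI) -> int:
    """k-anonymity of the dataset: size of its smallest equivalence class."""
    return min(group_sizes(records, quasi).values())


def singled_out(records: List[dict], quasi: Sequence[str] = QUASI) -> List[str]:
    """Tokens whose quasi-identifier combination is unique (k == 1).

    Singling out is a risk on its own, even before any name is attached.
    """
    sizes = group_sizes(records, quasi)
    return [r["pid"] for r in records if sizes[key(r, quasi)] == 1]


def link(pseudonymized: List[dict], identified: List[dict],
         quasi: Sequence[str] = QUASI) -> Dict[str, str]:
    """Reidentify by joining on quasi-identifiers.

    Only combinations that are unique on BOTH sides give an unambiguous match;
    anything ambiguous is left out rather than guessed.
    """
    by_key = defaultdict(list)
    for rec in identified:
        by_key[key(rec, quasi)].append(rec["name"])
    sizes = group_sizes(pseudonymized, quasi)
    matches: Dict[str, str] = {}
    for rec in pseudonymized:
        k = key(rec, quasi)
        if sizes[k] == 1 and len(by_key.get(k, [])) == 1:
            matches[rec["pid"]] = by_key[k][0]
    return matches


if __name__ == "__main__":
    for quasi in (QUASI, COARSE):
        print(f"quasi-identifiers {quasi}: k={min_k(ANALYTICS, quasi)}, "
              f"singled out={singled_out(ANALYTICS, quasi)}, "
              f"linked={link(ANALYTICS, CRM, quasi)}")
```

With the full column set, four of the six tokens are unique and three of them join cleanly to names in the other dataset; the token f1d2 is singled out but not linkable only because this particular CRM happens not to contain that person. Dropping the device column brings every class to k=2, at which point no record can be singled out or linked. That is the practical version of the regulators' point: whether data is "personal" depends on what can be joined to it elsewhere, not just on what the holder keeps in its own table.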
What happens next?
The transcript suggests that some AI-related decisions connected to the omnibus bill could take effect around August 2026, while the broader package may continue into 2027.
The likely outcome is not a complete rewrite of GDPR. It is more likely to be a selective evolution.
Some proposals, especially around redefining personal data and expanding legitimate interest for AI training, may face significant resistance. Other changes, such as breach reporting extensions, biometric clarification, and bad faith DSAR handling, may have a better chance of moving forward.
For businesses, the takeaway is clear:
Do not assume GDPR is standing still.
The regulation is evolving alongside AI, tracking technologies, identity systems, and digital business models. But that evolution will likely be uneven, contested, and highly nuanced.
What businesses should do now
Companies do not need to panic, but they should prepare.
Privacy, legal, marketing, and security teams should start by reviewing where personal data, pseudonymized data, and user identifiers exist across their systems. They should understand what data flows into AI tools, analytics platforms, advertising systems, tag managers, consent tools, and third-party vendors.
They should also revisit DSAR workflows, breach response processes, biometric use cases, and cookie consent models.
The goal is not to predict every regulatory outcome. The goal is to build enough visibility and control that the business can adapt when the rules become clearer.
Because whether GDPR changes slightly or significantly, one thing is already true:
Organizations will need a clearer understanding of what data they collect, where it goes, how it is used, and whether user choices are being respected across the full digital journey.
That is the new privacy baseline. And as AI increases the pressure on data collection and data use, that baseline is only going to matter more.
Author
Jamie Vinkle
Jamie is a Senior Product Marketing Leader known for driving impactful go-to-market strategies and maximizing sales revenue. With a focus on collaboration and customer insights, he empowers teams to deliver results that align with business goals and exceed expectations.