Data Privacy Alerts

EU Proposes Major Reforms to GDPR and AI Act

Read this data privacy alert to learn about the revisions to the GDPR and the EU AI Act proposed by the European Commission.

Why This Alert Is Important

The European Commission has proposed the most substantial revisions to the GDPR and AI Act to date. These changes aim to reduce compliance burdens, clarify legal bases for AI-related data use, and streamline incident reporting. Organizations operating in or targeting the EU should take note, as the proposals could significantly alter how personal data is processed, consent is managed, and AI is deployed under EU law.

Overview of the Enforcement Action

On 19 November 2025, the European Commission unveiled a legislative package to modernize the EU’s digital regulatory landscape. The package introduces targeted amendments to the GDPR and AI Act, as well as reforms to related frameworks such as the ePrivacy Directive and cybersecurity incident reporting requirements. Framed as a simplification initiative, the changes are designed to foster innovation while preserving fundamental data protection rights.

Among the proposed changes, the Commission seeks to allow organizations to process personal data for AI development under the “legitimate interest” legal basis, provided existing safeguards are observed. The reforms would also standardize cookie consent mechanisms, requiring a one-click accept/refuse option and mandating that user choices be respected for at least six months. Additionally, the Commission proposes a unified portal for reporting data breaches and cybersecurity incidents, aiming to ease the administrative burden on controllers.

With regard to the AI Act, the package delays full compliance for “high-risk” AI systems until December 2027 and introduces exemptions for SMEs and mid-sized companies, including reduced documentation requirements and access to regulatory sandboxes. While some earlier leaked proposals suggesting the relaxation of protections for sensitive data were omitted, the overall direction signals a more flexible approach to AI regulation in the EU.

What It Covers

Key Implications and Developments

  • If adopted, the reforms could significantly reshape compliance strategies. The proposed use of “legitimate interest” for AI-related processing may enable broader data use in training and deploying models, easing restrictions that have hampered development under the current GDPR framework. The cookie consent updates could streamline user experience and reduce friction for businesses reliant on digital advertising, while also introducing new expectations for consent lifecycle management.
  • For organizations deploying high-risk AI, the delayed enforcement deadline offers additional time to operationalize compliance, but also introduces regulatory uncertainty. Companies may need to balance near-term innovation goals with the evolving legal environment. Moreover, the shift toward a single reporting interface for data incidents reflects a push for regulatory efficiency, but it will require adjustments to internal workflows.
  • The legislative process is ongoing and will involve negotiations with the European Parliament and Council. Until finalized, these proposals should be treated as a directional signal rather than settled law—but proactive preparation is advisable.

Expert Analysis

The European Commission’s proposed reforms to the GDPR and AI Act signal a significant shift in the EU’s digital regulatory landscape. The introduction of “legitimate interest” as a lawful basis for certain AI-related data uses can unlock meaningful innovation when paired with robust safeguards and transparent risk assessments. Streamlined cookie-consent requirements and a unified incident-reporting portal may simplify compliance, yet both will require organizations to revisit operational workflows and update internal processes. While the extended compliance timeline for high-risk AI systems provides welcome breathing room, further explanation is needed around scope, technical standards, and supervisory expectations. Privacy leaders should now focus on mapping data flows, reassessing consent and lawful-basis strategies, and strengthening governance structures to balance agility with accountability as these reforms take shape.

Aakritee Tiwari, Head of Legal and Compliance, VeeOne

Data Privacy Tip

Organizations leveraging personal data for AI development or operating in the EU should begin evaluating how the proposed changes might impact existing practices. Updating data flow maps, reviewing legitimate interest assessments, and ensuring cookie consent mechanisms align with the new expectations will help lay the groundwork for compliance, should these reforms be enacted.
