EU's reforms of GDPR, AI slated by privacy activists for 'playing into Big Tech’s hands' Privacy advocates are condemning the European Commission's leaked plans to overhaul digital privacy legislation, accusing officials of bypassing proper legislative processes to favor Big Tech interests. Max Schrems, founder of privacy group Noyb, warned: "One part of the European Commission (EC) seems to try overrunning …
EU/EC decision making happens at such a glacial pace that the AI bubble will have burst, and several huge AI-related personal data scandals will have occurred long before any changes are ratified.
Whether that will make any difference to the idealogues who seem to think that AI will cure all known ills, bring world peace, and finally reveal the question to which the answer is 42, remains to be seen...
I observe GDPR violations on daily basis. Conclusion: it typically does now work. Mostly because of missing expertise.
The actual challenge is IT security, not privacy. Most people had their data stolen multiple times already. GDPR does not help much.
The biggest negative side effect is enormous bureaucracy added to both business and gov sides. It costs taxpayers money, and companies to keep compliance departments. Law enforcement is overloaded or non scalable.
Reallocating resources from privacy (bureaucracy?) to security may lead to improvement of both.
… and not fit for purpose regulators like UK ICO allegedly working only to a harm inflicted basis - *largely ignoring small breaches - yet repeatedly allowing companies with massive breaches to legally bully them into fine reduction sweetheart deals.
British Airways the most egregious, but add Meta, M&S and hundreds of others.
* I don’t see the same dismissal of small scale breaches of the law being an excuse accepted by the Police, HMRC, DWP etc when pursuing ‘little people’ over minor road offences, 50p over earnings for Carer Allowance recipients, minor Self Assessment corrections or submission date misses. Indeed I see the mendacious wielding of the full Powers - and resources - of the State (or Crown Exemption) to bash little people into submission whilst allowing the wealthy to negotiate cut-price non-prosecute deals.
Yes the ICO isn't fit for purpose (or at least the current Commissioner isn't) but they fined BA the maximum they could under the law so I am not sure what else they could have done.
Last time I checked the ICO wasn't responsible for the pandemic and the financial crash of the aviation industry. Had there been no pandemic then the penalty would have been higher as it is based on the company profits st the time the MPN is issued
BA pleaded pandemic parsimony and saw their Magecart fine reduced from GBP183m to 20m:
https://www.theregister.com/2020/10/16/british_airways_ico_fine_20m
Quite what happened to all of the idiots responsible for Magecart getting in to begin with the stories do not tell. We can hope they all died of the plague, but I suspect not. From memory there were about six levels of mismanagement from the board decision to outsource down to the dodgy devs that let the criminals in. Again the tales do not tell if that was by intent or inept copy-and-paste.
My beef is that the fine originally issued in 2021 was for £183m, and BA plea bargained it down to £20m ‘due to Covid’.
I personally would have levied it as 10% profit share plus interest - until paid off. 25 year instalment plan. Fines are supposed to punitive to force behaviour adjustments..
That’s BA who
2020 Loss £2.33bn
2021 Loss £1.77bn
2022 profits £322’
2023 Profits £1.34bn
2024 Profits £2.05bn
BA got a free £2bn loan and other government support.
I didn’t get a pass on my taxes during Covid, and any financial support that was obtained was pretty miserable do the 3 months of furlough…. and HMRc fucked up my self-assessment.
Sorry but unless I misunderstand your point, I have to fundamentally disagree.
What "actual challenge" are we talking about? The whole purpose of the legislation was to safeguard the personal data of individuals. Of course it costs time and money to anyone processing personal data, because the alternative is that there are no safeguards, and that any one can do anything with anyone else's personal data.
Of course IT Security is a challenge, but the reason it's a challenge is BECAUSE of the need to try uphold privacy. To claim that because people have had data stolen before, we should just give up trying to protect it, would simply allow unrestricted abuse.
And that is why NOYB have an issue with this, because certain individuals in the EC seem to be saying currently that they think that the rights of "AI" to have unfettered access to every last possible piece of data about everything and everyone, everywhere, due to some nebulous idea that it is the panacea to all the world's problems, is more important than the ongoing battle to keep people's private date private.
Maybe we should start by releasing into the public domain every possible piece of information about those members of the EC - what they lied about on their CV's, how little time they spend actually doing their jobs, what embarrassing little medical problems they've had, how much they get paid including their side-hustles, what tax avoidance/evasion schemes they're involved in, all the affairs they've had - and then when they are shunned by their families and colleagues and laughed at in the street, they can explain what on earth they were thinking...
Sure, especially from parties that had not reason to store those data in the first place. Anyway, a lot of personal data use is not from stolen data, but from data captured without user consent, without users being informed, and using sleazy tactics. That's what GDPR is about.
Also, SMBs that don't attempt to make money from reselling data, and limit their gathering only to those required to fulfill sales, don't have a big GDPR overhead. Those who believe they need Facebook, Google, TikTok, Amazon etc. to boos their sales, and start to ask data they don't need "just because" - deserve to feel the weight of the whole GDOR.
GDPR violations are fined. Not all of them, because they need a due process that takes time, but that happens. Especially when people report them properly. They won't be fined otherwise, but in some outsanding cases.
Still big companies are lobbying heavily the politicians, in Italy the Trump-loving government had a fine agains Meta's "smart" glasses heavily reduced. As long as politicians are for sale, enforcing the law can't work.
Some are true, albeit naive, and believe AI could be really useful.
Most of them are just dreaming of the boarloads of money they have been promised, and are willingly to sell everything and everybody to make that dream come true.
Unluckily politicians also see in genrative AI the perfect propaganda machine. And don't want to lose the opportunity to use it at their own advantage - and again are willingly to sell everything and everybody (but themselves, of course) to ensure they keep their well paid seat.
Hey Siri, please generate me a UK stream of F1 Australian Grand Prix 2026 based on Apple having US TV rights from next season.
.. I’m sure if I asked Grok for the same, Princess Peach would be driving for Ferrari as it would have misxombjbed with MaeioKart Switch 2 in it’s LLM.
It was supposed to be exactly what we needed to protect us (or at least those who have not had their European citizenship stolen from them) from the Trumpistani tech bros, but I have never heard of its being used to do that.
Instead it's just used to frighten people who run small websites and email lists,
>> ... and the reforms may give AI systems a special exemption, allowing them to process data that would otherwise require a legitimate legal basis.
Aww. We can't have the poor AI bros having to play by the law, can we?
What is it with people doffing their hat to the clothes-less emperor?
@AC
"What is it with people doffing their hat to the clothes-less emperor?"
.. bribes of some sort probably - often not as unsubtle as brown envelopes full of cash these days*, but future lucrative excessively well remunerated directorships, lecture tours, consultancies etc
* Though UK king likes plastic bags full of cash (for his charities - cough!) rather than envelopes ... Qatar
Trump is only the (very) visible part of the iceberg.
The chipping away at the law and due process has been going on for a long time and, for me, its visibility started with Ajit Pai and his total disregard of established procedure.
Once that asshole demonstrated that law-abiding citizens actually have no recourse against criminals who don't give a damn, the floodgates were opened.
Now, we have the orange shitgibbon who is spreading the filth as far as he can and nobody can do anything about it.
Well, I have a few ideas, but I cannot expose them publicly.
In the end, it's the age-old question of who watches the watchers. Sometimes I think that a benevolent dictator is better than a failed democracy.
Fining a company doesn't return money to citizens - the fine usually goes back to the relevant treasury, and the state apparatus of enforcement (plus the theatre of organisational compliance) costs far more than the fines raise.
So when my data (like probably every single citizen of Europe) has been leaked, I didn't get a f***ing penny or euro-cent, either directly, or in terms of net benefit to the economy.
Largely the GDPR isn't that useful - the responsible companies comply with it, and the irresponsible ones flout the law and have very few consequences.
However, seeing as most decent companies have changed all their systems to cope with it, might as well keep it now.
Additionally it will *really annoy Zuckerberg, Musk, Altman, and a whole load of other tech bros* as they have to dedicate legal and technical resources, after they break the rules for the fifth time.
For that reason alone, we should keep it.
We don't have the Do Not Track flag any more, now we have the Global Privacy Control flag, in spite of DNT being legally recognised in Germany.
A few years from now that'll be removed and something else which does the same thing will be invented, and with all the messing about (new setting, implement client side, implement on servers, new legal backing) the uptake will be low which is the intention.
The legislative power in the EU is the council of ministers. Nowadays the claim is that parliament shares that legislative power with the council on equal footing as parliament has to approve the laws in the normal process. Why the council should have the same (or in some cases more) power than the parliament that is directly elected by the people is still a valid question. I do not see a compelling reason why parliament needs the commission to put forward a proposal either.
The bigger problem for votes on changes to GDPR that benefit big companies is that big companies can afford more lobbyists than the ordinary people in the EU. Most members of the european parliament act in a way that suggests they are not aware their primary job is to represent the people and act in the peoples interest.
Quote: ".....proposals carve myriad holes into regulations....."
They don't need to "carve" holes........
Link: https://www.theguardian.com/technology/2025/nov/24/civil-liberties-groups-call-for-inquiry-into-uk-data-protection-watchdog
.........perhaps the people who object to my description of GDPR as "a joke" might like to reconsider.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
