What's on the Horizon for Data Privacy and AI Laws as EU and US Show Signs of Easing Regulatory Burden for Businesses

Client Alerts • November 24, 2025

Over the past five years, businesses have faced an increasingly burdensome regulatory environment in the U.S. and European Union when it comes to data privacy and artificial intelligence laws. But pushback from the private sector, coupled with lackluster economic growth on both continents, could begin to ease some of that regulatory burden. There are indications from both the U.S. and EU of a turning point, as both sides of the Atlantic look to ease the regulatory burden without degrading protections afforded to individuals.

A digital omnibus package introduced this week includes revisions to the EU’s General Data Protection Regulation (GDPR), ePrivacy Directive (ePD), and AI Act that would materially change how key obligations operate in practice, such as narrowing when data is treated as personal data, expanding circumstances in which pseudonymized data may be reused for AI training, and softening certain automated decision-making and consent-related requirements. And in the U.S., President Donald Trump reopened the debate this month about whether state AI laws should be preempted by a federal law to streamline the legal requirements and avoid falling into the same privacy law patchwork.

European Union: Reopening Core Digital Protections

The move towards deregulation was the key theme of the "Draghi Report," which was published last year by Mario Draghi, the former prime minister of Italy and president of the European Central Bank. In a little over 300 pages, the report details the challenges facing the EU economy and how the EU can boost growth. Specifically, the report calls for streamlining GDPR, ePD, and the AI Act and cites studies showing that GDPR compliance can increase the costs for business by 20% on average.

On Wednesday, November 19, the European Commission introduced the Digital Omnibus package, which revisits foundational elements of the GDPR, the ePD, and the AI Act. The initiative signals a move toward deregulation. The proposal attempts to narrow the definition of personal data, increase the permitted uses of pseudonymized and anonymized data for AI training, and relax automated decision-making requirements. The package would also postpone compliance deadlines under the AI Act and reduce some consumer-facing requirements, such as cookie-banner obligations.

This recalibration is positioned as a modernization effort for Europe’s digital economy. However, businesses should be careful not to get ahead of themselves and attempt to make changes before the proposal is finalized. The proposal introduces short-term operational uncertainty at a time when many businesses had started to feel comfortable with their GDPR compliance posture. Therefore, before upending all the compliance work done over the past seven years, a cautious approach in the near term may reduce long-term thrash.

United States: Push for a Single Federal AI Standard

In the U.S., the president has renewed calls for a national AI regulatory framework that would preempt state laws. The move follows the rapid emergence of state statutes covering automated decision tools, hiring algorithms, transparency requirements, and bias-audit obligations. Businesses operating in multiple states increasingly face inconsistent definitions and compliance burdens.

Several paths for federal action are being discussed: incorporating AI preemption language into the National Defense Authorization Act, advancing standalone legislation with limited carve-outs, or allowing states to continue shaping the regulatory landscape without intervention. Each scenario carries different compliance implications, but the overarching trend is clear: Governance expectations for algorithmic transparency, fairness, and accountability will continue to expand regardless of the level of federal involvement. 

Global Outlook: What These Shifts Signal for the Future of Privacy Regulation

The regulatory shifts underway in both the U.S. and EU point toward a broader realignment of global privacy governance. Rather than expanding already-complex legal frameworks, policymakers appear increasingly willing to revisit foundational rules to accommodate rapid technological change and global competition in AI.

Three forward-looking trends are emerging:

  • Easing and streamlining of complex regulatory regimes to promote innovation. Policymakers are reassessing whether rigid, prescriptive frameworks constrain growth in AI, advanced analytics, and data-driven business models. Efforts like the Digital Omnibus package suggest a willingness to simplify compliance requirements, relax certain procedural obligations, and modernize concepts that have become operationally burdensome.
     
  • Other jurisdictions may follow suit by delaying or revising implementing regulations. Countries such as India, which is still finalizing rules under its Digital Personal Data Protection Act, may adopt similar delay-and-recalibrate strategies. By slowing implementation or revisiting key definitions, regulators can buy time to align their regimes with fast-moving global AI norms and avoid locking in premature or impractical obligations.
     
  • Enforcement approaches may shift as streamlined rules create less patience among regulators. As certain legal requirements become more focused and less prescriptive, regulators may expect faster compliance and stronger operational execution. Simplified frameworks often come with more direct enforcement, fewer excuses for noncompliance, and a greater emphasis on demonstrable governance rather than formalistic documentation.

Taken together, these trends could reflect a turning point: Global privacy laws may become more flexible, iterative, and intertwined with AI governance. Organizations should prepare for a future in which regulatory frameworks evolve more frequently, enforcement becomes more targeted, and compliance obligations require greater operational agility.

Conclusion

Global digital regulation is moving into a new phase, which is defined less by rigid rules and more by continuous recalibration. Companies that invest now in adaptable governance, transparent practices, and resilient cross-border data strategies will be best positioned to navigate the shifting landscape and mitigate risk.

For more information, please contact us or your regular Parker Poe contact.