Dutch Data Privacy Authority flags risks in EU proposals on AI and data rules

The Dutch Data Protection Authority (AP) supports the European Commission’s push to streamline rules on AI, cybersecurity, and data flows, but stresses that human rights protection must not be weakened, the AP said Wednesday.

The European Commission aims to reduce the regulatory burden on European companies, giving them more time for technological innovation. On Wednesday, it unveiled a proposal that would allow consumers to accept or reject cookies just once every six months, addressing what is known as “cookie fatigue.”

The AP warns that the proposal contains changes that could affect both people’s rights and the protection of their personal data. “Even small tweaks on paper can have a major impact in practice, undermining individuals’ control over their own data,” the authority said.

The Commission also plans to create a single reporting point for data incidents, replacing the current system where companies must notify multiple regulators and authorities.

According to the Commission, the proposal will not weaken personal data protection or other security standards. The AP, however, notes that the Commission has not examined the possible impacts and cautions against rushing the changes.

“New applications using data and artificial intelligence are welcome,” the AP said, “as long as people remain in control of their data and these applications are safe.” The AP believes such applications should be designed “from the start” with human privacy and autonomy in mind.

The AP also warned that it is risky for the government to gather public information on citizens to check compliance with rules. The Ministry of Justice plans to use specialized software to gather information from public sources, including social media, classified ads, and online forums, a practice known as open source intelligence (OSINT).

AP chair Aleid Wolfsen warned that this can be highly intrusive, even when the data is publicly available. “The key question is under what circumstances such surveillance is justified,” Wolfsen said, “and at the moment, there is no legal framework to provide guidance."

According to the regulator, collecting data without firm safeguards could lead to a situation that mirrors “a surveillance society where citizens may be under continuous observation.”