Europe is scaling back its landmark privacy and AI laws

54 comments

·November 19, 2025

bitpush

Incredible to see the 180 both from EU and also from the HN sentiment. HN was cheering on as EU went after Big Tech companies, especially Meta. Meta is no perfect company, but the amount of 'please stick it to them' was strong (I reckon that is still a bridge too far for a lot of folks here).

Even extreme proponents of big tech villanery in the US (Lina Khan's FTC) is also facing losses (They just lost their monumental case against Meta yesterday).

What I really want to see is Meta getting irrelevant ON MERIT. People stop using Meta products, and then I want to see it die. But not by forcing the hand - that's bad for everyone, especially the enterpreuer / hacker types on this site

radicalbyte

There has been a change in the community here over the last decade, we've lost a lot of the hacker spirit and have a larger proportion of "chancers", people who are only in tech to "get rich quick". The legacy of ZIRP combined with The Social Network marketing.

GardenLetter27

Hackers should know the government is never on your side.

sandworm101

The hackers are still here, lurking in the shadows. Bananas. They are just tired of being berated by fanboys anytime they criticize the will of the tech bros. There is no fun in typing out a well-researched answer only to face a torrent of one-second "nah, you are wrong" replies mixed in with AI slop. Bananas.

yardie

I believe the FTC had a case years ago. But the market has moved on. YT took off backed by Alphabet capital. Tiktok took off withe Bytedance capital. There was a time when FB/IG/WA commanded most of social media. And Meta did use that clout in some pretty grotesque ways.

Prior to 2020, FTC would have had a much stronger case. But too little too late.

__loam

It's pretty telling that people here think enforcement of anti-trust laws that are already on the books is "extreme". The implicit goal of half of tech startups is basically becoming the platform for whatever and getting a soft monopoly, so I guess it's not surprising that that people who are temporarily embarrassed monopolists have these views.

GardenLetter27

Look at what happened to iRobot vs. Roborock though.

surgical_fire

I live in EU. I am totally in support to force Meta down through government's big stick.

While they are at it, I hope they do it to the other big techs too.

Being a "hacker type" (whatever that means) does not equate to being complacent to these companies abusing their economic power.

jonesjohnson

Then I propose you should support https://noyb.eu/

Their track record is pretty good.

stavros

Yeah, seconded, and I also live in the EU.

kmeisthax

> What I really want to see is Meta getting irrelevant ON MERIT.

That happened a decade ago. Users dropped from Facebook like flies and moved to Instagram. Mark Zuckerberg's response was to buy Instagram. The Obama DOJ waved through what was obviously a blatantly illegal merger.

Likewise, Google's only ever made two successful products: Search and e-mail. Everything else was an acquisition. In fact, Google controlled so much of the M&A market that YCombinator (the company that runs this forum) complained in an amicus brief that they were basically being turned into Google's farm league.

So long as companies can be bought and sold to larger competitors, no tech company will ever become irrelevant. They'll just acquire and rebrand. The only way to stop this is with the appropriate application of legal force.

schnitzelstoat

> One change that’s likely to please almost everyone is a reduction in Europe’s ubiquitous cookie banners and pop-ups. Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.

Finally!

aurareturn

So they finally admit that it was a mistake.

Even EU government websites had annoying giant cookie banners.

Yet, some how the vast majority of HN comments defend the cookie banners saying if you don't do anything "bad" then you don't need the banners.

basisword

It worked to highlight the insane amount of tracking every fucking website does. Unfortunately it didn’t stop it. A browser setting letting me reject everything by default will be a better implementation. But this implementation only failed because almost every website owner wants to track your every move and share those moves with about 50 different other trackers and doesn’t want to be better.

GardenLetter27

You can just set your browser not to send whichever cookies you don't want to.

Cookies are a client-side technology.

Why does the government need to be involved?

m00dy

worst implementation ever. I bet it is the reason that most people are now taking anti depressants.

amelius

Can we get the do-not-track header instead?

https://en.wikipedia.org/wiki/Do_Not_Track

Because that made more sense than the cookie banner ever did.

Edit: it looks like there is a legal alternative now: Global Privacy Control.

stavros

Instead of what? Instead of the central browser controls?

jonesjohnson

the issue was never the law.

the issue were the 100s of tracking cookies and that websites would use dark patterns or simply not offer a "no to all" button at all (which is against the law, btw.)

Most websites do. not. need. cookies.

It's all about tracking and surveillance to show you different prices on airbnb and booking.com to maximise their profits.

https://noyb.eu/en/project/cookie-banners (edit: link)

rpastuszak

I'm not sure why this is being downvoted?

zdragnar

The premise is that the intent of the law was good, so everyone should naturally change their behavior to obey the spirit of the law.

That isn't how people work. The law was poorly written and even more poorly enforced. Attempts at "compliance" made the web browsing experience worse.

weberer

Because the issue is due to a failure in the law. The failure of not enforcing the "do not track" setting from browsers that would avoid the need for these annoying pop-ups in the first place.

theptip

> users would be able to control others from central browser controls that apply to websites broadly.

Great to see this finally. It’s obviously the way it should have been implemented from the beginning.

We still see this technically myopic approach with things like age verification; it’s insane to ask websites to collect Gov ID to age verify kids (or prove adulthood for porn), rather than having an OS feature that can do so in a privacy-preserving way. Now these sites have a copy of your ID! You know they are going to get hacked and leak it!

(Parents should opt their kids phones into “kid mode” and this would block age-sensitive content. The law just needs to mandate that this mode is respected by sites/apps.)

GardenLetter27

> We still see this technically myopic approach with things like age verification; it’s insane to ask websites to collect Gov ID to age verify kids (or prove adulthood for porn), rather than having an OS feature that can do so in a privacy-preserving way. Now these sites have a copy of your ID! You know they are going to get hacked and leak it!

An OS feature is also a terrible option - remember when South Korean banks forced the country to use ActiveX and Internet Explorer?

The government should offer some open digital ID service where you can verify yourself with 2FA online, after registering your device and setting credentials when you get your ID card + residence registration in person.

philipallstar

> (Parents should opt their kids phones into “kid mode” and this would block age-sensitive content. The law just needs to mandate that this mode is respected by sites/apps.)

Good kid mode[0].

[0] https://www.lego.com/en-gb/product/retro-telephone-31174

ElectricalUnion

That was what P3P was supposed to enforce automatically for you, until Google ruined it for everyone.

GardenLetter27

About time. Startups and innovative business simply cannot get investment when there's the constant risk of a new AI Act massively increasing compliance and legal costs.

But it's not enough - they need to completely repeal the DSA, AI Act, ePrivacy Directive, and Cybersecurity Act at least. And also focus on unifying the environment throughout the EU - no more exit taxes, no need for notaries and in-person verbal agreements, etc.

There's just so much red tape and bureaucracy it's incredible. You can't hire or pay payroll taxes across the EU (without the hire relocating) - that's a huge disadvantage compared to the USA before you even get into the different language requirements.

yardie

> no need for notaries and in-person verbal agreements, etc.

With the advancement of AI being used to commit fraud through chat, video, and audio calls I think we're at the precipice of needing to in-person verbal agreements again.

And I thought the harmonization of markets in the EU would have reduced the red tape but some industries are built on it and will complain quite vocally if their MP makes any move on it.

GardenLetter27

The law in Germany comes from when many people couldn't read, so all contracts must be read by a notary to both parties in-person.

The bizarre thing is now they advertise how fast they can read! Like it serves no purpose other than giving notaries and lawyers a slice of all transactions.

Europe is full of backwards stuff like this - where the establishment interests are so strong, it cannot be adapted for modern times. From blocking CRISPR and gene editing crops (while allowing the less controlled but older technology of radiation treatment), to blocking self-driving cars.

Symbiote

Does anyone have a link to the proposal, preferably on the EU website?

I'd like to see for myself, as I don't consider moving the consent method from the webpage to the browser settings "watering down" — it's the opposite.

weberer

They seem to be reporting on two drafts that were leaked by Netzpolitik.

https://cdn.netzpolitik.org/wp-upload/2025/11/EU-Kommission-...

The official website mentions these documents, but for some reason doesn't let you view them, saying "It will be possible to request access to this document or download it within 48 hours".

https://ec.europa.eu/transparency/documents-register/detail?...

mikece

How about this as a privacy law: if you collect data about people without their EXPLICIT permission[1] you can be charged with digital stalking. Same principle as stalking; escalating penalties for repeat offenses and for doing so in bulk or en masse.

EDIT: And you cannot share information gained by permitted collection unless EXPLICIT permission to share is granted.

[1] Eg: it's not sufficient to disclose this in equivocal text buried in 25k lines of EULA text.

ChrisArchitect

Europe's cookie nightmare is crumbling. EC wants preference at browser level

https://news.ycombinator.com/item?id=45979527

ChrisArchitect

Previously:

European Commission plans “digital omnibus” package to simplify its tech laws

https://news.ycombinator.com/item?id=45878311

m3kw9

the consequences of their laws is pushing their hands

bpodgursky

> The EU folds under Big Tech’s pressure.

This is a very odd framing, because the actual reason from quotes in the article is that the EU is acutely feeling the pain of having no big tech companies, due in part to burdensome privacy regulations.

The pressure isn't really from big tech, it's from feeling poor and setting themselves up as irrelevant consumers of an economy permeated by AI.

yardie

> due in part to burdensome privacy regulations.

A large part is due to their approach to startup investing and chronic undercapitalization. GDPR is coming up 10 years now and the worries about it were overblown. What hasn't budged is Europe is very fiscally conservative on technology. Unless it's coming from their big corporations it's very hard to get funding. Everyone wants the same thing, a sure bet.

bpodgursky

I think this is a very rosy framing.

GDPR showed that once you are a ten-billion dollar company, your compliance team can manage GDPR enough to enter the market. For a startup, starting in the EU or entering the EU early is still extremely difficult because the burdens do not scale linearly with size.

This means that yes, US tech giants can sell into the EU, but the EU will never get their own domestic tech giants because they simply cannot get off the ground there.

yardie

My company did not retain customer data or retained very little. So compliance for us was very simple. If your business venture relies on that PII data you're going to have a hard time. And I'm not exactly sympathetic since I'm regularly getting notified from HaveIbeenPwned about another PII leak.

m00dy

europe got stuck in the old world, they will never have tech companies.

AndrewKemendo

> The changes, proposed by the European Commission, the bloc’s executive branch, changes core elements of the GDPR, making it easier for companies to share anonymized and pseudonymized personal datasets. They would allow AI companies to legally use personal data to train AI models, so long as that training complies with other GDPR requirements.

Put together and those two basically undo the entire concept of privacy as it’s trivially easy to target someone from a large enough “anonymous” set (there is no anonymous data, there only exists data that’s not labeled with an ID yet)

zoobab

[flagged]