EU AI Act changes threaten GDPR protections for CX sector
MANCHESTER, UNITED KINGDOM — As the European Union kicks off a decisive year for digital regulation, the outsourcing sector finds itself at the center of a recent heated debate, with consumer watchdogs issuing fresh warnings against the “Digital Omnibus” proposal, according to a report from CX Today.
The proposal is a measure that promises to cut €5 billion (US$5.85 billion) in administrative red tape for businesses but could force customer experience (CX) providers to trade strict GDPR protections for faster, “legitimate interest” AI training.
EU AI Act amendments spark GDPR consent debate
The Digital Omnibus, launched by the European Commission on November 19, seeks to streamline the EU’s digital regulatory framework, covering privacy, cybersecurity, and AI-specific rules.
The package aims to reduce compliance costs by up to €5 billion (US$5.85 billion) by 2029 and simplify reporting obligations under GDPR, NIS2, DORA, and the Critical Entities Resilience Directive.
However, Belgian consumer group Testaankoop warns that the proposal could weaken core protections for European citizens.
“Officially, the goal is laudable: to reduce the administrative burden, strengthen European competitiveness, and close the EU’s gap with the United States and China in the field of artificial intelligence. But behind that promise of simplification, an uncomfortable question arises: are the rights of European citizens now taking second place?” the group said.
One of the most contentious elements is the shift from explicit consent to a “legitimate interest” model for AI training. Under this approach, companies could use personal data without first asking for permission, provided users have the option to opt out.
Testaankoop notes that “research shows that far fewer people take action to refuse than if they were actively asked for permission,” raising concerns about informed choice and long-term trust.
CX providers face compliance crisis under EU AI Act
High-risk AI systems—including facial recognition, automated recruitment, and credit scoring—would face a transition period through 2028, while some transparency requirements, like mandatory registration, could be removed.
Testaankoop warns this could result in “less visibility [for] European citizens, and potentially fewer safeguards against technologies that have a very real impact on your daily life.”
For CX providers, reduced transparency and changes to consent mechanisms may increase friction when customers question automated decisions.
“Whilst these proposals are subject to the outcome of months of institutional discussions to come, they should be considered as the Commission’s viewpoint at the start of what is likely to be a lively debate and intense negotiation,” law firm Bird & Bird emphasized.
Despite these challenges, the Digital Omnibus could benefit outsourcing and CX firms by lowering administrative burdens, clarifying reporting processes, and allowing companies to focus more on innovation and customer service.
“Now constitute the final nail in the coffin of the absolute concept of personal data — even if the proposed wording will see some changes in the legislative process ahead,” Ulrich Baumgartner, partner at Baumgartner Baumann, noted.
For the outsourcing industry, the debate highlights a delicate balancing act: firms must navigate evolving regulations while maintaining consumer trust, proving that compliance and customer experience are not just legal obligations—they are strategic differentiators in Europe’s AI-driven economy.
