When the European Union unveiled the General Data Protection Regulation in 2018, it was hailed as a triumph of principle over profit, a rare moment when lawmakers set limits on the power of technology firms.

Now, a decade on, Brussels appears to be retreating from its own creation.

The European Commission is preparing a legislative bundle dryly called the Digital Omnibus that would streamline and merge a tangle of overlapping technology rules.

Buried in its pages are proposals that could let the world’s biggest tech companies use Europeans’ personal data to train artificial intelligence models, so long as they can claim a “legitimate interest.”

Critics see a quiet dismantling of Europe’s privacy fortress.

“It’s death by a thousand cuts,” warns Max Schrems, the Austrian privacy campaigner whose courtroom battles reshaped transatlantic data policy.

His group, noyb, argues that the reforms would turn the GDPR from a bulwark of digital rights into a set of negotiable guidelines.

One clause in particular alarms watchdogs: companies could be exempted from the ban on processing sensitive data if they take “reasonable steps” to remove such material later.

That, say campaigners, opens the door to widespread scraping of personal details under the guise of innovation.

Folding the ePrivacy Directive, the law that created Europe’s plague of cookie pop-ups, into the GDPR may further blur limits on access to phones, computers, and other connected devices.

The Commission insists it is merely tidying up a crowded legal landscape.

But to many, the project signals something larger: Europe’s confidence in regulating technology is ebbing.

Ten years after the GDPR defined global privacy standards, the continent that once led the world in digital restraint now seems tempted to loosen its grip.