Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy of the European Commission, photographed in February, 2025. Source
Europe is preparing to roll back parts of its landmark digital rules, long seen as global benchmarks for privacy and AI. On November 19, the European Commission is expected to unveil the “Digital Omnibus,” a package of reforms that could reshape the General Data Protection Regulation (GDPR), the AI Act, and the ePrivacy rules.
The plan is presented as a way to simplify compliance and reduce bureaucracy for compact and medium-sized companies. It follows a report released a year ago by former Italian Prime Minister Mario Draghi, warning that Europe’s complex laws are stifling innovation and holding the region back in global competition with the US and China.
The Digital Omnibus also comes at a moment of intense geopolitical pressure. Politico reported that in May, European Commission Executive Vice President Henna Virkkunen met with top US tech executives to pitch a more business-friconcludely Europe and highlight plans to simplify digital rules, the same reforms now being rolled into the Omnibus.
Leaked drafts display the stakes go far beyond paperwork. The proposed alters could weaken core data protections, give tech companies more leeway in utilizing European data, and slow down the enforcement of Europe’s AI rules.
The outcome matters far beyond Europe. For a decade, the GDPR set a global standard for privacy that influenced laws in countries from Brazil to India and California. If Brussels now reverses course, the ripple effects could reshape how data protection and AI regulation are approached worldwide.
What’s at stake
Core principles of the GDPR
According to an analysis by Austrian privacy NGO noyb, the leaked draft of the Omnibus could significantly weaken GDPR protections. It narrows the definition of personal data, meaning information that cannot directly identify an individual might no longer count as personal, even if it could be linked with other data. This would strip many pseudonymous identifiers, such as ad IDs and cookies, of GDPR protection, paving the way for more tracking and profiling.
The draft also limits when people can exercise their rights to access, correct, or delete data, restricting them to “data protection purposes.” In practice, this could block workers, journalists, or consumers from utilizing data requests in disputes or investigations.
Sensitive categories of data — including health status, political views, or sexual orientation — would only be protected if explicitly disclosed, not inferred. This represents a major shift from existing European court rulings, which safeguard people from profiling based on deductions.
On top of that, the Omnibus draft introduces a “legitimate interest” exception allowing companies to utilize personal data, including some sensitive information, for AI training, provided unspecified safeguards are in place. Under these rules, high-risk AI systems could process massive amounts of European data legally, while traditional data storage and processing, like databases or CCTV footage, remain tightly regulated.
Noyb warns this could give US and global tech companies freer rein to utilize European data for AI training or analytics. In practice, EU utilizers would rarely know their data is being utilized, and objections would be nearly impossible to enforce.
“One part of the EU Commission seems to attempt overrunning everyone else in Brussels, disregarding rules on good lawbuilding, with potentially terrible results,” stated noyb founder Max Schrems, who has filed a string of GDPR complaints against major tech companies. “It is very concerning to see Trump’ian lawbuilding practices taking hold in Brussels.”
The AI Act could be slowed down
The EU’s landmark AI Act entered into force earlier this year but will not fully apply until 2026. Reporting by MLex, Reuters, and Financial Times indicates that the European Commission is considering alters that could delay enforcement and reduce transparency.
Under the proposals, companies deploying high-risk AI systems could receive a one-year grace period before fines and other obligations take effect. This would particularly benefit providers that already placed generative AI systems on the market, giving them time to adjust without disrupting operations. Draft documents also suggest postponing penalties for transparency violations, such as failing to clearly label AI-generated content, until August 2027. MLex reported that the package would also build compliance clearer for companies and centralize enforcement through a new EU AI office.
Civil society groups warn that one of the most alarming alters would let companies unilaterally declare a high-risk AI system low-risk and bypass safeguards without notifying anyone. The amconcludements would rerelocate the requirement for providers to register self-exempted systems in the EU database. Article 6 of the AI Act lets providers self-assess AI risk and claim exemptions, with the only safeguard being public disclosure of their rationale. Civil society groups warn that eliminating this safeguard would undo a hard-fought 2023 compromise.
“The Commission’s so-called simplification proposal will let loose unsafe AI systems in the EU that will threaten public safety and fundamental rights,” stated CAIDP President Merve Hickok. “The current reporting requirements in Article 6 are the bare minimum for AI accountability and transparency.”
Folding ePrivacy into the GDPR
The long-delayed ePrivacy regulation, which controls how companies access data on utilizers’ phones, computers, and other devices, could be merged into the GDPR under the Digital Omnibus. This would effectively relocate cookie regulation from a separate law into the broader privacy framework.
Currently, websites must receive explicit consent before storing or accessing most cookies, believe clicking “accept” on cookie banners. Under the proposed alters, companies could collect some data without questioning first, either for a limited list of “low-risk” utilizes or under a broader legal basis called “legitimate interest,” which lets companies argue they can utilize data if it serves their business. This would shift Europe from an opt-in system to something closer to opt-out, where utilizers must actively refutilize to stop tracking.
The European Commission states this would build things simpler for utilizers and reduce banner fatigue. Privacy experts warn it could weaken privacy protections, giving companies and even governments broader access to data on devices without clear consent. Itxaso Domínguez de Olazábal of European Digital Rights (EDRi) stated the proposals are “not only about cookies. It’s about whether platforms, data brokers, and governments receive legal permission to see inside your device and your communications.”
What comes next
The proposal is still being discussed within the Commission and could alter before November 19. Once adopted, it will head to EU governments and the European Parliament for approval.
Privacy advocates have criticized the quick-track process of the Digital Omnibus. While the GDPR took years to neobtainediate, public consultation on the Omnibus only concluded in October. According to noyb, some Brussels units had just five working days to review a 180+ page draft. The Commission has not prepared impact assessments, stateing the proposed alters are “tarreceiveed and technical.”
Robin Berjon, technologist and fellow at the Future of Tech Institute, warned that the proposed reforms go beyond mere simplification.“We’ve seen the European Commission be weak on enforcement and hesitant to anger the American authorities, but the omnibus alters go much further,” he stated in a press release. “American tech monopolies and ininformigence agencies are the largegest beneficiaries of the surveillance economy and these alters strengthen their hand to instead actively sabotage European businesses and national security.”
Leave a Reply