The European Commission plans to present the Digital Omnibus on November 19, a package of amendments that, under the guise of ‘simplification’ and ‘reducing bureaucracy’, opens up almost the entire European digital legal framework. In theory, the goal is to make life easier for companies and accelerate the development of artificial intelligence, but in practice, according to drafts and analyses, it represents the deepest intrusion into GDPR, ePrivacy, and AI Act since these regulations have existed, with consequences that go far beyond ‘technical adjustments’.
According to the new omnibus, Big Tech would for the first time have a basis for using the personal data of Europeans to train and operate AI models, under the guise of ‘legitimate interest’, along with a weakening of the protection of sensitive data and the possibility of extensive monitoring of user devices.
The digital omnibus is part of a broader agenda of the Commission for simplification, and the idea is to combine and ‘modernize’ a range of digital regulations, from GDPR and the ePrivacy directive to the Data Act and AI Act. The official explanation from the EU states that there will be less overlap, fewer reports, clearer rules, and more innovation.
However, documents and legal analyses tell a different story. The omnibus is not a package of cosmetic changes, but an intervention into the very essence of GDPR, into what is even considered personal data, into the rights of data subjects, into the regime of sensitive data, and into the rules for accessing data on end devices (computers and mobile phones). The Austrian organization NOYB (None Of Your Business), specialized in protecting digital rights and strict application of GDPR, especially against large tech companies, described this approach from the Omnibus in an ‘open letter’ as the ‘death of GDPR’.
Narrowing the Definition of ‘Personal Data’
The most controversial change concerns the very definition of ‘personal data’. According to NOYB’s analysis of the draft, the Commission wants to introduce a subjective criterion, so if a certain data controller ‘cannot reasonably identify a person’, the data would no longer be considered personal, and GDPR would not apply at all.
Although it may sound confusing, in practice, this means that various pseudo-identifiers, advertising IDs, and cookie IDs could be treated as ‘non-personal’ data. The entire online advertising ecosystem, which today formally falls under GDPR, could partially fall out of protection. At the same time, EU case law has so far operated on the completely opposite principle, which is that even data that does not reveal a name but allows for profiling or ‘identifying’ a person is considered personal.
Even more contentious is the way sensitive data, such as health information, political beliefs, or sexual orientation, is planned to be handled. According to the proposals, special protection would only apply if such data is ‘directly disclosed’. This means that if you write that you are a member of a certain party, GDPR protects you. But if an algorithm classifies you into that party based on, for example, ‘likes’, location, or contact lists, the protection is much weaker.
The paradox is evident because people who openly disclose intimate data usually understand the risks better, while those who are ‘read’ by the system from their behavior, without their knowledge, are more vulnerable. For this reason, activists warn that such a reduction in protection would contradict the previous practice of the EU Court. The new package particularly intrudes into data on end devices such as laptops and smartphones. The idea is to combine ePrivacy with GDPR and significantly expand the reasons for which access to data on the device is allowed, including ‘legitimate interest’ and a range of new legal bases. This would allow for data retrieval or the placement of trackers without the classic clear consent.
Political Battle
The discussion is just beginning as it is still a draft that must pass through member states and the European Parliament. Most governments are not thrilled about the significant ‘mutilation’ of GDPR, while Germany and Finland are pushing for stronger relaxation of the rules in the name of ‘competitiveness’. NOYB claims that Germany has pushed for the most far-reaching changes, although other countries have only sought minor adjustments. Some analysts link this to lobbying by American tech companies and to Draghi’s report, which openly states that GDPR hinders AI innovation.
Opponents have already spoken out in Parliament, including MEP Markéta Gregorová, who warns that a looser definition of personal data and greater ‘flexibility’ for AI would mean mass processing of personal and sensitive data without real protections, and that fundamental rights would be pushed behind business interests, i.e., money.
Commission: We Are Not Weakening GDPR
The Commission, of course, claims that it only wants to facilitate business and strengthen ‘technological sovereignty’ while maintaining strong protection for citizens. The problem, however, is that this is not a minor adjustment, but a change in the definition of personal data, a weakening of the protection of sensitive data, a relativization of the rights of data subjects, and the introduction of new exceptions for AI training based on ‘legitimate interest’. Even more problematic is that the Commission, according to available information, does not plan a full impact assessment, even though these are changes that affect the very core of European regulation.
