The EU’s Digital Omnibus proposal promises simplification. Conversely, it could lower data protection standards, and risks to undermine European digital sovereignty goals.
When the current EU legislative term started in 2024, the terms “simplification” and “competitiveness” were dominating the debate. In 2025, the Commission published several legislative proposals with the declared aim of increasing European competitiveness, by simplifying legislation. The so-called “omnibus” proposals combine changes to multiple laws. In the case of the “digital omnibus”, laws like the Data Governance Act, the Data Act, and the Artificial Intelligence Act (separately) are to be changed – even though some of them have been passed as recently as 2024 and to some extent have not yet entered into force. The most notable change however, concerns the European data protection regime: in particular changes to the definition of “personal data” in the GDPR and the possibility to re-use personal data on the basis of “legitimate interest” for AI are cause for controversy.
In its digital omnibus, the Commission is proposing changes to the definition of personal data, with the stated intention to take into account a developing understanding of the European Court of Justice (ECJ) for how personal information could be restored from pseudonymised datasets. However, civil society organisations like Wikimedia Europe, European Digital Rights (EDRi), and D64 are pointing out that the proposed changes go beyond the recent ECJ rulings, and would weaken the protection of personal data. The European Consumer Organisation BEUC considers the changes “extremely dangerous for consumers”, and the joint declaration of the European Data Protection Supervisor and the Board of European Data Protection authorities goes so far as to “strongly urge the co-legislators” in Parliament and Council “to not adopt the proposed changes”.
The General Data Protection Regulation (GDPR) has become a landmark legislation, and has even lead to the term “Brussels effect” being coined to describe the extraordinary impact it had on privacy discussions around the world. The lower data protection level in particular in the US has led to several high-profile decisions of the ECJ with regard to data transfers.
While the GDPR arguably created additional duties for businesses (or in some cases made existing rules more apparent), the processing and storage of data in Europe have become prominent sales arguments and contribute to the value proposition of products and services from the EU.
The GDPR’s high level of privacy and data security are an advantage and have become a trade mark for European offers.
Changes to the data protection regime as the digital omnibus proposes would lead to a lowering of data protection levels that could prove to be detrimental to businesses that have invested in compliance. In turn, the multi-national operators backed by the Trump administration, that have tried to circumvent data protection rules for years, and that occupy the top spots of the GDPR infringement and fines charts, would be rewarded.
The digital omnibus proposal risks to haphazardly undermine the EU’s digital sovereignty goals when the control over data processing, and the protection and security of data lose relevance.
The Commission is still collecting feedback to both the Digital Omnibus and AI Omnibus until 15 and 13 March respectively, so there is just over a week to send in your reply and point out that the omnibus proposals must not undermine the goals of increasing digital sovereignty and making Europe more competitive in the digital field.
