The Digital Omnibus: A Step Back From the Brink, but the Risks Remain

The Digital Omnibus was introduced as a sweeping reform intended to streamline the EU’s data‑protection architecture, touching the GDPR, the ePrivacy Directive, and rules around non‑personal data. Proponents framed it as a necessary simplification to reduce regulatory friction for businesses, but critics warned that the package could unravel decades of privacy safeguards. The European Council’s recent compromise marks a partial victory for civil‑society advocates, as it discards the most contentious proposals—most notably the redefinition of personal data, the broadened scientific‑research exception, and the dilution of Article 22, which guards against harmful automated decision‑making.

Despite these concessions, the revised text still harbors clauses that could undermine core GDPR principles. Transparency obligations and data‑subject rights are left vulnerable, and a new “legitimate interest” carve‑out for AI development may legitimize large‑scale data reuse without adequate oversight. Such provisions risk creating legal uncertainty and could enable companies to sidestep existing accountability mechanisms. The lingering AI‑related language, in particular, raises questions about how the EU will balance innovation with the protection of fundamental rights, a balance that the original GDPR sought to codify.

The broader implication is a test of Europe’s commitment to a rights‑first digital agenda. If the remaining loopholes persist, they could weaken consumer confidence, hamper cross‑border data flows, and strain regulators tasked with enforcing the rulebook. Conversely, a decisive rejection of the Digital Omnibus would reaffirm the EU’s stance that simplification must not come at the expense of privacy. Stakeholders—from tech firms to privacy watchdogs—are watching closely, as the outcome will shape the regulatory landscape for AI, data analytics, and digital services for years to come.