Experts Find Holes in Planned Changes to EU Landmark Online Privacy Law

The European Commission’s "digital omnibus" package aims to streamline data‑protection obligations across the bloc, promising reduced paperwork and faster market entry for tech firms. Yet, civil‑society groups and the EU’s own data‑protection board warn that the draft could dilute core GDPR safeguards, especially around transparency and accountability. By bundling amendments to access rights, breach notifications, and automated decision‑making, the proposal seeks a one‑size‑fits‑all solution that may overlook sector‑specific challenges.

In a detailed report released on March 5, the digital‑rights NGO noyb surveyed 500 data‑protection officers to gauge the real‑world impact of the proposed changes. The findings reveal a pronounced disconnect: more than 70 percent of respondents report that access‑request workloads are minimal, contradicting the Commission’s claim of abusive volume. Professionals also stress that automated breach alerts and decision‑making rules are already managed through existing tools, rendering the suggested relaxations redundant. Crucially, 79 percent of participants call for explicit whitelist and blacklist lists—mirroring the AI Act’s approach—to eliminate interpretive ambiguity.

The broader implication is a push for a tiered GDPR framework that aligns obligations with actual risk exposure rather than arbitrary employee counts. Stakeholders argue that thresholds based on the number of affected individuals would better target large platforms while sparing small enterprises from disproportionate compliance costs. If adopted, such a model could restore confidence in the regulatory regime, preserve consumer rights, and provide businesses with clearer, more predictable obligations. Conversely, ignoring these insights may lead to fragmented enforcement and heightened legal uncertainty across Europe.