The EU’s ambitious, and some say overzealous, regulatory agenda is facing a potential recalibration. The European Commission’s “Omnibus Package,” designed to streamline data protection laws, including the General Data Protection Regulation (GDPR) and the Artificial Intelligence Act (AIA), is sparking heated debate and raising concerns about the future of digital rights in Europe. Is this a necessary course correction, or a dangerous rollback?
The Commission claims the Omnibus Package aims to bolster the EU’s long-term competitiveness by simplifying existing legislation. This latest iteration, the fourth in a series, specifically targets small and medium-sized enterprises (SMEs) and the digitalization process, addressing everything from cookie consent to cybersecurity incident reporting.
The push for simplification stems from growing complaints from businesses and governments that the EU is drowning in red tape. Ursula von der Leyen, in a speech last year, declared that simplification is “the only way to remain competitive.” But critics argue this drive could come at the cost of fundamental rights, particularly in the realm of data privacy.
The inclusion of GDPR in this simplification effort is particularly contentious. Mario Draghi’s 2024 report on European competitiveness, cited as justification, offers little concrete evidence that the GDPR is hindering innovation. The report mentions GDPR only twice, vaguely referencing regulatory fragmentation affecting health data and undermining EU digital goals. It’s a thin rationale for potentially sweeping changes.
The Omnibus Package has ignited a battle between privacy advocates and those prioritizing economic competitiveness. While these goals aren’t necessarily mutually exclusive, civil society groups warn that “simplification” could easily erode crucial privacy protections. Their responses to the European Commission’s call for evidence express strong opposition to any measures that weaken data protection.
Industry positions are more varied. CrowdStrike, for instance, calls for greater legal certainty under the Cybersecurity Act. Meta, on the other hand, urges a pause in AI Act enforcement and a broad reform of EU data protection law. Access Now argues that fundamental rights are at stake, warning that reduced consent prompts could allow unchecked tracking.
A leaked draft document outlining potential GDPR modifications suggests a significant shift in favor of less privacy-friendly approaches. These proposed changes include redefining personal and sensitive data, expanding the use of legitimate interest for AI processing, and intertwining the ePrivacy Directive (ePD) with the GDPR.
EU case law
A new article would allow controllers to rely on legitimate interest (LI) to process personal data for AI processing. This could sideline data subject control, allowing businesses to train AI systems on individuals’ data without consent.
Data Breach Reporting: Streamlining or Obscuring?
The draft proposes extending the data breach notification deadline from 72 to 96 hours and establishing a single EU-level reporting portal. However, it also raises the notification threshold from “risk” to “high risk.” While industry welcomes fewer reporting obligations, critics fear that a “high-risk” threshold could lead to many incidents going unreported.
The European Commission is expected to present its official simplification package on November 19th. The final text will reveal the extent to which the proposed changes will be implemented. Member State support is divided, with some firmly against reopening the GDPR and others proposing targeted or systematic amendments.
Simplification is a laudable goal, but not at the expense of fundamental rights. The scrapped green due diligence obligations from a previous Omnibus package serve as a cautionary tale. As all eyes turn to November 19th, the future of EU privacy standards, and potentially global data protection norms, hangs in the balance.
