The EU Digital Omnibus, introduced by the European Commission on November 19, 2025, represents the most significant overhaul and potential setback for digital privacy in Europe since the GDPR was enacted in 2018. Framed as a technical update to simplify compliance and boost competitiveness, the package contains two interconnected legislative proposals that would radically alter established data protection, cookie, cybersecurity, and AI regulations, fundamentally shifting how personal information is managed and protected within the EU’s digital environment.

A key change is the narrowing of the definition of personal data. The GDPR’s broad current definition includes pseudonymous identifiers and behavioral profiles, capturing a wide range of surveillance tools under its protection. The new draft excludes data not directly identifying individuals—even if it can be linked with other information. This means that ad IDs, cookies, and similar identifiers would evade GDPR oversight, potentially legalizing more extensive tracking and profiling by advertising and data broker industries.

The Omnibus introduces a provision that counts AI model development and operation as a legitimate interest, thereby dramatically lowering the bar for processing sensitive categories of personal data such as health or biometric data. Previously, strict consent or public interest was needed, but the new rules would let companies process such data more freely for AI training and deployment. This opens the door for insurers, employers, and political firms to leverage sensitive information with minimal justification, shifting the burden to individuals to contest such uses.

The proposal restricts when people can access, correct, or erase their own data, limiting these rights to so-called “data protection purposes.” In practical terms, this narrows what once was a powerful tool for transparency—used by journalists, employees, and consumers alike—so that many requests could be dismissed, further deepening the information gap between individuals and large data-driven organizations.

Exploiting widespread annoyance with cookie banners, the proposal allows companies to access data stored on personal devices or place cookies for various vaguely defined “legitimate interests” or “low-risk” uses without user consent. This risks undermining the baseline principle of device sovereignty, as it could create legal justifications for broad, permissionless tracking across a blurred landscape of devices and cloud infrastructure.

The manner in which these reforms have been pursued is itself a point of contention. The Commission ignored explicit requests from EU Member States not to reopen the GDPR, proceeding with a truncated public consultation and absent robust impact assessments. Legal experts argue these shortcuts may themselves breach EU law and democratic legislative principles.

The Commission argues these changes will aid SMEs and European AI development. However, critics note that the main beneficiaries would be large tech platforms, data brokers, and AI developers—industries adept at navigating regulatory ambiguity. Small businesses, which typically process simpler datasets, will see little meaningful relief, as the proposals do not address the true sources of their compliance difficulties.

Europe’s GDPR established the so-called “Brussels Effect,” influencing privacy standards far beyond the continent. A weakened GDPR would have ripple effects worldwide, diminishing incentives for strong privacy practices in other regions and potentially reversing a decade of progress as AI becomes ever more entwined with daily life, commerce, and critical infrastructure.

Rather than gutting privacy, critics suggest reform should focus on:

• Harmonizing and clarifying enforcement across EU states
• Proportionate, risk-based compliance obligations tailored to actual harm potential
• Investing in privacy-enhancing technologies and clearer, interoperable technical standards
• Ensuring democratic debate and thorough expert consultation

The Digital Omnibus now moves to the European Parliament and Council for review, amendment, or rejection. Civil society and privacy experts urge lawmakers to resist industry lobbying, highlighting that robust privacy and innovation are not mutually exclusive. The legislative process will unfold into 2026 and may shape digital rights for a generation.

At its core, the Omnibus risks shifting European digital policy toward prioritizing business convenience over individual autonomy and privacy—the very principles that once set the EU apart as a global leader in data protection. The coming months will decide whether democratic oversight and privacy protections will be defended or quietly dismantled.

For deeper context on the EU’s regulatory direction, readers are encouraged to review the prior article: https://anticoruptie.md/en/blog/gheorghe-alexandra/the-wrong-pause-the-eu-is-delaying-regulation-instead-of-development