The ‘Digital Omnibus’ marks a new policy regarding privacy protection in the EU to reduce the administrative burden for companies. Privacy advocates see it more as a capitulation to the United States.
The European Union is known as a beacon of privacy. Legal frameworks such as the GDPR and the AI Act define clear boundaries within which technology companies are allowed to operate. However, the European privacy framework was a double-edged sword: the rules were intended to keep the big tech giants in check, but for local SMEs, they mainly meant a heavy administrative burden.
2026 appears to be a turning point for privacy legislation in Europe. The EU is changing its approach: in November, the ‘Digital Omnibus’ saw the light of day. It will thoroughly redraw the legal framework in which technology companies operate.
In honor of Data Privacy Day, notably an invention of the European Council, we discuss the most important changes that are about to happen for privacy legislation in Europe and what the impact will be on your privacy.
Ten years of GDPR: a bumpy ride
We start in 2016. April 14, 2016, to be precise: the birthday of the GDPR (AVG). The legislation was revolutionary ten years ago, as it was the first of its kind worldwide. With the GDPR came stricter rules for processing ‘personal data’ in Europe. Tech companies must store data from citizens on European soil and may not use it for commercial purposes without permission.
It would take another two years, until May 2018, before the law fully came into effect. The timing couldn’t have been better: the Cambridge Analytica scandal with Facebook as the central figure had made it clear to the world that behind digital services lies a perverse data collection machine. The GDPR would therefore have an effect far beyond European territory, after several Asian countries and American states introduced similar privacy rules.
Ten years later, opinions on the GDPR are divided. While the legislation has certainly made us think more consciously about what we share online, critics will argue that the law has shown too few teeth to bring tech companies to their senses. Fines follow when the damage has already been done. Small companies drown in paperwork, and consumers are immensely annoyed by those cookie windows.
AI puts pressure on privacy
The GDPR proved unable to cope with the next wave of massive data scraping for which AI models are responsible. To train ChatGPT, Gemini, and co., the tech giants have scraped the entire internet. As a result, chatbots spread personal and often even completely incorrect information about people, without the possibility of having it removed or modified.
AI has changed the rules of the game, and so the EU had to follow. Since 2024, the AI Act has been introduced gradually. This law calls on developers of AI systems to handle the data they feed into models transparently and responsibly.
However, the tech industry saw it as yet another piece of legislation in the already complex legal framework in Europe. European companies also dared to express their dissatisfaction this time, as was audible during the latest edition of MWC. The EU wanted to invent the seat belt before inventing the car, was the metaphorical criticism.
read also
MWC 2025: Europe Misses the AI Train, but Has the Best Safety Belts
Less Administration
This long lead-up brings us to the Omnibus. The European Union seems to be listening to companies, as the focus is on reducing complexity. Less administration is equated with more competitiveness for the European market. However, American companies will also not mind fewer rules. This does not only apply to technology: Omnibus I of February 2025 strikes through the ESG legislation.
The Omnibus can be summarized in the following six key points:
- Fewer administrative burdens, especially for SMEs, associations, and organizations with low-risk processing;
- Clarification of what falls under the term ‘personal data’;
- Incorporation of the e-privacy guidelines into the GDPR;
- Revision of the cookie guidelines;
- More room for using personal data for training AI models;
- One central reporting point for data breaches and incidents.
The renewed guidelines also provide for postponement of some measures against ‘high-risk’ AI systems, such as biometric identification and law enforcement, until December 2027. “Simplification is not deregulation,” the Commission makes clear when announcing Omnibus.
It remains to be seen what impact the Omnibus package will have on other legislation. For example, the Data Act is normally due to enter into force this year. This legislation provides guidelines on data exchanges in a B2B context and the accessibility of data for users of digital services.
read also
EU reshuffles the privacy cards: fewer rules, less privacy?
Capitulation to America
Privacy activists have a different interpretation. They see the proposed simplification primarily as a weakening of the European privacy framework that once served as an example to the world. The Omnibus rules had only just been announced when the Austrian association Noyb was already on the scaffolding.
Harsh words are not shunned. Max Schrems, the public face of the organization, speaks of an ‘attack on digital rights in the EU’ and believes that ‘the core values of the GDPR are being demolished’. Noyb is not the least opponent: Schrems has already managed to bring down an agreement for data transfers between the EU and the US twice.
read also
The Cloud Illegal? Sovereignty as Holy Grail for European IT
Schrems mainly objects to the fact that AI companies get much easier access to the personal data of citizens. The protection of sensitive data is also disappearing. With the revised rules, the European Commission is giving in to pressure from Washington, according to Noyb. Trump and his companions make no bones about what they think of the European rules.
Tipping Point
But also influential European leaders such as Macron themselves loudly proclaim that rules stand in the way of innovation. The EU seems at least willing to dilute its privacy stance. Not only to keep Trump friendly, but also to put as few obstacles as possible in the way of its own companies to be able to compete with American market leaders.
Our digital privacy is at a tipping point. Idealistic principles are increasingly clashing with political and economic reality. The European Union wants to stand on its own technological feet, and then privacy is seen more as an obstacle than a tool. Will privacy have to give way to competitiveness? Data Privacy Day seems more relevant today than ever.
Idealistic principles clash with political and economic reality.