The Digital Omnibus is going on summer break. Your rights are not.

In November 2025, the European Commission presented the Digital Omnibus as a simplification package for EU digital rules. Since then, the AI Omnibus has been adopted, weakening the AI Act before key safeguards fully apply. The Data Omnibus is still moving through the Council and European Parliament, covering the Data Acquis, GDPR and ePrivacy rules. Decisions on it will be waiting after summer, with the same basic problem: a deregulation agenda sold as simplification, with weak evidence, rushed process and real risks for people.

By EDRi · July 16, 2026

Grilling our rights

It is summer in Brussels. Meetings slow down, automatic replies bloom, and everyone starts treating September like a rumour. Sadly, the European Commission has not packed a towel and reconsidered its choices. Back in November 2025, the institution presented the ‘Digital Omnibus’ as ‘simplification’, a good branding. Who wants complicated rules? Nobody wants legislation that feels like trying to fit a beach umbrella, a laptop, and five unread policy papers into one cabin bag.

But this clearly was not a tidy-up: we knew it formed part of a wider deregulation agenda. Across several Omnibus files (the Digital Omnibus is the 7th one!), the EU is reopening protections for people, workers, consumers, communities and the environment. The pattern is familiar: call safeguards ‘burdens’, promise competitiveness, move fast, consult selectively, skip evidence, and hope nobody notices before the next holiday period. At this point, the EU simplification agenda has more sequels than a summer franchise nobody asked for.

That process is one of the problems. The Commission did not produce a proper impact assessment for this Omnibus, nor for the broader wave of similar files, despite changes that go well beyond ‘targeted amendments’. Instead, it relied on selected ‘reality checks’ and meetings that disproportionately listened to industry players, with a few civil society representatives here and there. Public-interest voices had to react to a fast-moving package with huge consequences.

In case you have missed it: what is the Digital Omnibus?

An Omnibus is a legislative package that changes several laws at once. In theory, this can fix overlaps and make rules easier to apply. In practice, it can also become a shortcut for changing political choices without the scrutiny they deserve.

The Digital Omnibus has two main parts. The AI Omnibus changes the Artificial Intelligence Act. The so-called Data Omnibus changes the Data Acquis, meaning EU rules on data sharing, public sector data re-use, cloud switching, data intermediaries and data altruism. It also changes the General Data Protection Regulation, known as the GDPR, and ePrivacy rules on device access and confidentiality of communications.

The AI Omnibus: first Interrail stop, weakened safeguards

The AI Omnibus has now been adopted. And even though much of it was defended while shouting ‘stop the clock’, it does more than delay the AI Act. It delays key obligations for high-risk AI systems. It weakens transparency in some areas. It complicates accountability. It changes the treatment of industrial AI, especially machinery, in a way that risks pushing some systems away from the AI Act’s horizontal safeguards. It also changes rules on AI literacy, fundamental rights oversight and the processing of sensitive data for bias detection and correction.

That matters because high-risk AI can affect people at work, in schools, in healthcare, in public services, in policing, in migration procedures and in access to essential services. Let’s not forget that the AI Act was already a compromise. Many of its key safeguards had not even started to apply. Instead of supporting implementation with guidance, resources and enforcement, the EU reopened the law almost immediately. That sent a dangerous message: if powerful actors dislike a rule, they can wait until implementation starts, call it ‘too difficult’, and ask for a new shortcut.

The Data Omnibus is still pending after summer

The Data Omnibus has not been agreed yet. At the end of June 2026, Member States did not adopt the Council’s compromise text. A blocking minority led by Germany and Poland stopped the file from moving forward before the summer break. That pause matters, but it does not mean the danger has passed. The Irish Presidency is expected to continue work, with all eyes on it for its specific political economy, its role in hosting major tech companies, and growing public concern around data centres.

Some industry actors, and the governments capitals supporting them, wanted the Council to slow down because the compromise text was not deregulatory enough for them. They want broader exceptions, more room for AI training and development, weaker limits on tracking, and less binding (or none at all) privacy signals. Signals, possibly the only true simplification for the people, were dropped from the last draft compromise, because… there was not an impact assessment!! Listen. If you suddenly discover evidence standards when the proposal helps people say no to tracking, but forget them when the proposal weakens rights, the problem is not evidence. The problem is political appetite, and this is SPF 0 law-making.

The AI story is also a labour story

This is often framed as a story about Europe needing more data for AI. But more data for AI will not automatically deliver better healthcare, fairer public services, safer workplaces or stronger rights. It can also – and surely will – mean more extraction, profiling, data centres, energy use, opaque decisions and market power for companies that already dominate the digital market.

And no, the promise that this will magically create good jobs deserves more scrutiny. AI systems are already being used to monitor workers, allocate shifts, discipline employees, deskill roles and replace labour where companies can get away with it. Weakening safeguards in the name of AI competitiveness does not guarantee employment. It can make working conditions more automated, more opaque and less contestable.

This is the race-to-the-bottom dynamic. If the EU weakens rights because others do, it does not become stronger. It becomes another jurisdiction competing over who can offer companies more data, fewer limits and less accountability. We should not join that race and call it strategy.

What is happening in Parliament?

The European Parliament is preparing its position, too. The file will be back, probably before anyone has fully recovered from their first post-holiday inbox.

The main work is happening in the LIBE and ITRE committees. LIBE deals with civil liberties, justice and home affairs. ITRE deals with industry, research and energy. Together, they are preparing Parliament’s main position. Their draft report does not yet cover every issue, because political groups are partly in disagreement. This could slow down the Parliament, but it could also create space to improve the text.

The work of other committees matters too. IMCO, the internal market and consumer protection committee, is looking at consumer rights, access to services, unfair practices and legal certainty. JURI, the legal affairs committee, is focusing more on the Data Acquis side of the file.

Parliament has also requested a substitute impact assessment, which is apparently limited in scope and not mainly focused on fundamental rights. While this is welcome, it cannot fix the Commission’s failure on its own. It must not become a decorative parasol placed over a rushed deregulation package.

The Data Acquis: the lesser-known cousin that still matters

The Data Omnibus also amends the Data Acquis. That includes the Data Act, the Data Governance Act, the Open Data Directive and rules on cloud switching. Some consolidation may sound reasonable. But the details matter. Rules on the reuse of public sector data, protected data, trade secrets, data altruism, data intermediation and cloud switching affect who can access data, the conditions under which they can access it, and the safeguards that must be in place.

These questions are not only technical. They shape public-interest research, public sector accountability, competition, data concentration and people’s control over information about them. So yes, the GDPR and ePrivacy changes deserve special attention, but the Data Acquis part should not be treated as harmless administrative work. That is where many important safeguards can quietly become thinner.

The GDPR and ePrivacy are exposed without the sunscreen fog

The GDPR protects personal data, while ePrivacy protects the confidentiality of communications and access to devices. Together, they help stop companies and public authorities from treating people as walking data sources. The Data Omnibus risks weakening these protections in several ways.

It could narrow down the definition of when data counts as personal data, especially for pseudonymised data. That matters because if data falls outside the scope of the GDPR, people lose GDPR rights over it. It could also create more opportunities to use personal data for AI development and operation, including through legitimate interest. That risks turning a case-by-case balancing test into a broad permission structure.

It could weaken protections of sensitive data, including biometric data and data that reveals health, sexuality, political opinions or other intimate traits. It could reduce transparency and access rights, making it harder for people to know how their data is used and to challenge misuse. It could make automated decisions easier to justify in high-stakes contexts.

It could move key device-access rules away from the ePrivacy logic of confidentiality and into broader GDPR-style exceptions.

This is not abstract. It affects workers asking how shifts are assigned, people applying for housing or credit, patients using health apps, migrants facing automated tools, people reading news online, and anyone trying to refuse tracking without playing banner whack-a-mole.

Cookie banners are annoying. That is not the fault of your rights, and there is a solution for it.

Everyone is tired of cookie banners. Some are manipulative, some make refusal harder than acceptance, and some feel designed by someone who believes human patience is an infinite resource. But ‘cookie fatigue’ does not come from people having too many rights. It comes from a tracking economy that keeps – over and over again – asking for permission to follow people across websites, apps, devices and services.

The industry claims to have a preferred solution: drumroll… more exemptions! In other words: fewer moments when companies have to ask, and more situations where they can access or use data anyway. That is where the quieter attack on ePrivacy comes in. ePrivacy is the EU framework that protects the confidentiality of communications and sets rules for access to information on your device. It works before data is collected. That is exactly why some actors dislike it. It stops certain forms of tracking at the door.

Weakening ePrivacy, or moving its core principles into broader GDPR-style exceptions, changes the starting point. Instead of asking whether access to your device should happen at all, the debate shifts towards how companies can justify it afterwards. That does not solve cookie fatigue. It makes the tracking system easier to run.

Privacy signals could help. A browser, app or device setting could tell services: no tracking. One clear choice, less clicking and fewer banners. This means better and more meaningful respect for people’s choices. But signals must be binding, immediate, clear and enforceable. They must work across browsers, apps and operating systems, not create new tracking layers, nor come with broad carve-outs that let powerful actors ignore them.

Otherwise, we will keep the banners and lose the safeguards. Truly the worst summer deal since warm white wine.

What should happen after summer?

The EU should separate real simplification from deregulation. Real simplification helps people exercise rights, helps organisations understand obligations, and supports regulators. It would reduce pointless duplication, make refusal of tracking easier, and improve enforcement — something we have been calling for years.

Deregulation expands exceptions, weakens safeguards, shifts discretion to companies and public authorities, and leaves people with rights that become harder to use. The AI Omnibus showed the danger. The Data Omnibus risks spreading the same logic across the Data Acquis, GDPR and ePrivacy.

So yes, enjoy summer. Drink water. Close the laptop when possible. Ignore at least three calendar invites with dignity. But when September comes, the Data Omnibus will still be there. EDRi will keep pushing for a simple principle: EU digital rules should protect people (and the planet), not make life easier for those who want more data, weaker safeguards and fewer questions.

If you would like more information on this topic or would like to join the fight, please do not hesitate to get in touch with us.