Reopening GDPR and ePrivacy through the Digital Omnibus: a risky path for EU digital rights
EDRi has assessed the Digital Omnibus proposals affecting the General Data Protection Regulation (GDPR) and the ePrivacy framework. While presented as simplification, the changes amount to deregulation in effect, weakening fundamental rights safeguards, increasing legal uncertainty, and advancing through a process that falls short of democratic lawmaking standards.
What the Digital Omnibus proposes for GDPR and ePrivacy
The Digital Omnibus introduces horizontal amendments to several elements of the EU digital rulebook, including the GDPR and the ePrivacy framework. These are not ancillary instruments. They are foundational rights laws that give concrete effect to the fundamental rights to data protection and to the confidentiality of communications. Changes to their scope, structure, or interaction therefore carry systemic consequences for people, democracy, and the planet.
The European Commission frames the Omnibus as a response to implementation difficulties, compliance burden, and usability concerns such as so-called ‘cookie fatigue.’ EDRi recognises that enforcement across the EU has been uneven and that abusive consent practices remain widespread. These problems are real. What matters, however, is how they are addressed. The Omnibus does not focus on enforcement, clarification, or institutional capacity. Instead, it reopens core safeguards and reshapes the legal architecture itself.
EDRi’s baseline for assessing GDPR and ePrivacy reform
EDRi’s assessment starts from a clear baseline. The GDPR and ePrivacy are rights-based instruments, not administrative checklists. Any reform affecting them must preserve the non-regression of fundamental rights, maintain legal certainty, and follow a transparent, participatory legislative process.
Simplification could support compliance where it clarifies procedures or improves cooperation between authorities. It cannot justify lowering safeguards, expanding discretion, or making rights harder to exercise or enforce. Where such effects occur, the result is deregulation in substance, regardless of how the reform is labelled. In the context of fundamental rights law, reducing the level of protection is a policy choice that requires explicit justification and democratic scrutiny. The Omnibus does not meet that standard.
How the Digital Omnibus reshapes the GDPR
The Omnibus introduces changes that affect the very essence of the GDPR: when it applies, which lawful bases are available, and how core rights function in practice. Amendments to the definition and scope of personal data risk fragmenting protection by making applicability depend on the position or technical capacity of individual controllers. This undermines uniform protection and weakens legal certainty at the very entry point of the Regulation.
Other changes expand pathways for large-scale data reuse, particularly in the context of artificial intelligence, while simultaneously weakening transparency, access, and safeguards related to automated decision-making (even more concerning when the AI Act is also on the chopping block). These rights are essential for uncovering unlawful processing, discriminatory profiling, and systemic misuse of data. Reducing their effectiveness shifts the burden onto individuals at the same time as processing becomes more opaque and harder to contest.
Taken together, these amendments move the GDPR away from a preventive, rights-centred framework and towards greater reliance on internal assessments and after-the-fact justification. This shift redistributes risk from controllers to individuals and weakens the GDPR’s role as the backbone of the EU digital rulebook.
How the Digital Omnibus alters the ePrivacy framework
In ePrivacy, the Omnibus reshapes the rules governing access to terminal equipment by introducing a split based on whether the accessed information ‘constitutes or leads to’ personal data processing. This replaces a clear, technology-neutral rule with an unstable boundary that is difficult to assess at the moment of access.
EDRi is concerned because this undermines a key upstream safeguard that protects device integrity and communications confidentiality regardless of data classification. In practice, the proposal creates overlapping regimes and new interpretative disputes, while leaving modern tracking techniques largely untouched. The result is increased legal uncertainty and a higher risk of fragmented enforcement, particularly in an ecosystem that relies on fingerprinting, SDK-based tracking, server-side collection, and link decoration.
The Omnibus also introduces new mechanisms related to consent interfaces and automated signals. While reducing manipulative consent practices is a legitimate objective, interface-level changes only protect rights if they are embedded in a coherent ePrivacy framework with clear legal meaning, binding effect, and verifiable limits. Without this, surface-level adjustments risk masking continued large-scale extraction of data.
Deregulation by effect, combined with a weakened legislative process
The substantive concerns raised by EDRi are compounded by the way these changes are being pursued. The Digital Omnibus bundles far-reaching reforms to GDPR and ePrivacy into a single horizontal package. This makes it difficult for legislators, civil society, and affected communities to assess each change on its own necessity and proportionality.
For fundamental rights law, process is not a formality. Proper impact assessments, clear problem definitions, and meaningful participation, as required under the European Commission’s Better Regulation Guidelines (which the Commission itself is looking into weakening after having disregarded them for 10 Omnibus packages), are safeguards that ensure limitations remain justified and contestable. Compressing scrutiny while advancing reforms that lower protections results in deregulation through legislative structure, rather than through an open and accountable policy debate.
What EDRi considers necessary, under strict conditions
EDRi’s position is not a defence of the status quo. Implementation failures, abusive practices, and enforcement gaps must be addressed. Where targeted reforms are genuinely necessary, they must follow the full legislative process, be supported by robust impact assessments, and be subject to open democratic debate.
Crucially, any such reform must not weaken fundamental rights protections in any respect, nor relocate safeguards into more permissive legal regimes. Simplification or clarification cannot serve as a vehicle for lowering protections, increasing discretion, or shifting risk onto individuals. For GDPR and ePrivacy, this also requires preserving a clear division of roles. ePrivacy must continue to govern access to terminal equipment and confidentiality of communications, while the GDPR governs the processing of personal data once collected. This separation is essential for predictable compliance and effective enforcement and, above all, for respect of primary law.
Onwards
EDRi is sharing its GDPR and ePrivacy positions to contribute to an informed and principled debate on the Digital Omnibus. The current approach combines deregulation in effect with a compressed legislative process, placing fundamental rights and legal certainty at risk. The EU can, and should, address implementation challenges without reopening core safeguards. Doing so requires enforcement, institutional capacity, and disciplined lawmaking. Weakening protections and calling it simplification is not the solution.

