The Digital Omnibus reopens the EU data acquis before it has even been tested

The Digital Omnibus goes beyond GDPR and AI

Much of the debate around the Digital Omnibus has focused on proposed changes to the General Data Protection Regulation (GDPR), ePrivacy and artificial intelligence rules. However, the proposal also significantly reshapes the EU’s broader data governance framework. This ‘data acquis’ part of the Omnibus merges elements of the Data Governance Act, which establishes a legal framework to facilitate data sharing and reuse across the European Union, the Open Data Directive, which  governs the re-use of public sector information, and related instruments into the legislation that ensures fair access to and use of data, the EU Data Act.

This is not a minor technical update. The proposal turns the Data Act into a central hub for data access, reuse, and governance. In doing so, it rewrites the institutional balance of the EU data framework. The changes affect how public authorities access privately held data, how data intermediaries operate, and how protected public-sector data can be reused.

These changes come despite the fact that the laws being amended are very recent. The Data Governance Act was adopted in 2022, and the Data Act itself in 2023. Many of their provisions are still being implemented. Simplifying a framework that has not yet been tested in practice risks creating uncertainty without evidence that the existing rules are not working ineffectively.

Why the EU created these laws in the first place

The EU data acquis, meaning the accumulated body of European Union legislation, legal acts, and court decisions specifically governing data protection, data sharing, and digital governance, was designed to address specific governance gaps. The Data Governance Act introduced trusted data intermediaries and data altruism mechanisms to enable data sharing while preserving safeguards. While the Data Act established rules on access to data generated by connected devices, cloud switching, and business-to-government data sharing.

These instruments reflected a careful balance. They aimed to encourage data sharing without undermining fundamental rights, market fairness, or public oversight. They also recognised that effective data governance requires clear roles, strong safeguards, and independent enforcement.

However, the Digital Omnibus risks undoing the balance of the EU data framework. By transferring governance mechanisms originally designed under the Data Governance Act into the Data Act, the proposal shifts them into an instrument with a different objective and logic. The While the Data Governance Act was designed to structure stewardship, safeguards, and public-interest governance, the Data Act focuses primarily on facilitating data access and use.

Placing these regimes under the Data Act risks weakening the protections originally designed for governance contexts and introduces ambiguity over which rules apply and to whom. Without clear operational guidance, actors may struggle to determine their obligations, increasing legal uncertainty and the risk of inconsistent enforcement across Member States. A true measure of simplification could have clarified the relationship between instruments, while preserving their distinct roles. Instead, the proposal collapses governance and access functions into a single framework, altering their underlying balance.

The merger also leaves key concepts undefined in binding provisions. Terms such as ‘data space’, or even ‘data access’, continue to lack clear legal definitions. As more actors fall within the framework, this lack of clarity makes it difficult to determine obligations in practice and opens the door to selective compliance.

Preserving GDPR primacy across the EU data framework

The Digital Omnibus does not only reorganise data-sharing rules, but it also risks reshaping how personal data is treated across the EU data acquis. The Data Act, the Data Governance Act, and related instruments were designed to complement the GDPR, not to create alternative pathways for processing personal data.

By merging governance and reuse mechanisms into the Data Act, the proposal risks blurring the relationship between sector-specific data rules and GDPR safeguards. In practice, this could mean that a data intermediary facilitating access to mixed datasets containing personal data relies on Data Act provisions governing reuse or access, without clear guidance on how GDPR obligations such as purpose limitation, lawful basis, or data subject rights apply. This creates uncertainty about which safeguards must be implemented and who is responsible for enforcing them. Data-sharing arrangements, intermediation models, and reuse regimes may operate in parallel with data protection obligations, creating uncertainty about which safeguards apply in practice.”

This fragmentation risks weakening core GDPR principles such as purpose limitation, transparency, and accountability. If actors rely on sectoral rules without clear links to GDPR obligations, people’s rights may become harder to exercise and enforce. Therefore, the EU data framework must preserve the primacy of the GDPR and ensure that all data-sharing mechanisms remain fully subject to data protection safeguards.

Data access rules must not reinforce dependency

The proposal significantly reshapes access to privately held data. However, by deleting non-emergency access pathways and limiting business-to-government access to public emergencies, the Omnibus risks making the framework ineffective in practice. Many public-interest uses of data arise outside of crisis situations, including environmental monitoring, market surveillance, and public-interest research.

Removing these pathways creates a structural governance gap. Public authorities may become dependent on voluntary data sharing or procurement arrangements, often under conditions set by dominant data holders. This weakens accountability and reduces the ability of authorities to exercise oversight in a timely manner.

At the same time, expanded refusal grounds risk giving data holders greater control over whether access is granted. Without strict thresholds and independent review, refusal mechanisms may become the default barriers. A workable data access framework must ensure that access rules are usable in practice and do not reinforce dependency on large actors.

A trust architecture that risks becoming nominal

The Digital Omnibus also reshapes the trust architecture introduced by the Data Governance Act. These mechanisms were designed to enable data sharing while ensuring neutrality, accountability, and independent oversight. Mandatory registration for data intermediation services was intended to create a meaningful trust label backed by enforceable obligations.

However, the proposal weakens this model by making registration voluntary and reducing the link between registration and enforceable safeguards. This risks turning the trust label into a nominal designation without clear guarantees. Actors may present themselves as trusted intermediaries without being subject to meaningful neutrality or accountability requirements.

This shift may reinforce concentration rather than support decentralised data sharing. Large actors can internalise intermediary roles while maintaining conflicts of interest, whereas smaller actors lose the signalling value of a mandatory trust label. A credible data-sharing ecosystem requires enforceable trust mechanisms, not voluntary labels.

Rules must be clear, enforceable, and usable in practice

The merger of the data acquis into the Data Act also raises concerns about legal clarity and enforceability. Combining regimes with different objectives and safeguards risks creating ambiguity about which rules apply and to whom. This is particularly relevant for the reuse of protected public-sector data, intermediation, and governance mechanisms.

When actors cannot determine which obligations apply, compliance becomes uneven and enforcement more difficult. Authorities may interpret the framework differently across Member States, leading to fragmentation. This undermines legal certainty and weakens the effectiveness of safeguards.

The EU data framework should therefore prioritise clear definitions, explicit separation of regimes, and operational guidance. These mechanisms must not only exist on paper but also be supported by institutional pathways and incentives that allow them to function in practice. Without this, simplification risks producing ambiguity rather than clarity.

The future of EU data governance

The data acquis plays a central role in shaping how data is shared in Europe. It determines whether public authorities can access data for oversight, whether intermediaries operate with accountability, and whether people’s rights remain protected.

The Digital Omnibus risks weakening these safeguards while concentrating power in the hands of both corporate and institutional actors. Instead, the EU should preserve the GDPR primacy, ensure that access mechanisms are usable and accountable, maintain a robust trust architecture, and clarify the scope of the merged framework.

EDRi will continue to engage with policymakers to ensure that changes to the data acquis strengthen democratic oversight, transparency, and people’s rights rather than undermining them.