Why the Digital Omnibus puts GDPR and ePrivacy at risk

On 19 November, the European Commission published two Omnibus proposals: one that rewrites key parts of the General Data Protection Regulation (GDPR) and ePrivacy rules, along with other data-related laws, and another that amends the AI Act. This article focuses on the first proposal. It explains how the changes would weaken core rights to data protection and the confidentiality of communications, and why the combined effect risks reshaping long-standing safeguards for people in the EU.

By EDRi · November 19, 2025

A fast-track to weakening rules that safeguard daily life

On 19 November, the European Commission unveiled its new “Digital Omnibus” package — a set of proposals advertised as an effort to “simplify” digital regulation and ease compliance for businesses. Buried inside this package, however, is something far more consequential: the reopening of the EU’s core privacy and data-protection laws, including the GDPR and the ePrivacy Directive.

This move comes despite the fact that neither the Commission’s Call for Evidence nor its “simplification agenda” ever mentioned plans to amend the GDPR. And yet, a few closed-door “reality check” meetings with selected stakeholders later, the Commission has put forward a proposal that reshapes key protections without a fundamental-rights impact assessment. The documents pay lip service to rights but focus primarily on economic arguments, leaving unanswered how weakened safeguards will keep people safe or uphold the fundamental rights enshrined in the EU Charter.

What would the Omnibus do – on paper and in real life

After an analysis of the leaked version of the Digital Omnibus, our Policy Advisor Itxaso Domínguez de Olazábal looked into what made it into the final proposal and what this really means, both on paper and in real life. Once again: it’s less about reducing red tape and more about eroding privacy, accountability, and human rights across Europe.

What we found is clear: the proposal fundamentally weakens the protections that make the EU’s digital framework meaningful. The Omnibus would:

  • Redefine “personal data”, letting companies treat data as ‘non-personal’ if they cannot identify someone, even if others can.
  • Loosen biometric protections by allowing certain identity checks and AI uses to bypass existing safeguards.
  • Create a new “legitimate interest” for AI, allowing your posts, photos, or voice recordings to train AI systems without consent. With no control, you would have neither an opt-out nor deletion.
  • Relax transparency duties: companies could skip key info if they think “users already know.” You’d never truly know who uses your data, or how. Combined with weaker access rights, you lose the ability to see who has your data or what they do with it.
  • Weaken device and communications privacy. By shifting parts of ePrivacy into the GDPR, the Omnibus loosens the long-standing rule that companies must get consent before accessing information on your device. This means that accessing or storing information on your phone could happen “for technical reasons” or under broad exceptions, normalising device-level tracking.
  • Shift key ePrivacy protections into the GDPR when personal data are involved, weakening the consent rule and expanding exceptions. This allows companies and other actors to read and store data on your phone without consent. Your devices could be accessed or tracked “for technical reasons.”
  • Remove current limits on automated decision-making, allowing important decisions to be made solely by algorithms whenever companies consider them ‘necessary for a service’. This would mean profiling and discrimination invisible to you.
  • Create new permissions in the AI Act for processing sensitive data to ‘correct bias’, allowing traits like sexuality, health status or political views to enter AI systems, and allowing sensitive data to stay in training datasets if removing it is seen as too difficult.
  • Pull the Law Enforcement Directive down to the weakened GDPR baseline at a moment when Europol and other agencies are expanding their access to data and AI systems.

This is a great corporate wishlist disguised as reform

Individually, these amendments are troubling. Together, they represent a shift away from enforceable rights and toward corporate discretion, with no evidence that these changes will benefit businesses or competitiveness, but strong evidence that they will erode trust, fragment enforcement, and harm people. By redefining key terms and creating overlapping rules, the proposal makes enforcement harder across authorities and allows companies to switch arguments between legal regimes.

Europe’s credibility as a global defender of digital rights depends on upholding, not unravelling, the protections it built. Once again, we urge the European Commission to course correct and withdraw its plans to reopen the GDPR and ePrivacy, and instead focus on enforcing these laws.