On 19 November 2025, the Commission revealed the Digital Omnibus package. This package is only one in a series of increasing omnibus bills (giant laws that modify several laws at once) that are part of the deregulatory agenda of the new Von der Leyen Commission. The new College of Commissioners has a very clear agenda: to compete with China and the US, we need to dismantle as many regulations as possible to help businesses grow in a market defined by comparatively less-regulated regions. The narrative of the Commission is about “cutting red tape” and “reducing bureaucracy”, which are appealing concepts. However, this narrative does not explain how fundamental rights will be protected. It is even less clear how the Commission plans to ensure legal certainty when dismantling recent laws or failing to enforce them. Why should businesses respect laws the Commission does not respect?
When Deregulation wins, Citizens lose
In short, whether the deregulation touches on fundamental rights, environmental protections, or digital, there is only one winner: The business sector. In fact, even the Commissioner for Fundamental Rights, McGrath, said it when he was trying to explain the large consultations they had when they were first discussing how to modify the GDPR and the AI Act: The “targeted” changes, as he defined them, came after the feedback from European businesses demanding these changes. McGrath did not even refer to any critical voices or pretend that he had taken into consideration civil society’s views.
Paraphrasing Neil Armstrong's famous words, this is a huge step backwards for the EU’s global leadership in upholding fundamental rights online, but a giant leap forward for corporations.
If you’re new to these two digital laws, the GDPR is the actual gold standard for data protection laws around the globe. In fact, there are countries from all around the world that are signatories of the GDPR-inspired Convention 108+. The ePrivacy Directive, on the other hand, is the main piece of EU legislation protecting the right to privacy in the context of electronic communications (protecting your chats on WhatsApp or dating applications, preventing abusive online tracking -in theory- and much more).
What's at stake?
We want to highlight here 3 aspects of the Digital Omnibus that will impact our fundamental rights for data protection and privacy:
- Definition of personal data: The proposed text redefines what constitutes personal data. Until now, personal data has referred to any information that allows us to identify someone. With the suggested changes, the Commission includes a subjective aspect of how “reasonably” someone can be identified — shifting from an objective to a more flexible standard.
- Legitimate abuse: AI will use your personal information under the “legitimate interest” exception. This exception was created for low-risk situations. For example, your local sports club, of which you are a member, has a legitimate interest in using your personal data to send you direct marketing with new offers from the club. If this change goes through, AI companies will be able to abuse our personal data (including intimate photos, private documents, or chat history) without asking for our permission.
- Automated welfare - An offer that you cannot reject: Another important aspect related to automated decision making (ADM). ADM has been the target of numerous controversies, including the infamous scandal in Dutch social welfare distribution, among others. The changes to Article 22 will allow ADM to be used more intensively, as we will see a reduction in our right to object to decisions made by machines on issues such as job applications. At the moment, we can oppose that ADM (at least in theory) when the decision could have been taken without using technical means (for example, by having a recruiter analysing a job application themselves), but with the new proposed text, we will lose the right to reject a fully automated decision.
Appearances can be decieving
Contrary to what was announced, the changes to the GDPR via the Digital Omnibus will neither significantly reduce bureaucracy nor provide legal certainty. On the contrary, the Digital Omnibus will increase the power of companies and public authorities that collect personal data, and reduce people's ability to access their personal data and to reject surveillance.
But the battle has just started. This is just a proposal. Civil society has the means and the duty to resist watering down what remains, despite its problems in the text and in its enforcement, the gold standard for data protection worldwide. Civil society is already mobilising against this and the many other omnibuses planned. Will you join us?
Read our in-depth policy analysis here
The Digital Omnibus: What it Means For AI Regulation
Digital Omnibus: Quick Analysis
Liberties' response on the Digital Omnibus simplification package
