A promised spring-clean of EU digital standards is turning into a tense showdown. MEPs accuse the Commission of gutting hard-won safeguards, such as scrapping AI transparency registers, postponing high-risk duties, loosening data definitions and gifting media a cookie free-pass. Meanwhile, officials swear it is mere tidying, not kowtowing to tech giants and lobbyists.
The civil-liberties committee of the European Parliament (LIBE) on 26 January sized up the European Commission’s twin “digital omnibuses”. It soon became a tug-of-war over whether the texts streamline the Union’s rule-book or hollow it out. Two representatives of the Comission—Renate Nikolay, deputy director-general at DG CONNECT, and Ana Gallego Torres, director-general at DG JUST—arrived armed with one omnibus that welds four data laws into a single Data Act and another that edits the still-ink-wet Artificial-Intelligence Act. Before long they found themselves on the defensive.
Ms Nikolay opened with a plea for calm. “Let me stress that simplification does not mean deregulation, and that it does also not mean playing around with the objectives of our regulatory framework,” she said. Ms Gallego added that the overhaul would “contribute to the simplification agenda and legal certainty”.
Yet many deputies thought the Commission was rushing to rewrite statutes that are not fully in force. MEP Juan López Aguilar (S&D/ESP) warned that legislation which took “time and toil to adopt” now risked being “reviewed, downgraded” before its effects were visible.
You might be interested
Re-setting the dials
The omens were obvious well before the microphones clicked on. The digital omnibus merges the Data Governance Act, the Open Data Directive, the Free Flow of Data Regulation and the original Data Act. The AI omnibus, meanwhile, delays core duties for high-risk systems, scraps a transparency register that took months to stitch together during the AI Act’s night-time trilogues and lets providers self-classify whether their tools fall inside Annex III, the law’s high-risk list.
MEP Michael McNamara (Renew/IRL), rapporteur on the AI file, doubted both the pace and provenance of the clean-up. “It also raises some considerable concerns, in particular around the impact assessments or the lack thereof,” he said. He reminded colleagues that corporate-watchers had traced many amendments to tech-lobby wish-lists. Ms Nikolay shot back: “The simplification agenda has nothing to do with US lobbying.” She insisted that consultations took place “with European businesses”, not with Silicon Valley.
The first flash-point concerned transparency. Article 6 of the AI Act obliges suppliers of high-risk systems to list them in a public register. MEP Markéta Gregorová (Greens-EFA/CZE) called the clause “a minimum safeguard”. “So my question is, how can you justify coming back on such an important provision?” she asked. Ms Nikolay, suddenly on the back foot, acknowledged that the register “was seen as a cumbersome kind of issue”. She floated the idea of support from the new AI Office in lieu of filing requirements. That answer satisfied few sceptics.
The data dilemma
“I disagree with statement that you didn’t change the definition of personal data that was mentioned—you did,“ Ms Gregorová went on. “It was in order to codify a case law that I think you cherry picked, but okay. I would like to understand, does this mean that you intend to exclude from the GDPR data brokers and a great chunk of the advertising industry that relies on pseudonyms and identifiers?“
For data brokers the stakes are existential. If a database of hashed identifiers falls outside the GDPR, swathes of the targeted-advertising industry could slip into a lighter regime. Ms Gregorová pressed the point: would an IP address still count as personal data? Ms Gallego insisted there was “no intention whatsoever to exclude data brokers” when re-identification remained possible. Observers noted that enforcement will hinge on whether supervisory authorities have the forensic capacity to judge pseudonymisation claims.
MEP Birgit Sippel (S&D/DEU) warned that greater reliance on self-assessment “could become a loophole rather than a simplification”. She demanded to know how the Commission would stop firms quietly downgrading risk classifications. Ms Nikolay promised “to observe the market further” through the AI Office and national watchdogs. The reassurance sounded thin. Several deputies muttered that consumers will discover the gaps only after harm occurs.
Deadlines deferred
A second row erupted over timing. Under the AI Act, most duties for high-risk systems bite in August 2026. Standards bodies admit they cannot finalise technical norms by then. The AI omnibus therefore postpones obligations until standards or equivalent guidelines exist. Ms Sippel called the device “a de facto suspension mechanism”. Ms Nikolay replied that the choice lay between orderly delay and legal limbo. “We can be blind to that and simply run into this without legal certainty, or we can address it,” she argued.
Not everyone bought the dichotomy. MEP Axel Voss (EPP/DEU) wondered whether the Commission had conflated content with calendars. Perhaps, he suggested, member states should “stop the clock”, pull the AI clauses out of the omnibus and treat them separately. Ms Nikolay said talk of halting implementation was outdated; the European Council had already called for swift enforcement and member states had backed the omnibuses in December.
(The omnibuses) would contribute to the simplification agenda and legal certainty. — Ana Gallego Torres, director-general at DG JUST
The postponement matters beyond bureaucratic neatness. Companies developing medical diagnostics or safety-critical software plan compliance budgets years ahead. If the finish line moves, so do investment decisions. Consumer groups fear that the delay will expose patients and passengers to half-tested algorithms during the most rapid expansion of generative AI yet seen.
What counts as personal?
While the AI jousting hogged the spotlight, the data omnibus sparked its own doctrinal feud. The text codifies Court-of-Justice rulings by clarifying that information which has been irreversibly pseudonymised ceases to be personal data.
Ms Gallego claimed the change “is not about reducing the scope of the GDPR as such, but clarifying the notion of personal data based on the principles of the GDPR.” She said the new test will apply only when re-identification is “practically impossible”.
MEP Marina Kaljurand (S&D/EST), who chaired the meeting, accused the Commission of cherry-picking precedent. “But when I look at the wording, it seems that it has been taken from the one court case, SRB Single Resolution Board court case,” she said. Ms Gallego replied that the definition builds on recital 26 of the GDPR and the court’s guidance that risk must be “insignificant”.
Advertising, fatigue and the fourth estate
The archive of user complaints suggests voters care less about pseudonymisation theory than about the pop-ups choking their screens. The omnibus tackles the “cookie-consent fatigue” that has haunted Brussels since the e-privacy directive. Most sites will switch from opt-in pop-ups to browser-level consent signals.
However, publishers get an exemption: they may continue to serve cookies without prior consent to finance journalism. “Fundamental rights should be applied regardless of the business model,” argued Ms Gregorová.
I disagree with statement that you didn’t change the definition of personal data that was mentioned — you did. — MEP Markéta Gregorová (Greens-EFA/CZE)
Ms Nikolay defended the carve-out. She said media firms face “specific pressure points” because advertising revenue has migrated to platforms, and that the exemption applies only to outlets that meet the European Media Freedom Act’s definition of editorial responsibility. Critics worry that readers will face “pay-or-okay” walls: accept tracking or open your wallet. Whether the fix cures fatigue or deepens it may depend on how browsers implement the new signals.
Inter-institutional arithmetic
Behind every technical barb lurked an institutional question: who guards the guardians? The Commission proposes a “single supervisory window”, ending the practice of filing reports to 27 national authorities. Ms Nikolay called it “an important improvement for businesses”. National regulators fear a power grab. Deputies on the left echoed that anxiety when they heard that Brussels will take direct charge of general-purpose AI models.
The political sums are delicate. Member states like the simplicity of a one-stop shop. Parliament’s largest parties crave proof that enforcement will happen on-the-ground, not just at the Berlaymont. With elections looming, MEPs also worry about being painted as either anti-innovation or lax.
Both omnibuses now move to formal negotiation. The data-protection board and the EU’s own supervisor will publish a joint opinion in February. Mr McNamara hinted that Renew may back delays if safeguards tighten. Ms Gregorová signalled that the Greens will fight the removal of the AI register and the media cookie exemption. The Socialists want tougher gatekeeping on pseudonymisation and self-assessment. The EPP, split between pro-business instincts and consumer-rights rhetoric, will likely get to decide which camp prevails.
Costs and benefits
Amid the skirmishes the Commission touts headline savings. The European Business Wallet alone is to save companies €150bn annually. Merging reporting portals could shave compliance bills by €10bn a year. Harmonised breach-notification thresholds and a single list for impact assessments should help small firms in particular. The gain, though, depends on details not yet written: templates, standards, guidelines and implementing acts.
Ms Gallego argued that the biggest winners would be “the local sport club” or artisan now drowning in paperwork. If Brussels can draft truly usable templates, that may happen. If not, lawyers will still earn their keep.
Let me stress that simplification does not mean deregulation, and that it does also not mean playing around with the objectives of our regulatory framework. — Renate Nikolay, deputy director-general at DG CONNECT
Opponents fear opportunity costs that are harder to tally. Delayed high-risk obligations might let facial-recognition pilots run wild. A relaxed definition of personal data could blur tracking even as dark-pattern ads spread. And a publisher cookie exemption may lock readers into surveillance or subscription.
A story unfinished
No vote was taken at the January hearing, but the mood was plain. Simplification has become a loaded word in Brussels, celebrated by those who write compliance cheques and distrusted by those who defend digital rights. The clash in the LIBE committee showed how swiftly that word can turn a cordial update into a partisan cross-examination.
The omnibuses will now travel a gantlet of amendments. Some changes—a single incident-reporting portal for cyber breaches, for instance—look uncontroversial. Others, such as the diminished AI register, could sink the bill if Parliament stands firm. Trilogues are pencilled in for late spring, though veterans know that schedules slip.
For the Commission the stakes are reputational as well as regulatory. Ursula von der Leyen’s team has made competitiveness its rallying cry in the final year of the mandate. If deputies conclude that competitiveness masks capitulation to lobbyists, the slogan will ring hollow. If, however, Brussels can prove that tidier rules can still bite, the omnibuses may yet sail through.
