The European Digital Omnibus package is under fire from privacy advocates. The organization NOYB warns that the proposed changes to the GDPR and the ePrivacy Directive could weaken the protection of personal data, ultimately doing exactly the opposite of what those laws are intended for.
The protection of personal data on the internet as we know it today could be in jeopardy, critics say. According to a proposal by the European Commission, General Data Protection Regulation (GDPR) would no longer protect any information that does not directly identify a person – such as common digital traces like cookies, device IDs, or hashed e-mails.
NOYB, a data protection NGO, published analysis of all the changes relevant to the first two laws.
“We got half common sense simplifications and another half wild deep cuts that would make the GDPR even more complex and inconsistent. We see a tendency that the co-legislators may dispose of major changes and wave the reasonable parts through,” the founder of NOYB Max Schrems said to EU Perspectives.
You might be interested
The Commission adopted a Digital Omnibus proposal amending a large corpus of the EU’s digital legislation, including the GDPR, the ePrivacy Directive, the EUDPR, the Data Act and the NIS 2 Directive on 19 November 2025.
Consumer rights group BEUC has also voiced serious concerns about the proposals to change the scope of the GDPR.
“Despite earlier assurances, the Digital Omnibus proposal goes far beyond ‘targeted modifications’. Instead, it weakens longstanding consumer protections regarding data and privacy,” it said in its latest position paper.
What falls under “personal data”
The Commission proposes to change the definition of “personal data” in Article 4 of the GDPR.
This would severely restrict the definition of personal data, said BEUC. “In short, under the Commission proposal, any information element that does not immediately identify a person would fall outside the definition of personal data. For example, most online activity relies on cookies, hashed e-mail values, device IDs and similar identifiers. Under the new definition, these elements risk no longer being considered as personal data. Which means that the GDPR would no longer apply.”
Even the European Union’s own watchdogs, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have said the changes raise significant concerns.
We strongly urge the co-legislators not to adopt the proposed changes. These changes are not in line with the Court’s case law and would significantly narrow the concept of personal data. – Wojciech Wiewiórowsk, the European Data Protection Supervisor
In a joint statement the EDPB and the EDPS said some of the proposed changes could “adversely affect the level of protection enjoyed by individuals, create legal uncertainty and make data protection law more difficult to apply”.
The EDPB and the EDPS “strongly urged” law-makers not to adopt the proposed changes. The change to the definition of personal data is ostensibly to align with European Court of Justice rulings. But the EDPS and EDPB dispute this saying the changes “do not accurately reflect and clearly go beyond the CJEU jurisprudence.”
“Simplification is essential to cut red tape and strengthen EU competitiveness – but not at the expense of fundamental rights,” said EDPB Chair, Anu Talus.
“We strongly urge the co-legislators not to adopt the proposed changes to the definition of personal data. These changes are not in line with the Court’s case law and would significantly narrow the concept of personal data. We must make sure that any changes to the GDPR and EUDPR actually clarify obligations and bring legal certainty while maintaining trust and a high level of protection of individual rights and freedoms,” explained the European Data Protection Supervisor, Wojciech Wiewiórowski.
Technical solutions
However both bodies welcome the proposal’s aim to introduce a specific derogation to the prohibition to process sensitive data. That would cover the incidental and residual processing of such data in the context of the development and operation of AI systems or models.
Yet they recommend several improvements, such as clarifying the scope of the derogation and ensuring safeguards throughout the whole lifecycle.
Lastly, they say, changes brought to the provision on automated individual decision-making should be clarified to make these changes meaningful and legally sound.
Regarding changes to the ePrivacy Directive, the Omnibus aims to address so-called consent fatigue and the proliferation of cookie banners. Here the EDPB favours technical solutions saying “that the use of technical means can simplify compliance by controllers and support individuals in making their online choices effective”.
