The Digital Omnibus, the European Commission’s flagship package to simplify EU digital rules, is a genuine opportunity to make Europe’s digital rulebook clearer, more coherent and easier to work with, while ensuring the protection of users’ personal data and privacy. It contains real progress that European tech companies have long called for. It also contains provisions that, if left unchanged, would hold back the very competitiveness it is meant to unlock. As negotiations move forward, the European Tech Alliance (EUTA) urges co-legislators to preserve what works, and to fix what does not.
Six months in, Council discussions have advanced and Parliament is preparing its position. The test for the file is straightforward: does it really deliver simplification in practice? Three priorities should guide negotiators: preserve the General Data Protection Regulation (GDPR) simplifications that work, fix the consent provisions that do not, and turn Privacy-Enhancing Technologies (PETs) into a strategic European asset.
Three provisions in the proposal stand out for their direct operational impact. They should be preserved.
✔ A workable definition of personal data. The Commission codifies the relative approach to identifiability already established by the Court of Justice of the European Union (CJEU) in the Breyer and EDPS v SRB cases. This resolves a long-standing source of legal uncertainty that has forced European companies to apply the full GDPR regime to tokenised, aggregated and pseudonymised data, even where they have no realistic means of identifying individuals. This means clear rules, better calibrated compliance, strong user protection and more harmonisation in the interpretation of the CJEU case law, contributing to a fair, level playing field for all economic actors.
✔ Legitimate interest as a legal basis for AI training and deployment. A clear, risk-based and harmonised pathway with a balancing test is essential to keep AI development in Europe that is aligned with our European values. It supports the SMEs, scale-ups and entrepreneurs that will determine whether Europe builds its own AI capabilities or imports them. However, the unconditional right for data subjects to opt out should be removed, as it goes beyond the GDPR.
✔ A single entry point for data breach notifications. A harmonised mechanism, a raised risk threshold aligned with Article 33 GDPR, a 96-hour reporting window and a unique European template will replace today’s patchwork. For companies also subject to the Network and Information Security 2 (NIS2) Directive (Directive (EU) 2022/2555), one notification can cover both frameworks. The result is faster, more focused incident response: less time spent on duplicative paperwork across 27 jurisdictions, more time spent containing breaches and protecting users.
These three targeted changes are not industry privileges. They are the operational prerequisites that allow European tech companies to innovate, build, deploy and scale across the Single Market with confidence – as the case studies illustrate, from faster fraud detection in e-commerce to fairer AI training for rare-disease diagnostics.
The Digital Omnibus rightly identifies cookie fatigue as a problem. But Articles 88a and 88b, as drafted, will not solve it.
Article 88a creates two different sets of consent rules for accessing a user’s device, depending on whether the data accessed is personal or non-personal. The result is counter-intuitive: non-personal data would be held to a stricter consent standard than personal data. Enforcement would also remain split between the GDPR one-stop-shop and multiple national authorities under the ePrivacy Directive (Directive 2002/58/EC). That is more complexity, not less.
Article 88b would mandate a single consent setting built into the user’s browser, applied automatically across every website. The aim is user empowerment. The likely effect is the opposite, on three counts.
There is a better way: build consent that works.
✖ Delete Article 88b. A centralised browser-level layer will not fix the volume problem. The answer is to ask for consent where it genuinely matters to users, not to channel every request through a single technical intermediary.
Co-legislators should redraft Article 88a around:
✔ Apply the GDPR’s existing legal bases, including legitimate interest, to data accessed on a user’s device, and end the parallel data processing regime under the GDPR and the ePrivacy Directive. Simplify both regimes by uniting them under Article 6 of the GDPR.
✔ Reserve consent for what genuinely matters to users or potentially impacts them, such as commercial personalisation, where meaningful in context service-level consent should remain. Stop asking for consent for things users already expect to happen, such as keeping a service secure, preventing fraud, measuring how a website performs or limiting the frequency at which the same ad is shown.
The Digital Omnibus should incentivise recognised Privacy-Enhancing Technologies (PETs) through open technical standards developed with relevant authorities such as the EDPB, the European Union Agency for Cybersecurity (ENISA) and the European Data Innovation Board (EDIB). Having standards will enable fair competition and prevent “PETs washing”.
PETs make privacy-by-design operational. Pseudonymisation, differential privacy, federated learning, synthetic data and secure multi-party computation all share the same principle: privacy protection is engineered into how data is handled, not added on afterwards.
Today, the regulation has yet to catch up. A company that invests in deploying a PET to better protect users or to suppress the risk of identifying individuals faces the same legal obligations as one that does not. The business case for the investment disappears.
✔ Broaden Article 41a so that PETs become a strategic European asset, not a compliance afterthought. The Digital Omnibus introduces Article 41a GDPR, empowering the Commission to define when data resulting from pseudonymisation no longer constitutes personal information. The scope should be broadened to introduce PETs through delegated acts.
✔ Support open, interoperable infrastructure, referencing internationally recognised technical benchmarks, to prevent gatekeeper lock-in at the technology layer.
The Digital Omnibus can deliver what European tech companies have long called for: one law, one rulebook, one interpretation, applied consistently across the Single Market. To get there, negotiators should:
✅ Preserve the three GDPR simplifications on personal data, AI training and breach notifications.
✅ Redraft Article 88a so that consent is only asked where it genuinely matters and aligns with the GDPR’s existing legal bases.
✅ Ensure the implementation of a risk-based approach and incentivise the development of Privacy-Enhancing Technologies.
❌ Delete Article 88b, which imposes a centralised cookie management system and creates gatekeepers.
Simplification must be delivered in practice, not in principle. The test is whether European companies can spend less time navigating regulatory uncertainty and more time building the products, services and AI capabilities that will define Europe’s digital future while protecting users’ personal data. The Digital Omnibus can pass that test. EUTA stands ready to work constructively with co-legislators to make sure it does.