In the days preceding the publication of the European Commission’s Digital Omnibus proposals mid-November 2025, several news outlets, most prominently The Guardian, reported that the EU was preparing a “secret” overhaul of the GDPR. Early leaks painted the Omnibus as a sweeping deregulatory push that would turn Europe into a “digital vassal” of US tech giants. Now that the actual proposals have been released, the reviews from some corners aren’t much better, with the European Digital Rights (EDRi), a pan-European network of NGOs, describing the plans as “a major rollback of EU digital protections” that risked dismantling “the very foundations of human rights and tech policy in the EU”.
In my view, while the package does include significant deregulatory measures — particularly around data protection, AI, and cybersecurity — the “vassalisation” narrative is entirely overstated. Whilst I entirely sympathise with the EDRi’s call for digital protection, the old law (and unequal enforcement of it for US Big tech firms) was restricting innovation for EU business. The reforms will help European businesses innovate and compete globally. I’d caution though that the rules still need to be coupled with consistent, effective enforcement which was missing before the shake up.
What the Digital Omnibus really is
The Digital Omnibus is not a single law but a two-part package:
The EU Commission frames the reforms as a targeted simplification of an overly complex rulebook. Critics argue it is a deregulatory reset that weakens privacy protections while giving Big Tech breathing room. In my view, the deregulation, if actioned carefully and consistently, gives everyone breathing room, which could allow EU SMEs and innovative tech companies the opportunity to ‘catch up’ with established big tech.
Key reforms now proposed
The Commission proposes clarifying that some pseudonymised or indirectly identifiable data can fall outside the definition of personal data if reasonable re-identification is not possible. This would allow wider reuse of such datasets — including for analytics and AI development — without triggering full GDPR obligations.
The proposal introduces greater flexibility to use data for new purposes, especially in contexts like cybersecurity, fraud prevention, and AI model improvement. Organisations could refuse data-subject access or deletion requests deemed “manifestly unfounded or excessive.”
Critics argue this risks undermining one of GDPR’s core protections: limits on how data collected for one purpose can be used for another. For me, this is all in the interpretation and enforcement.
A highly controversial change: special-category protections would apply only when sensitive traits are directly provided or evident — not merely inferred by an AI system.
Civil-society groups warn this could enable profiling without adequate safeguards.
Organisations could process personal data — including some sensitive data — for AI development under a legitimate interest basis, with safeguards.
This is a major shift away from consent-based data use and is explicitly aimed at boosting European AI capabilities.
The Omnibus raises thresholds for documentation (Article 30), simplifies DPIA requirements for low-risk processing, and provides lighter compliance regimes for SMEs and non-profits.
The Commission proposes a single EU breach-reporting portal — maintained by ENISA — covering GDPR, NIS2, and other digital laws.
This reduces overlapping notifications, a long-standing business complaint.
Important elements beyond the original leaks
Delays to the AI Act
High-risk AI obligations are postponed:
This gives companies more time and allows standards to be finalised.
Expansion of regulatory sandboxes
An EU-level AI sandbox (from 2028) will allow real-world testing, helping SMEs in particular.
European Business Wallet
A new digital identity tool for companies to ease cross-border compliance.
Simplification or deregulation?
Supporters (I include myself here) argue the Omnibus tackles long-standing issues: complex rules, divergent national interpretations, and heavy administrative burdens. They say GDPR needs refinement to remain workable in an AI-driven economy.
However, critics argue the package goes well beyond simplification:
Some civil-society groups call the proposals a “rollback” of digital rights. Whilst I do have some sympathy here and absolutely think privacy and security should be at the heart of digitisation, I do think the point is overstated – the reforms absolutely need to be actioned with care, but some deregulation is need if European innovation is to thrive.
Do the reforms go too far?
Whilst I’m a broad supporter of the reforms, I do concede that some elements deserve serious scrutiny:
These are areas where further refinement is essential.
Is Europe really becoming a “digital vassal” of US tech?
The Guardian claims the reforms risk turning Europe into a subordinate “digital vassal” to US tech giants by easing restrictions on data use — an area central to their business models. It also argues, correctly, that GDPR enforcement against large US firms has been inconsistent and often ineffective.
But the idea that any deregulatory move benefits only US firms is flawed.
In 2025 and beyond, every organisation — from start-ups to public bodies — relies on data and AI. Without some recalibration, European firms risk falling further behind global competitors operating under more permissive regimes.
The solution is not to keep rigid rules while selectively failing to enforce them. Instead, Europe needs:
This combination would strengthen European competitiveness rather than weaken it. It’s easy for politicians to demand x, y, and z, but if the requirements are overly burdensome and unrealistic, they’ll end up receiving nothing at all. Which feels like where things were heading before these reforms. With these changes, it finally feels like policy makers are taking some of the pragmatic messages on board from data professionals.
Conclusion: Europe needs balance — not alarmism or complacency
In my view, Europe is right to review whether its digital regulatory framework remains fit for purpose. GDPR was groundbreaking, but it predates modern generative AI and the scale of today’s data ecosystems.
The answer is not to freeze the system in time, nor to hollow it out. The EU must strike a pragmatic balance:
That, more than anything, is what will prevent Europe from becoming a digital vassal — and help build a resilient, competitive, sovereign digital economy.
If you have thoughts on the proposals and want to discuss, feel free to reach out via hello@metadataworks.ai.