
Will the new Digital Omnibus laws destroy your GDPR privacy rights in 2026?

Why are EU data regulators stopping the latest Commission AI and GDPR changes?

The Digital Omnibus Dispute

The European Commission introduced the “Digital Omnibus” on November 19, 2025, framing it as a necessary step to streamline the General Data Protection Regulation (GDPR) and reduce bureaucracy. However, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a joint opinion in February 2026 that firmly rejects these changes. Their primary concern is that the proposal disguises a weakening of citizen rights as mere “technical simplification”.

Critical Risks to Personal Data

The most contentious point involves the definition of personal data under Article 4(1) of the GDPR.

  • Narrowing Definitions: The Commission proposes changing the legal text to exclude data from being “personal” if the entity holding it cannot effectively identify the person. Regulators argue this contradicts established case law and creates loopholes for companies to strip data of its “personal” status arbitrarily.
  • AI Training Loopholes: The proposal attempts to legitimize the processing of user data for AI training under “legitimate interest,” bypassing the need for explicit consent. Authorities warn this gives Big Tech a free pass to harvest European data without adequate checks.

The Impact on Rights and Access

Beyond definitions, the Omnibus threatens the practical ability of citizens to control their information.

  • Restricted Access Rights: Proposed changes to Article 12(5) would limit a user’s right to access their own data, restricting it to cases serving “data protection purposes.” This could prevent users from requesting data for other valid reasons, such as checking for price discrimination or obtaining evidence for legal disputes.
  • Complexity for SMEs: While pitched as a burden-reduction measure, the amendments reportedly increase legal uncertainty. Small and medium enterprises (SMEs) would face a fragmented legal landscape, while large US-based tech firms with vast legal teams would likely benefit most from the new ambiguities.

Civil Society Pushback

The privacy organization noyb (None of Your Business) has aligned closely with the regulators’ findings. Their analysis highlights that the EU regulators’ rejection serves as a critical validation of civil society concerns. noyb emphasizes that the Commission’s plan to classify pseudonymized data as “non-personal” would effectively allow companies to opt out of GDPR compliance by simply altering how they label their datasets.