GDPR and AI Act Under Pressure: Can Europe Have Both Privacy Safeguards and Tech Leadership? 

In 2025, drawing on Mario Draghi’s Report, the European Commission introduced its competitiveness vision, proposing several ‘simplification’ packages for various EU regulations. Among them is the so-called ‘Digital Omnibus’, which is designed to streamline, simplify, and align major Union digital legislation, including the GDPR, the AI Act, the Data Act, and cybersecurity laws. Its primary goal is to strengthen the competitiveness of EU businesses by reducing the administrative and compliance burden by at least 25% (35% for SMEs) by 2029.

Digital for Planet works on several topics that directly relate to the above EU digital legislation and everyday practices. Therefore, we could not miss the recent Digital Omnibus legislative proposal, a key ‘simplification’ package proposed by the European Commission.

Setting the Stage

The General Data Protection Regulation (GDPR) is widely regarded as one of the world’s most robust data protection frameworks. It governs how individuals—and increasingly, algorithms—access, process, and use personal data, establishing clear boundaries for organisations and businesses. GDPR has impacted privacy laws in over 100 countries across the world. In doing so, it has contributed not only to stronger data protection, but also to shaping a more human-centric European and global digital ecosystem. 

Rooted in the principles of the Charter of Fundamental Rights of the European Union—particularly Art. 7 (respect for private and family life) and Art. 8 (protection of personal data)—the GDPR reflects a broader vision of digital development that places fundamental rights, social well-being, and trust at its core. This aligns closely with emerging approaches to ICT for social good, which emphasise that digital technologies should serve people, communities, and the public interest. 

While the GDPR initially faced criticism for potentially constraining innovation, it has increasingly come to be recognised as a global ‘gold standard’ for governing data in a digitising society. Importantly, it has also laid the groundwork for more responsible and accountable AI systems by embedding principles such as transparency, purpose limitation, and data minimisation—principles that are essential for developing efficient, trustworthy, and sustainable AI. 

Recent policy shifts, however, reflect growing pressure on Europe to enhance competitiveness and strengthen its role in the global digital economy. These shifts have initiated a broader reassessment of both the protections afforded by the GDPR and the assumptions underpinning EU digital policymaking. This moment presents an opportunity not only to streamline regulation, but also to ensure that innovation pathways remain aligned with societal values and long-term sustainability. 

Europe’s Digital Crossroads: Data Protection, AI, and the Future of Innovation

On 19 November 2025, the Commission introduced its Digital Omnibus proposal. While reaffirming the importance of protecting personal data, the proposal aims to simplify and harmonise digital rules to support innovation. At the same time, it raises important questions about how to preserve core data protection principles while enabling the development of advanced AI systems. In particular, proposed changes affecting the definitions of personal and sensitive data have sparked debate among stakeholders—including businesses, policymakers, and civil society—highlighting tensions between regulatory simplification and the need to safeguard fundamental rights. 

From the perspective of responsible and efficient AI, this debate is crucial. AI systems depend on data, yet their development must be guided by principles that ensure fairness, accountability, energy efficiency, and societal benefit. Simplifying regulatory frameworks should not come at the expense of weakening protections, but rather should aim to enable innovation that is both technically robust and socially aligned. 

Ultimately, this raises fundamental questions. Are existing policy instruments still fit for purpose in ensuring that digital technologies—particularly AI—serve society without undermining fundamental rights? And can legislative initiatives such as the Digital Omnibus support a European model of innovation that is both competitive and socially responsible, or do they risk reinforcing existing power imbalances, including the growing dominance of hyperscalers? 

What We're Saying

  • The Commission, both in the proposal itself and in the press conference at which it was introduced, states that, by reducing the reporting burden, the measures aim to improve the competitiveness of European actors in the digital domain, including SMEs (e.g. by amending Art. 30(1) of the Cyber Resilience Act). However, we suggest simplification may mainly benefit larger actors rather than SMEs and SMCs (up to 749 employees). This is because we’re unsure whether the simplification will actually reduce the compliance burden for growing businesses, or whether the real hurdle lies in core requirements like Data Protection Impact Assessments (DPIAs).
  • The proposal revises some core EU data protection principles. One of the new provisions (relevant for both the GDPR and the AI Act) would expand the notion of ‘legitimate interest’ and might reduce the need for explicit and unambiguous consent in cases where personal data is used to train AI models (see e.g. Art. 88). This might create unbalanced risks, and D4P will follow this ‘simplification’ closely.
  • The newly proposed Art. 4a, which replaces Art. 10(5) of the AI Act, extends the material and personal scope of the provision, allowing for broader detection and correction of bias. In practice, this means processing sensitive personal data (normally prohibited) to detect and mitigate bias. Of course, on the one hand, a biased AI system may be more harmful to individuals and society than the processing of special categories of personal data itself. On the other hand, this could lead to misuse for large-scale data crawling. Here we align with the BDVA’s recent answer to the public consultation on the Digital Omnibus. We recommend differentiating between high- and non-high-risk systems, and requiring documented justification showing no viable

To conclude, as the digital transition continues to reshape interactions between people, technologies, and environments, the challenge is not only how to regulate effectively, but how to do so in a way that fosters inclusive and sustainable digital transformation. This requires carefully balancing the opportunities of data-driven innovation with the need to mitigate risks and prevent harm.