EU consultation on digital rules: time to think outside the box
The EU’s Digital Omnibus consultation is open until Oct 14, 2025, aiming to simplify data, AI, and cybersecurity compliance. But without tackling the GDPR reform, the elephant in the room remains.
The European Commission has launched a call for evidence on the so-called Digital Omnibus, which is part of the broader Digital Package on Simplification. It will later be complemented by the Digital Fitness Check, which aims to “stress-test” the coherence and cumulative impact of the EU’s digital acquis governing business activities.
The consultation, open to all Europeans to share their views, will run until October 14, 2025. It builds on three previous calls: the Data Union Strategy, the review of the Cybersecurity Act, and the Apply AI Strategy, which together have already received 718 original feedback responses.
This Omnibus aims to address existing challenges and seek simplification in a) the data acquis (Data Governance Act, Free Flow of Non-Personal Data Regulation, Open Data Directive); b) cookie rules under the e-Privacy Directive; c) cybersecurity incident reporting obligations; d) the application of AI Act’s rule; and e) and other aspects related to the European Digital ID framework.
Draghi called for a broader GDPR reform: will we have it?
The general objective of this call for evidence is to reduce businesses’ administrative compliance costs without “compromising the objectives of the underlying rules”. Having one’s cake and eating it too is difficult — and while no one would wish the task of leading GDPR reform even on their worst enemy, it is a task that must be done.
In the explanatory document, the Commission cautiously promises to “further explore the potential need for simplification measures in the realm of data regulation, to enhance data availability and sharing”.
That promise should be bolder. Just a few days ago, Mario Draghi called for a broader GDPR reform — the pink elephant in the room has been named, and it is now time to address it.
Limiting the scope of the Omnibus only to the Data Governance Act, the Open Data Directive, and non-personal data will not address the real problem: the GDPR’s overly broad definition of personal data, Member States’ gold-plating, and their reluctance to share data with European startups and scaleups, often under the pretext of GDPR compliance.
On top of this lies a persistent fear that greater openness could lead to data “ending up in American hands”. These problems are solvable — and it is high time they were solved.
Some would argue that “this is not how the EU works” — that the matter belongs to another working group, that the Danish Presidency is currently handling it, or that GDPR reform could not be included in this call for feedback due to legal constraints. Understandable — but that is precisely what interservice consultations, and the spirit of simplification and better governance, are for.
