On January 29, 2026, a heated debate unfolded in Berlin as the EU Commission’s sweeping “Digital Omnibus” proposal took center stage at the European Data Protection Day event. The package, which seeks to overhaul key aspects of digital regulation across the European Union, has rapidly become a lightning rod for controversy—especially around its proposed changes to data protection and artificial intelligence (AI) rules.
Meike Kamp, Berlin’s Data Protection Commissioner, did not mince words as she addressed an audience of privacy experts and policymakers. “The EU Commission is shaking the very foundations of data protection,” she declared, according to coverage by netzpolitik.org. Her concerns focused on a central, and highly contentious, element of the Omnibus: the potential redefinition of pseudonymized data and its status under the General Data Protection Regulation (GDPR).
The Digital Omnibus, as outlined by the EU Commission and analyzed by experts on January 29, aims to consolidate overlapping digital laws, streamline reporting for IT security incidents, and—most notably—introduce significant changes to how personal data is handled in the age of AI. The Commission frames the package as a move toward simplification and greater competitiveness, but critics warn it could open the floodgates to weakened privacy standards and unchecked data exploitation.
One of the most debated proposals is to allow pseudonymized data, under certain circumstances, to fall outside the scope of the GDPR. Currently, such data is still regarded as personal unless it is truly anonymized—meaning no reasonable means exist to re-identify the individual. The Commission now wants to introduce a “relative personal reference” concept. Simply put, if a data processor cannot easily re-identify a person, the data would no longer be treated as personal, even if a third party might possess the means to do so.
Supporters argue this change would make it easier for companies to share and use data for innovation, particularly in AI development. As recent analyses have shown, large tech firms—especially from the United States—have lobbied hard for such a shift, hoping to lower compliance costs and speed up product development. The Commission also points to recent European Court of Justice (ECJ) rulings, claiming its proposal merely aligns the law with the court’s latest interpretations.
But privacy advocates aren’t convinced. Meike Kamp warned that the new approach could legitimize the “out-of-control tracking industry,” which already traffics in vast quantities of location and behavioral data. According to investigations by netzpolitik.org and Bayerischer Rundfunk, these data flows often end up in the hands of brokers who can re-identify individuals—including high-ranking EU officials—with alarming ease. “Are these entities able to identify natural persons, or does this only apply to the website operator?” Kamp asked, highlighting the complexities regulators face in policing the opaque world of online advertising.
She was not alone in her criticism. Alexander Roßnagel, the Data Protection Commissioner for Hesse and a respected privacy law scholar, echoed her concerns at a separate event, calling the Commission’s proposal “too undifferentiated” and warning it could significantly lower the GDPR’s protection level. Max Schrems, a well-known privacy activist, also voiced strong objections, while Renate Nikolay, Deputy Director-General at the EU’s Directorate-General for Communications Networks, Content and Technology, defended the changes, insisting they merely implement the ECJ’s guidance and do not erode existing safeguards.
Beyond the pseudonymization debate, the Digital Omnibus contains other far-reaching provisions. It proposes to delay the full application of strict rules for high-risk AI systems—originally set for August 2026—until the EU finalizes harmonized technical standards. This “stopwatch mechanism” could push deadlines back by up to 16 months, a move welcomed by many businesses who fear being held to requirements before technical specifics are settled. According to legal experts at Baker McKenzie, this is a pragmatic response to industry concerns about a so-called “standards gap.”
The package also aims to simplify documentation obligations, extending streamlined requirements to larger medium-sized enterprises and thereby reducing bureaucratic red tape. For companies struggling with the practical implications of the EU AI Act—from risk classification to labeling and record-keeping—these changes could spell significant relief. A free implementation guide, now circulating among developers and compliance officers, offers checklists, templates, and timelines to help businesses navigate the evolving regulatory landscape.
On the data protection front, the Omnibus seeks to explicitly permit the use of personal data for AI model training based on a “legitimate interest” principle, provided that safeguards like pseudonymization and opt-out options are in place. This clarification is designed to end the legal uncertainty that has plagued European AI developers, but it also raises questions about the sufficiency of such protections in practice.
Another notable change is the plan to tighten the definition of “personal data.” Under the new rules, data from which an individual cannot be “reasonably” identified would potentially fall outside GDPR coverage. This could dramatically lower compliance burdens for companies handling large datasets, but it also risks leaving individuals vulnerable if re-identification methods improve or are misused.
The Omnibus further proposes a single entry point for incident reporting, replacing the current patchwork of obligations under the GDPR, NIS2 Directive, and DORA Regulation. This harmonized EU gateway is intended to cut down on double work and streamline crisis response. Meanwhile, cookie consent rules will be moved into the GDPR, introducing a six-month “cooling-off period” during which websites cannot repeatedly pester users who have declined tracking. This aims to combat “consent fatigue,” but will require adjustments by today’s consent management platforms.
The stakes are high. The Digital Omnibus signals a strategic pivot for the EU—from a strict regulatory stance toward a focus on competitiveness and simplification. Economic pressures are mounting, and both the European Parliament and Council are expected to push for swift negotiations in 2026. Industry groups have welcomed the prospect of lighter-touch regulation, but privacy advocates and civil society organizations remain wary, fearing that the package could mark the beginning of a broader deregulatory trend.
For now, companies find themselves in a state of limbo—preparing for both the existing AI Act deadlines and the possibility of significant delays or changes. As the legislative process unfolds, all eyes are on Brussels, where the outcome will shape not just the future of European data protection, but the global conversation on privacy, innovation, and digital rights.
Meike Kamp’s message for lawmakers was clear: “Instead of weakening definitions, we should pursue robust pseudonymization.” As the EU grapples with how to balance privacy, innovation, and economic growth, the debate over the Digital Omnibus is far from over.
:sharpen(0.5,0.5,true)/tpg%2Fsources%2F70d6a541-5757-486e-a21c-bce2850b6d29.jpeg)