european funds recovery initiative Search Search... Digital Omnibus: How Big Tech Lobbying Is Gutting the GDPR HOME Related News
Digital Omnibus: How Big Tech Lobbying Is Gutting the GDPR Last week we at EFRI wrote about the Digital Omnibus leak and warned that the European Commission was preparing a stealth attack on the GDPR
Since then, two things have happened:
The Commission has now officially published its Digital Omnibus proposal.
noyb (Max Schrems’ organisation) has released a detailed legal analysis and new campaigning material that confirms our worst fears: this is not harmless “simplification”, it is a deregulation package that cuts into the core of the GDPR and ePrivacy.
What noyb has now put on the table
On 19 November 2025, noyb published a new piece with the blunt headline: “Digital Omnibus: EU Commission wants to wreck core GDPR principles”
Here’s a focused summary of the four core points from noyb’s announcement, in plain language:
New GDPR loophole via “pseudonyms” and IDs
The Commission wants to narrow the definition of “personal data” so that much data under pseudonyms or random IDs (ad-tech, data brokers, etc.) might no longer fall under the GDPR.
This would mean a shift from an objective test (“can a person be identified, directly or indirectly?”) to a subjective test (“does this company currently want or claim to be able to identify someone?”).
Therefore, whether the GDPR applies would depend on what a company says about its own capabilities and intentions.
Different companies handling the same dataset could fall inside or outside the GDPR.
For users and authorities, it becomes almost impossible to know ex ante whether the GDPR applies – endless arguments over a company’s “true intentions”.
Schrems’ analogy: it’s like a gun law that only applies if the gun owner admits he can handle the gun and intends to shoot – obviously absurd as a regulatory concept.
arzh-CNnlenfrdeitptrues european funds recovery initiative Search Search... Digital Omnibus: How Big Tech Lobbying Is Gutting the GDPR HOME Related News
Digital Omnibus: How Big Tech Lobbying Is Gutting the GDPR Last week we at EFRI wrote about the Digital Omnibus leak and warned that the European Commission was preparing a stealth attack on the GDPR
Since then, two things have happened:
The Commission has now officially published its Digital Omnibus proposal.
noyb (Max Schrems’ organisation) has released a detailed legal analysis and new campaigning material that confirms our worst fears: this is not harmless “simplification”, it is a deregulation package that cuts into the core of the GDPR and ePrivacy.
What noyb has now put on the table On 19 November 2025, noyb published a new piece with the blunt headline: “Digital Omnibus: EU Commission wants to wreck core GDPR principles”
Here’s a focused summary of the four core points from noyb’s announcement, in plain language:
New GDPR loophole via “pseudonyms” and IDs The Commission wants to narrow the definition of “personal data” so that much data under pseudonyms or random IDs (ad-tech, data brokers, etc.) might no longer fall under the GDPR.
This would mean a shift from an objective test (“can a person be identified, directly or indirectly?”) to a subjective test (“does this company currently want or claim to be able to identify someone?”).
Therefore, whether the GDPR applies would depend on what a company says about its own capabilities and intentions.
Different companies handling the same dataset could fall inside or outside the GDPR.
For users and authorities, it becomes almost impossible to know ex ante whether the GDPR applies – endless arguments over a company’s “true intentions”.
Schrems’ analogy: it’s like a gun law that only applies if the gun owner admits he can handle the gun and intends to shoot – obviously absurd as a regulatory concept.
Weakening ePrivacy protection for data on your device
Today, Article 5(3) ePrivacy protects against remote access to data on your devices (PCs, smartphones, etc.) – based on the Charter right to the confidentiality of communications.
The Commission now wants to add broad “white-listed” exceptions for access to terminal equipment, including “aggregated statistics” and “security purposes”.
Max Schrems finds the wording of the new rule to be extremely permissive and could effectively allow extensive remote scanning or “searches” of user devices,ces as long as they are framed as minimal “security” or “statistics” operations – undermining the current strong protection against device-level snooping.
Opening the door for AI training on EU personal data (Meta, Google, etc.)
Despite clear public resistance (only a tiny minority wants Meta to use their data for AI), the Commission wants to allow Big Tech to train AI on highly personal data, e.g. 15+ years of social-media history.
Schrems’ core argument:
People were told their data is for “connecting” or advertising – now it is fed into opaque AI models, enabling those systems to infer intimate details and manipulate users.
The main beneficiaries are US Big Tech firms building base models from Europeans’ personal data.
The Commission relies on an opt-out approach, but in practice:
Companies often don’t know which specific users’ data are in a training dataset.
Users don’t know which companies are training on their data.
Realistically, people would need to send thousands of opt-outs per year – impossible.
Schrems calls this opt-out a “fig leaf” to cover fundamentally unlawful processing.
On top of training, the proposal would also privilege the “operation” of AI systems as a legal basis – effectively a wildcard: processing that would be illegal under normal GDPR rules becomes legal if it’s done “for AI”. Resulting in an inversion of normal logic: riskier technology (AI) gets lower, not higher, legal standards.
Cutting user rights back to almost zero – driven by German demands
The starting point for this attack on user rights is a debate in Germany about people using GDPR access rights in employment disputes, for example to prove unpaid overtime. The German government chose to label such use as “abuse” and pushed in Brussels for sharp limits on these rights. The Commission has now taken over this line of argument and proposes to restrict the GDPR access right to situations where it is exercised for “data protection purposes” only.
In practice, this would mean that employees could be refused access to their own working-time records in labour disputes. Journalists and researchers could be blocked from using access rights to obtain internal documents and data that are crucial for investigative work. Consumers who want to challenge and correct wrong credit scores in order to obtain better loan conditions could be told that their request is “not a data-protection purpose” and therefore can be rejected.
This approach directly contradicts both CJEU case law and Article 8(2) of the Charter of Fundamental Rights. The Court has repeatedly confirmed that data-subject rights may be exercised for any purpose, including litigation and gathering evidence against a company. As Max Schrems points out, there is no evidence of widespread abuse of GDPR rights by citizens; what we actually see in practice is widespread non-compliance by companies. Cutting back user rights in this situation shifts the balance even further in favour of controllers and demonstrates how detached the Commission has become from the day-to-day reality of users trying to defend themselves.
EFRI’s take: when Big Tech lobbying becomes lawmaking
For EFRI, the message is clear: the Commission has decided that instead of forcing Big Tech and financial intermediaries to finally comply with the GDPR, it is easier to move the goalposts and rewrite the rules in their favour. The result is a quiet but very real redistribution of power – away from citizens, victims, workers and journalists, and towards those who already control the data and the infrastructure. If this package goes through in anything like its current form, it will confirm that well-organised corporate lobbying can systematically erode even the EU’s flagship fundamental-rights legislation. That makes it all the more important for consumer organisations, victim groups and digital-rights advocates to push back – loudly, publicly and with concrete case stories – before the interests of Big Tech are permanently written into EU law.
It's called Corruption.
If this goes through, watch out in a couple of years for ex-commisioners being paid fortunes by large Tech companies as non-executive board members, giving speeches or consulting gigs.
It's the same way as in the US, were people in positions of power doing "favours" today for large companies "by an amazing coincidence" later end up being paid enormous fortunes by those very companies or related companies for "working" 1h/month or similar - at that level the exchange of political favours for money is not done using brown envelopes full of bank notes.
Investigation and Prosecution of Corruption in Europe are a joke whilst Conflict Of Interest legislation is non-existent or riddled with so many giant loopholes that it's actually worse than if it didn't exists as it deceives most people into believing these things are properly legislated for.
We live in a seriously corrupt era in Europe, even in the countries which were traditionally cleaner.
Usually it's corruption, but in this case I think it's even more sinister than that... it's the result of a total and basically irreversible digital dependency which the EU maneuvered itself into, despite warnings of numerous technical experts not to give away full control of your important digital infrastructure to some other country. But they didn't listen because they were constantly scammed by marketing, lobbyists and short-lived tech trends to think that it's surely the best option and there's surely never going to be a problem if you let US-based companies control everything you need in daily personal or business life.
I don't think it's a coincidence that this comes after the US removed/disabled all US company based accounts (E-mail, Paypal, Creditcard, international banking, ...) of one EU judge whose ruling heavily disfavored US big tech companies. (See: https://www.heise.de/en/news/How-a-French-judge-was-digitally-cut-off-by-the-USA-11087561.html) I think this was the main trigger for the EU why this "digital omnibus" now exists - to appease the US-based companies and, by extension, the current US regime. Because otherwise quite a lot of EU businesses and individuals could and would be teleported back to the digital '90s, simply because they chose to give away all of their digital sovereignty - because it seemed cool to do so, and because most others did so too.
The US has demonstrated the world who's the boss in the digital realm, and everyone who doesn't fall in line will be threatened with the deactivation or removal of all "important" US-based accounts. This maybe couldn't have happened before due to friendlier administrations and the rule of law and contracts, but now with the current regime which doesn't have to care anymore about past alliances or laws or regulations or contracts, there's really not much that would stop them from doing whatever they (or the US companies) want. And while everyone is watching the US slide into a fascist authoritarianism, what people forget about is how dependent their own lives and also businesses still are on US-based companies. This will be, or is already, a weapon against whole countries to bully them into compliance with US wishes. And I think the EU is still absolutely the equivalent of a digital colony of the US - and that is fully self-inflicted. Far too many popular mistakes have been made in the past, and now those mistakes are actually having their biggest cumulative effect. Just like with the climate desaster. Which is waiting just in line after we get over this. Buckle up.