Summary
The EU Commission presented a digital omnibus law in December 2025 to simplify data rules and AI regulation. The European Parliament reacted skeptically and warned of a deregulation initiative favoring Big Tech companies. Key points of criticism are the redefinition of personal data, self-classification privileges for AI firms, and lack of legal certainty in the draft.
People
- Renate Nikolay – Deputy Director-General DG Connect
- Michael McNamara – AI Act Rapporteur (Renew)
- Birgit Sippel – S&D Group
- Marina Kaljurand – Vice Chair Internal Market Committee
- Axel Voss – EPP Group
Topics
- Digital regulation and deregulation
- Data protection and GDPR reform
- AI regulation and AI Act
- Data transparency and pseudonymization
- Competitiveness of European companies
Detailed Summary
The EU Commission wants to consolidate four regulations with its digital omnibus law: the regulation on the free movement of non-personal data, the Open Data Directive, the Data Governance Act, and the Data Act. Additionally, scattered data breach notification requirements are to be centralized to provide companies with a single point of contact.
The Commission justifies its initiative with simplification and increased competitiveness of European companies. Renate Nikolay emphasized that the central goals lie in regulatory harmonization and economic strengthening.
Parliament, however, sees in the package a "deregulation initiative." Irish rapporteur Michael McNamara noted that the Commission drafts "article by article reflect proposals from major Big Tech firms."
Parliamentarians express particular concerns about the redefinition of personal data. Pseudonymized data could in future be passed on to third parties if re-identification is ruled out. The Commission wants to determine itself in implementing decisions which pseudonymization is "safe."
Birgit Sippel criticized the self-classification right for AI firms as "High Risk." Marina Kaljurand questioned the planned data processing privileges for AI companies and scrutinized their security guarantees.
Axel Voss acknowledged the intention to bring together GDPR and AI Act but warned of legal uncertainty and time pressure in implementation.
Key Messages
- Omnibus package aims to consolidate four data protection regulations, but criticized as deregulation initiative
- Pseudonymization rules are relaxed; Commission gains definitional authority without parliamentary oversight
- AI firm privileges enable data use of sensitive categories with questionable security guarantees
- Self-classification right allows AI companies to assess their own risk profile
- Parliamentary resistance unites Pirates, Greens, Social Democrats and conservative groups
- Legal certainty endangered by mixing GDPR and AI Act without clear demarcation
Stakeholders & Affected Parties
| Actor | Position |
|---|---|
| EU Commission | Proponent: Simplification and competitiveness |
| Big Tech companies | Beneficiaries: Relaxed data rules and self-regulation |
| Data protectors & Greens | Opponents: Fear erosion of protection standards |
| Small/medium enterprises | Ambivalent: Simplification positive, but monopolistic risks |
| Citizens & consumers | Losers: Weaker data protection guarantees and control rights |
| European industry | Mixed: Better starting conditions vs. tech dominance |
Opportunities & Risks
| Opportunities | Risks |
|---|---|
| Simplified compliance for companies through centralized notification requirements | Data protection erosion through redefinition of personal data |
| Faster AI innovation and European competitiveness | Self-regulation instead of external oversight for AI firms |
| Transparency through centralized data breach notification centers | Big Tech lobbying victory – drafts follow tech firms' wishes |
| More open data markets for new business models | Pseudonymization loopholes enabling indirect re-identification |
| Legal uncertainty through mixing GDPR and AI Act |
Actionable Relevance
For Parliamentarians:
- Prepare detailed group statements; substantiate criticism
- Place implementing decisions (pseudonymization) under parliamentary control
- Review AI firms' self-classification right and potentially demand external auditing
For Companies:
- Keep compliance requirements current; consider transition phases
- Establish data protection governance proactively, don't rely on minimum standards
For Data Protectors:
- Mobilize publicly against definitional blank checks
- Use conservative EPP groups as coalition partners
Quality Assurance & Fact-Checking
- [x] Central statements and quotes verified
- [x] People and positions validated
- [x] Regulations (GDPR, AI Act, Data Act) correctly named
- [ ] Detailed text changes in Commission drafts requiring verification ⚠️
Additional Research
- Heise Online Original Source – Current EU digital policy
- EU Commission: DG Connect – Official omnibus documentation and legislative drafts
- European Parliament: Internal Market Committee (ITRE) – Parliamentary statements and votes
- Data protection activists (NOYB, EDRi) – Critical analysis of pseudonymization rules
Bibliography
Primary Source:
Ermert, Monika (2025): Digital "Omnibus": European Parliament Brakes Commission Plans for Data and AI – https://www.heise.de/news/Digitaler-Omnibus-Europa-Parlament-bremst-Kommissionsplaene-fuer-Daten-und-KI-11156161.html
Supplementary Sources:
- European Commission – DG Connect: Digital Omnibus Package (December 2025)
- European Parliament – Internal Market Committee (ITRE): Committee Meeting on Digitalization and AI
- Max Planck Institute – GDPR & AI Act Interactions (Research Paper)
Verification Status: ✓ Facts checked on 2025-01-14
Footer (Transparency Notice)
This text was created with support from Claude.
Editorial responsibility: clarus.news | Fact-checking: 2025-01-14
Original source: Heise Online (Monika Ermert)