The Digital Omnibus was supposed to make European Union data law simpler, clearer, and less allergic to reality. Instead, the Council of the European Union appears to be turning it into something more familiar: a reform that trims the statute, fattens the recitals, and hands more interpretive power to the same regulators whose maximalist readings made reform necessary in the first place.
In March, the International Center for Law & Economics (ICLE) submitted comments to the European Commission on the General Data Protection Regulation (GDPR) and ePrivacy provisions of the Digital Omnibus. The GDPR is the European Union’s main privacy law. The ePrivacy rules govern confidentiality of communications and device-access rules, including the cookie-consent regime that has trained a continent to click “accept” while learning nothing substantial.
We made four core arguments.
First, policymakers should adopt the proposed entity-relative clarification of the personal-data definition—that is, they should ask whether the particular organization holding the data can realistically identify someone, not whether someone, somewhere, with some imagined tool, might be able to do so.
Second, the package’s artificial-intelligence (AI) provisions represented a necessary legislative settlement of questions that the European Data Protection Board (EDPB), the EU body that coordinates national privacy regulators, had deliberately left unresolved.
Third, the proposed cookie-consent reforms pointed in the right direction, but did not go far enough.
Finally, the package’s greatest weakness was its silence on enforcement architecture. Without institutional reform, we argued, the same authorities that had interpreted the GDPR into a “law of everything” would read the new exemptions just as narrowly.
Three months later, the two sister components of the Digital Omnibus have diverged sharply. The AI Omnibus (COM(2025) 836) reached a provisional trilogue agreement on May 7. A trilogue is the closed-door negotiation among the Commission, Parliament, and Council that often determines the final shape of EU legislation. The Data Omnibus (COM(2025) 837)—which contains the GDPR and ePrivacy reforms—remains before the Council, where the Cypriot Presidency has circulated successive compromise texts, most recently on May 21 (Council document 9547/26).
That latest compromise deletes three of the Commission’s four principal GDPR reforms: the entity-relative personal-data test, the relocation of cookie consent into the GDPR, and the legitimate-interest basis for AI processing. It also removes the Commission’s proposed authority to define pseudonymization criteria. Pseudonymization means replacing direct identifiers, such as names, with substitutes, while keeping the possibility of re-identification under controlled conditions.
What remains of those reforms has largely migrated into recitals and EDPB guidance. Recitals are the explanatory passages that accompany EU laws. They can influence interpretation, but they are not the same as binding operative text. At the same time, the compromise expands the EDPB’s own mandate.
The concern at the heart of our March comments—that textual reform without enforcement reform would underperform—now looks almost understated. The Council appears poised to deliver less reform than the Commission proposed, while leaving the EDPB stronger than before.
This post examines how the Council compromise affects each of the issues addressed in our comments, and what it means as the file moves to the European Parliament.
The Referee Takes the Field
Our comments urged adoption of the amended Article 4(1), which would have codified the entity-relative approach to identifiability reflected in EDPS v. SRB and Breyer. We also supported Article 41a, which would have authorized the Commission—after consulting the EDPB—to specify, by implementing act, when pseudonymization places data outside the scope of the GDPR. An implementing act is a legal instrument through which the Commission sets technical or practical rules under authority granted by legislation.
That allocation of authority mattered. We warned against leaving the scope of the law to be defined solely by the body that enforces it.
The Council deleted both provisions.
The entity-relative test disappeared from operative Article 4(1). Its substance survives only in Recital 27a, which states that identifiability “should be assessed by the controller or the processor, considering the actual technical, organisational and legal capabilities” of that controller or processor. In GDPR terms, a controller decides why and how personal data is processed; a processor handles data on the controller’s behalf.
The reference to “actual … capabilities” is welcome. It addresses the recurring tendency to treat purely hypothetical means of identification as legally relevant. But the clarification now appears only in a recital, rather than in binding legal text.
Article 41a fared even worse. The Council eliminated the Commission’s implementing-act authority entirely. Renumbered as Article 29a, the provision now directs the EDPB to issue an opinion on pseudonymization and anonymization within 12 months of the regulation’s entry into force.
Peter Craddock greeted the new Article 29a with a pointed question: “Possibly the most useless legal provision ever proposed?” On our reading, it is worse than useless. A provision originally intended to check the EDPB’s steadily expanding jurisdiction—by giving the Commission authority to define the contours of pseudonymization—now does the opposite. It more explicitly empowers the Board to define the limits of its own jurisdiction. The revised Article 70(1) confirms the point by assigning the Article 29a opinion to the EDPB.
That institutional shift matters because the Commission and the EDPB have not always agreed on how broadly data-protection rules should reach. In EDPS v. SRB, the Commission intervened to push back against a maximalist interpretation of identifiability. Under the Council text, by contrast, the EDPB will determine what qualifies as effective pseudonymization.
This is the same body that interpreted Article 5(3) of the ePrivacy Directive so broadly that URL parameters and ordinary browser transmissions became consent-triggering forms of “access.” Expecting a notably pragmatic approach to pseudonymization would be optimistic.
Of the two deletions, the loss of Article 41a matters more in practice. The Article 4(1) amendment was symbolically important, and we continue to believe it should be restored. Standing alone, though, it might not have changed an enforcement culture resistant to the idea that “personal data” has meaningful limits.
Article 41a addressed the institutional problem directly by vesting interpretive authority in a body other than the EDPB. That is precisely why the EDPB and the European Data Protection Supervisor (EDPS), the EU’s independent data-protection authority for EU institutions, called for its deletion in their February joint opinion. It is unfortunate that the member states chose to follow that advice.
The Deal That Unmade Itself
We recommended adopting both Article 88c, which would have created a legitimate-interest basis for AI development and operation, and Article 9(2)(k), which would have created a derogation for special-category data that appears incidentally in AI training. “Legitimate interest” is one of the GDPR’s lawful bases for processing personal data. Special-category data includes especially sensitive information, such as data revealing health, race, ethnicity, political opinions, religious beliefs, biometric identifiers, or sexual orientation.
Article 88c has disappeared from the operative text, but much of its substance survives in Recital 33a. Most of the Commission’s language remains, albeit with important changes. Processing that the Commission said “may be pursued for” legitimate interests now merely “may be regarded as” carried out for a legitimate interest. The unconditional right to object—the central safeguard, which we described in March as stronger than the ordinary Article 21(1) standard—has been deleted, along with the enhanced-transparency requirement. The Council also added a caveat stating that the recital “does not affect the obligation … to choose the most appropriate lawful ground.”
The result is a return to the ordinary Article 6(1)(f) balancing test, with EDPB Opinion 28/2024 serving as the de facto framework. That opinion was notable for what it did not resolve, leaving broad discretion to enforcement authorities. Both sides of the Commission’s original bargain have therefore disappeared: the clearer legal basis that AI developers were supposed to receive, and the unconditional objection right that data subjects—the people whose data is processed—were supposed to receive in return.
To be fair, the distinction between operative text and a recital may matter less in practice than the attitude of the authorities enforcing it. A supervisory authority determined to reach a particular result can often interpret around either one. But that observation supports, rather than undermines, the point we made in our comments: institutional incentives matter at least as much as statutory language.
Article 9(2)(k) survived, albeit in narrowed form.
The Council added the qualifier “incidental and residual,” and moved the accompanying conditions into a new Article 9(5). Controllers must take measures to avoid collecting special-category data; erase such data once identified; and, where erasure is impossible or manifestly disproportionate—for example, because the information has been memorized by a model—protect it against further processing, inference, or disclosure. They must also document the process. The provision expressly excludes data collected through prompts during deployment.
Even in this narrower form, Article 9(2)(k) remains useful. Web-scale AI training makes the incidental collection of sensitive data effectively unavoidable. The provision answers a question that legislators can no longer sidestep. Indeed, it may be the only significant AI-related GDPR reform still standing in the package.
The AI Omnibus, meanwhile, is essentially finished.
The agreed text extends the bias-detection carveout—formerly Article 10(5) of the AI Act, and now a standalone Article 4a—beyond providers of high-risk systems to deployers and to non-high-risk AI systems and models. In AI Act terms, providers develop or place AI systems on the market, while deployers use them. The carveout preserves the “strictly necessary” threshold and the existing safeguards. It operates through Article 9(2)(g) GDPR; the AI Act supplies the required basis in EU law, while Article 4a supplies the accompanying safeguards.
The agreement also postpones the compliance dates for high-risk systems, moving Annex III obligations to Dec. 2, 2027, and product-embedded AI obligations to Aug. 2, 2028. At the same time, it accelerates the Article 50 watermarking requirements to Dec. 2 of this year and adds a new Article 5 prohibition on AI-generated child sexual-abuse material and non-consensual intimate imagery.
Taken together, the two files produce a striking asymmetry. The deliberate use of sensitive data for bias detection—the relatively uncommon case—now rests on firm legislative ground. The incidental presence of sensitive data in training datasets—the ubiquitous case—remains trapped in a contested file, within a provision the Council has already narrowed.
Meet the New Cookie Rules, Same as the Old Cookie Rules
On ePrivacy, we were blunt in March. The Commission’s proposal was the weakest part of the package. It created a two-track regime, moving personal-data-related device access into a new Article 88a of the GDPR while leaving non-personal data under Article 5(3) of the ePrivacy Directive. Its analytics exemption was too narrow to cover standard third-party analytics services, and it omitted several low-risk exemptions that should have been obvious candidates, including fraud prevention, advertising measurement, frequency capping, and contextual advertising.
The Council solved the two-regime problem by abandoning the reform altogether.
Article 88a is gone. Device access remains governed by Article 5(3) of the ePrivacy Directive, albeit in revised form. That means seven years of expansive EDPB interpretations of Article 5(3)—covering everything from cookies and tracking pixels to URL parameters—remain the starting point. Whatever the revised exemptions ultimately say, the EDPB will continue to play a decisive role in determining how broadly or narrowly they are interpreted.
The revised exemptions move toward some of the reforms we recommended, only to hedge them so heavily that they risk becoming ineffective in practice.
The audience-measurement exemption now permits analytics conducted “by a third party acting on the provider’s behalf.” That directly addresses the analytics problem we identified and could help resolve the long-running Google Analytics disputes. But the exemption applies only if the data remains anonymous and aggregated, and is neither combined with other data nor shared.
Fraud prevention now appears within the security exemption, but the drafting limits it to protecting the “security of the interface.” As Craddock observed, fraud prevention typically aims to protect the broader service from fraudulent users, rather than the interface itself. Under the current text, “in most cases, fraudsters will then need to give their consent before anything can be done against them.”
The contextual-advertising exemption fared even worse. It appeared in the February compromise text but disappeared by May, even though the joint opinion of the EDPB and EDPS had itself recommended exempting contextual advertising. Contextual advertising targets ads based on the content a user is viewing, rather than by tracking that user across sites and services.
The browser-signals provision survives. Renumbered as Article 88a, it now applies to operating-system providers as well as browsers. The provision also includes a one-click refusal mechanism, a six-month cooling-off period following refusal, and a 24-month transition period. National GDPR supervisory authorities would serve as ePrivacy enforcers.
The comparison we drew with the United Kingdom has, if anything, become sharper.
The cookie provisions of the Data (Use and Access) Act 2025 took effect Feb. 5. Rather than relying on a single “strictly necessary” exemption, the law creates five exemptions, including an analytics exemption that expressly permits third-party providers acting as processors under an opt-out model. It also authorizes the secretary of state to create additional exemptions through secondary legislation.
Last month, the Information Commissioner’s Office (ICO), the United Kingdom’s data-protection regulator, went further, formally advising the government to remove low-risk advertising activities from consent requirements altogether. The ICO proposed a “first-party framework” covering ad delivery, measurement, frequency capping, brand safety, and ad-fraud prevention, while retaining consent requirements for cross-service tracking and profiling. The proposal was evidence-based, supported by cost analysis, and tested through citizen juries.
The ICO now also operates under a statutory duty to balance privacy concerns against innovation, competition, and crime prevention. We do not endorse every conclusion the ICO reached. One could argue that the cleaner solution is simply to repeal the cookie-consent rule and allow the GDPR’s risk-based framework to govern device access. Even so, the contrast between the British and European approaches is stark.
Our recommendation therefore remains unchanged. The best solution is to repeal Article 5(3) of the ePrivacy Directive and allow the GDPR to govern device access without a parallel consent regime. Short of that, the European Parliament should at least detach the fraud-prevention exemption from the concept of “interface” security, remove the restrictions that make the analytics exemption largely unusable, and restore the contextual-advertising exemption.
The Changes You Might Have Missed
The compromise also reshaped three quieter corners of the file. Two concern provisions that our March comments did not address in detail. All three, however, follow a familiar pattern: legislative reforms survive, but key questions about their scope are increasingly delegated to the EDPB.
The EDPB Defines Science
The compromise retains the new GDPR definition of “scientific research” in Article 4(38), but in a form largely rewritten to the EDPB’s specifications. Research must now be “conducted in an autonomous and independent manner,” follow recognized methodological standards, and produce “verifiable and transparent results.”
The Commission’s original language acknowledging that research may support innovation and commercial objectives has been removed from the operative text and relocated to Recital 28. At the same time, the EDPB has published Guidelines 1/2026 on scientific research, currently open for public consultation, which seek to define the concept through guidance.
The result is familiar. The legislation preserves a broader category, but much of the practical work of deciding who qualifies for it will occur through EDPB interpretation.
Yes, But Only If You Don’t Use It
The Commission proposed, and the Council retained, a new Article 9(2)(l) allowing biometric verification when both the biometric data and the means of verification remain under the data subject’s sole control. Biometric verification confirms that a person is who they claim to be by comparing a live biometric sample—such as a face or fingerprint—to a stored template.
The Council added one further limitation: the verification must be “one-to-one,” meaning the system compares a user against a single stored biometric template rather than searching a larger database.
The more significant constraint may lie in Recital 34. As revised by the Council, the recital instructs controllers to prioritize authentication methods that do not use biometric data and to select the “less intrusive” option whenever two methods are equally effective.
That language comes directly from EDPB Opinion 11/2024 on facial recognition at airports. Notably, the opinion rejected biometric verification even where travelers had a genuine choice among authentication methods. The operative rule therefore creates a new permission, while the accompanying recital imports reasoning that could substantially limit its practical use.
The Algorithm Still Says No
The Council retained the Commission’s broader rewrite of Article 22 on automated decision-making, but reverted to the familiar “right not to be subject” formulation. In plain English, Article 22 governs when consequential decisions—such as some credit, employment, or eligibility decisions—may be made solely by automated systems without meaningful human involvement.
By returning to the “right not to be subject” language, the Council preserved the prohibition-in-principle approach endorsed by the Court of Justice of the European Union (CJEU) in SCHUFA.
The Commission’s most useful clarification did not survive in operative text. Its proposal would have made clear that a decision can be “necessary” for the performance of a contract even when a human could theoretically have made the same decision. That clarification now appears only in Recital 38.
Meanwhile, the revised Article 70(1) assigns the EDPB responsibility for specifying the criteria governing Article 22 profiling decisions.
Once again, the pattern is hard to miss. The legislation settles some questions, moves others into recitals, and leaves the EDPB with a larger role in determining how the final framework will operate in practice.
The Board Wins
In our March comments, we argued that the Digital Omnibus was fundamentally incomplete. The same authorities whose interpretations helped create the current dysfunction would remain responsible for interpreting whatever reforms the legislature enacted. The package contained no mechanism to discipline that process.
The Council compromise has done more than validate that concern. It has expanded the EDPB’s formal authority in the very same text that removes many of the Commission’s proposed legislative settlements.
Recital 40a instructs national supervisory authorities to ensure that national guidance on matters covered by EDPB guidelines “does not contradict” the Board’s positions. Nothing comparable appeared in the Commission’s proposal. The result is a new form of vertical lock-in, giving EDPB interpretations greater influence over national enforcement.
The revised Article 70(1) likewise expands the Board’s role. The EDPB is now tasked with developing guidelines that specify the criteria for Article 22 profiling decisions and Article 32 security measures. It will issue the Article 29a opinion on pseudonymization and anonymization. It will also gain authority to establish data-protection-impact-assessment (DPIA) and breach-notification lists directly, rather than merely proposing them to the Commission. A DPIA is a risk assessment that organizations must sometimes conduct before engaging in higher-risk data processing.
Viewed together, these changes raise an obvious question: where do the substantive issues that the Commission originally sought to settle now reside?

In other words, many of the questions that the Commission attempted to answer through legislation have been returned to the EDPB, either directly or indirectly.
Accountability remains limited.
In WhatsApp Ireland v. EDPB, the Grand Chamber confirmed in February that the Board’s binding decisions under Article 65 may be challenged before the EU courts. That is a genuine improvement. But it applies only to the relatively rare instances in which the EDPB issues formally binding decisions.
The situation is different for the guidelines and opinions that do most of the practical work of shaping enforcement. In Meta v. EDPB, the General Court dismissed a challenge to the Board’s consent-or-pay opinion because an EDPB opinion “does not produce binding legal effects.” The appeal remains pending.
That distinction matters because the Omnibus’ substantive compromises have increasingly migrated into precisely those instruments—guidelines, opinions, and interpretive documents—that courts generally will not review.
That development makes every element of the structural reform agenda outlined in our March comments more urgent. Mandatory proportionality assessments for EDPB outputs, an independent multidisciplinary review mechanism, and a clearer standard for judicial review all matter more after the Council’s compromise than they did before.
Parliament’s Last Chance to Legislate
The Council may reach a general approach this month, before Cyprus hands the presidency to Ireland on July 1. In the European Parliament, responsibility is shared between the Committee on Industry, Research and Energy, led by rapporteur Aura Salla of the European People’s Party, and the Committee on Civil Liberties, Justice and Home Affairs, led by rapporteur Marina Kaljurand of the Socialists and Democrats.
Kaljurand has been openly skeptical. At the committee’s January hearing, she warned that allowing AI systems to process sensitive data for bias detection would mean the “technological neutrality of the GDPR will no longer exist.” The Socialists and Democrats group has likewise rejected what it calls “unacceptable deregulation and weakening of the EU’s digital rules,” while groups to the right of the European People’s Party have pressed for the package to go further. As of this writing, the committees had yet to settle their working arrangements, and adoption realistically appears likely to slip into 2027.
The open question is whether Parliament will restore any of the Commission’s reforms to binding text.
For Parliament—and for member states still negotiating the general approach—our recommendations follow directly from the analysis above:
- Restore the entity-relative test to operative Article 4(1). Recital 27a’s “actual technical, organisational and legal capabilities” language belongs in binding text.
- Restore the Commission’s implementing-act authority over pseudonymization criteria. Article 29a, in its current form, should be deleted. It asks the body whose jurisdiction is at issue to define the limits of that jurisdiction.
- Restore Article 88c as an operative legal basis for AI development and deployment, together with the unconditional right to object that the Council removed. Retain Article 9(2)(k), even in its narrowed “incidental and residual” form.
- Keep Article 9(2)(l), but rewrite Recital 34. A permission in operative text should not be paired with a recital instructing authorities to disfavor the very processing the permission allows.
- On ePrivacy, repeal Article 5(3) without replacement and let the GDPR govern device access. Short of that, detach fraud prevention from the “security of the interface,” remove the restrictions that make the analytics exemption impractical, and restore the contextual-advertising exemption.
- Delete Recital 40a and reverse the Article 70(1) mandate expansion. A reform prompted by the costs of unaccountable interpretive power should not end by enlarging it.
- Take up enforcement reform. The structural agenda of our March comments—separating investigation from adjudication, creating multidisciplinary review of consequential decisions, requiring mandatory balancing of all affected rights and interests, and enabling review of EDPB quasi-legislation—is still missing from the Digital Omnibus.
The Digital Omnibus began as a promise to make EU data law more proportionate, predictable, and compatible with European competitiveness. Six months in, the Council’s answer is a text that keeps the procedural trimmings, moves the substance into recitals and EDPB opinions, and strengthens the very institution whose interpretive practice made reform necessary in the first place.
Parliament now has a chance to prove that EU data-protection law is still made by legislators, not outsourced to the referee.
The post EU Digital Omnibus Hands the Wheel to the Referee appeared first on Truth on the Market.

