EU Commission launches "Digital Package" with "Omnibus"

Contents

According to the Brussels count, this is the seventh so-called simplification package from the European Commission: The Digital Omnibus Law aims to revise the multitude of European digital rules and, where possible and sensible, reduce the number of laws and their regulatory density or strive for simplifications for citizens, administrations, or companies. With today's decision in the College, the European cabinet, the way is cleared for the debate on the proposals at the European level.

"Fundamental rights fully protected"

The Commission's stated goal is better competitiveness. "By reducing bureaucracy, simplifying EU legislation, opening up access to data, and introducing a common European Business Wallet, we are creating space for innovation and its commercialization in Europe," says the responsible Vice-President of the Commission, Henna Virkkunen. "This is done in a European way: by ensuring that users' fundamental rights remain fully protected." However, there are justified doubts about this.

While simplifications such as the consolidation of Open Data Regulation, Free Flow-of-non-Personal-Data-Framework-Regulation, Data Governance Act, and Data Act into a common Data Act are likely to cause less discussion, the plans to revise data protection rules are particularly extensive. Changes to the AI Regulation have also been initiated, partly related to this: In addition to some detailed regulatory changes, the EU Commission primarily wants to postpone the application of a significant part of the provisions for "general-purpose models" such as ChatGPT, Gemini, Grok, or DeepSeek by more than a year. Furthermore, the exceptions for small and medium-sized enterprises, according to the EU definitions, are to be expanded.

End of cookie banners still uncertain

Changes have occurred compared to leaks that have already become known and announcements, most recently regarding the formulations that concern the abolition of the E-Privacy Directive and its partial transfer into the General Data Protection Regulation. While the EU Commission believes this heralds the end of the universally hated cookie banners, the proposed regulations in the Omnibus Law itself remain enigmatic even for absolute experts. The Federation of the German Digital Economy (BVDW), for example, sees new complexity rather than simplification emerging here. "Furthermore, the Commission does not sufficiently consider practical and technical realities," says BVDW President Dirk Freytag.

IT industry welcomes the direction

From the IT industry associations, the package presented today is otherwise welcomed in its direction. At the same time, however, criticism is also voiced that the Commission could have made even more far-reaching proposals. The Association of the Automotive Industry (VDA), which is increasingly affected by data regulation, also welcomes the initiative. Its members are likely to benefit primarily from simplifications regarding data without personal reference and the planned centralized reporting of security incidents across legal acts. VDA President Hildegard Müller emphasizes: "The EU Commission must ensure when amending the GDPR that its application becomes more transparent and manageable for companies without lowering the data protection standard." Digitalization would only succeed if legal requirements were structured and practical, and at the same time, a responsible handling of personal data is guaranteed, according to the VDA President.

The Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband) expresses itself much more critically: "Instead of dismantling consumer protection and fundamental rights under the guise of deregulation, the EU must ensure clear rules and at the same time maintain the existing level of protection," says board member Ramona Pop. The data protection activist Max Schrems, feared in Brussels, goes a step further: "This is the biggest attack on Europeans' digital rights in years. When the Commission states that it 'upholds the highest standards,' that is simply false." For example, the now proposed Article 88c of the General Data Protection Regulation will raise some questions: It would declare the processing of personal data by the operator for AI training and operation as regularly covered by the so-called legitimate interest.

European Parliament likely to have the greatest need for discussion

Some European parliamentarians have already registered a need for discussion on the draft in advance. In the run-up to the Omnibus publication, they voiced criticisms of some of the EU Commission's proposals, which, while varied in emphasis, were nevertheless clear. However, since not only the member states member states but also the European Parliament must approve the initiative, some of the controversial points could undergo changes or even deletions during the upcoming negotiations. Because only when both the Council of Member States with a qualified majority and the majority of European parliamentarians approve the regulations will the changes become law.

EU Business Wallet to come by 2029

Quite differently far-reaching is another proposal from the Commission in today's digital package, which could bring massive impacts and perhaps also hoped-for savings for companies in the medium term: Alongside the digital EU identity for citizens (EUID), the "European Business Wallet" is now to be introduced – a kind of identification document for legal entities, which should enable simple identity verification in digital business transactions and in interactions with authorities. For this purpose, the regulation on digital identities of the EU is to be adapted.

(olb)