Commentary on far-reaching EU plans: The Trojan digital omnibus

Contents

On Wednesday, the EU Commission presented a legislative initiative with which it intends to axe the hard-won digital regulation of recent years in several places. It indirectly wants to restrict civil rights by giving the data-driven economy freer rein.

An opinion by Holger Bleich

Holger Bleich has been writing for c't and heise online since 1999. His focus is on technical topics such as Internet protocols and web hosting. From his studies, the graduate political scientist has retained his interest in the legal and cultural aspects of Internet use and Internet policy.

The harmless and cute-sounding "Digital Omnibus" will contribute to reducing bureaucracy as a directly applicable amendment regulation and simplify EU legal provisions, it was assured. For explanation: Legislators choose the omnibus procedure when they want to amend several existing laws in one go without much resistance. In this specific case, it concerns several regulations of digital regulation that are to be tinkered with, including the Data Act, the AI Regulation, and above all the General Data Protection Regulation (GDPR).

"Incomprehensible ruling" as justification

The EU Commission claims that for the most part, it is merely codifying the prevailing legal opinion. As an example, it cites the proposed Art. 88c, which is to be inserted into the GDPR. According to this, AI providers will in future be allowed to invoke the legal basis of "legitimate interest" when using personal data for training their models. Consent (opt-in) would then not be required, only an active objection would be possible (opt-out). A new legal basis even allows the inclusion of sensitive data categories such as health data, provided the providers implement some protective mechanisms.

The European Data Protection Board took a stance on this issue in December 2024 on this issue and indeed stated that in certain scenarios for AI training with personal data, the consent of the data subjects is not required. Furthermore, there is a ruling by the Cologne Higher Regional Court in summary proceedings (!), according to which Meta does not require consent for the scraping of user data for AI training. Many German state data protection authorities still see it differently. The Federal Data Protection Commissioner Louisa Specht-Riemenschneider even called the Cologne ruling "incomprehensible" and "incorrect".

Nevertheless, the EU Commission uses these two legal interpretations to justify why it wants to give AI providers a free pass to massively feed personal data into their AI models. At least there can be no talk of established jurisprudence that needs to be codified. The Commission could strengthen the fundamental rights of EU citizens by better protecting their data in the GDPR. However, there is apparently no interest in that.

The relaxation is ostensibly intended to make it easier for European AI start-ups to obtain personal data for model training. This is at the express request of Chancellor Friedrich Merz and French President Emmanuel Macron at the sovereignty summit in Berlin this week. But that train has long since left the station. Rather, it would make it even easier for large US tech corporations to further expand their dominance. OpenAI, Meta, Google & Co. would be largely exempt from having to consider the annoying EU data protection.

Pressure from the USA

Which leads to the question: Why does the EU Commission suddenly and incidentally want to relax data protection standards? It was actually planned to thoroughly consider a more comprehensive GDPR reform at the earliest in 2026. Incidentally, with the omnibus, the Commission also announced that the rules of the AI Regulation for high-risk AI systems will come into effect up to 16 months later than planned.

The always well-informed freelance Brussels correspondent Dave Keating has explained in a worthwhile analysis that the digital omnibus could be due to pressure from the USA. It is likely the first result of a "comprehensive attack" that Republicans in the US Congress have "launched against the EU's digital rules." One can assume, without mental gymnastics, that the next target could be the Digital Services Act.

Polished Bus

Since Wednesday, the Commission has been keen to highlight the planned cookie regulations in the foreground of the omnibus innovations. Users will be able to reject tracking cookies with one click in the future. Website operators will have to remember these decisions for six months. Furthermore, it will be possible to automatically signal rejections via browsers, apps, or operating systems. How all this is supposed to work technically is completely unclear. And yet, it is the only thing the EU Commission can offer its citizens as a positive initiative for them – it wants gratitude for solving a problem it created itself.

It almost seems as if the EU Commission wants to polish its rights-eroding omnibus. Doing something about the annoying flood of cookie banners is a "low hanging fruit," a high-ranking commission official recently explained in a background briefing on the omnibus. Yes, citizens will be happy about that! And the media prefer to jump on this good news rather than analyze the complicated GDPR changes, as netzpolitik.org aptly stated. Now it rolls, the cute Trojan omnibus.

(hob)