DIGITAL OMNIBUS: IS SIMPLE ALWAYS BETTER?

Have you got a question?

I. A complex regulatory landscape.

In recent years, the topic of digitalization—and with it, the protection of users’ personal and sensitive data—has simultaneously concerned and preoccupied the European legislator, who has responded by producing a regulatory corpus designed to govern citizens’ digital lives. With the EU General Data Protection Regulation, the Union emphasized the need to identify and safeguard personal data, particularly when sensitive in nature; the Digital Services Act (DSA) and the Digital Markets Act (DMA) have set out rules for digital platforms (first and foremost, the socalled social media) and for major technology companies operating on European soil (the socalled gatekeepers); the Data Act and the Data Governance Act have regulated access to and circulation of data; finally, the AI Act has addressed the delicate issue of artificial intelligence systems and the development of generative AI.

It is within this complex scenario that the Commission’s proposals for Regulations COM(2025) 837 and COM(2025) 836—presented on 19 November 2025 and currently under review by the Council and the European Parliament—find their place, under the more appealing label of the Digital Omnibus.

The objective: to simplify the regulatory framework on digital matters by creating a single structure capable of harmonizing definitions, clarifying terminology, avoiding duplication, and, above all, making compliance easier for companies and public administrations.

The intended recipients: small and mediumsized enterprises, often overburdened by compliance obligations that require continuous audits and a structured management of data collection.

II. Digital simplification or “deregulation”?

In the draft presented by the Commission, the objective of simplification does not appear neutral. The Digital Omnibus does not merely eliminate redundancies, correct inconsistencies, or standardize terminology. Instead, it shifts the perspective from which data protection is conceived—from the user to the infrastructure that processes and manages those same data.

To fully appreciate this change in perspective, one must start from the central role that the GDPR assigns to the individual and the protection of the data relating to them. Under the current regulatory framework, data are considered “personal” if they objectively identify the user (such as IP addresses or technical identifiers like cookies), or if they are capable of identifying them when combined with other information. By virtue of their “personhood,” the user thus has the right to have such data protected. This right is exercised concretely through explicit consent to data processing or, more often, by accepting a temporary reduction of that right (how many times are we asked to accept cookies for commercial purposes simply to access a website?).

The Digital Omnibus draft does not explicitly abolish these principles but reframes them by prioritizing the perspective of the entity managing the infrastructure rather than that of the user.

Put simply, what matters is not only whether a piece of information “is” objectively personal under the current definition, but also what the organization handling the data claims to be able to do with it.

An immediate example is the “like” on a social media post.

A “like” is, in the abstract, an anonymous data point—a simple digital signal that reveals nothing about the user who generated it.

But if the platform declares that it uses that data to associate preferences with a user and personalize content and advertisements, the same data point becomes personal.

Conversely, where no such declaration exists, the data processed by the organization would be considered nonpersonal and therefore not fully protectable.

Within the Digital Omnibus framework, then, data would become “personal” only if the organization declares that it uses them to directly or indirectly identify the user and their individual preferences—potentially diminishing the protections currently afforded to digital users.

A similar mechanism applies to sensitive data. The GDPR situates sensitive data within the sphere of human dignity and personal integrity, imposing enhanced protections on that basis.

The Digital Omnibus draft, however, would instead make such protections depend on the infrastructure’s ability to manage those data properly. The sensitivity no longer lies intrinsically in the data, but becomes proportional to the quality of the process governing them.

Under this new conception of digital rights, the protection of personal and sensitive data shifts from a foundational principle to a variable linked to the functioning of the digital infrastructure. It is not denied, but it is conditioned—first, on what the organization declares about the data; second, on the ability of platforms, administrations, and providers to demonstrate that they have ensured such protection.

For these reasons, rather than a simplification, the Digital Omnibus draft appears to move toward a deregulation of digital rights, whose identification would be “delegated” to the very companies that process them—above all, the big tech firms.

III. Carrot and stick: the Union’s ambiguous stance toward big tech

Last year, the European Union hit U.S. tech giants with massive fines for violations of European digital regulations: €500 million for Apple (also sanctioned by the Italian antitrust authority), €200 million for Meta, €2.95 billion for Google, and finally €120 million for X.

Yet, the deregulatory approach implicit in the Commission’s proposal seems to clash with this inquisitorial posture, raising an important question:

Does the Digital Omnibus truly represent an adjustment to the European regulatory architecture, or is it meant to signal a strategic repositioning of Europe within an increasingly competitive geopolitical landscape?

It is well known that following the hefty fine imposed on X for violating the Digital Services Act (DSA), the Office of the United States Trade Representative (USTR) listed several European companies—including Spotify, Accenture, Amadeus, Mistral, Publicis, and DHL—as potential targets of American retaliation in the ongoing techrelated trade dispute with the Union.

In this context, granting big tech greater leeway within the digital regulatory framework could be interpreted as a step backward for the Union, driven by purely political and economic considerations.

On the other hand, it must not be forgotten that the Digital Omnibus is currently an unconsolidated draft, not an applicable regulation. To become one, it must undergo scrutiny by the Council and the European Parliament, with the possibility of being amended—or even rejected.

Setting geopolitics aside, there is nothing to do but await the progress of the European legislative process. Only then will it be possible to understand whether the Union truly intends to preserve its model of strict regulation or whether, instead, it is prepared to renegotiate the balance of power with big tech in the name of broader political and economic interests.

In the meantime, we return to the question posed in the title of this article:

How many—and which—rights can we sacrifice in the name of simplification?