The EU Is Quietly Dismantling Its Own Privacy Laws — and Big Tech Wrote the Playbook

The GDPR was supposed to be the gold standard. The AI Act was meant to be the world’s first comprehensive regulation of artificial intelligence. For years, the EU positioned itself as the global leader in digital rights — the one place where governments told Big Tech what the rules were, not the other way around.

That era may be ending. The European Commission’s “Digital Omnibus” — a package of proposed changes to the GDPR, AI Act, and ePrivacy rules — would gut key protections under the banner of “simplification.” And a Corporate Europe Observatory investigation has documented, article by article, how Big Tech lobbying shaped nearly every major change.

What the Digital Omnibus Changes

Your Data Becomes AI Training Material

The most alarming change: a new GDPR Article 88c would let companies process your personal data for AI development as a “legitimate interest” — without your explicit consent. This flips the current model from opt-in to opt-out for one of the most invasive forms of data processing that exists.

The Commission also wants to expand exceptions for processing sensitive data categories — your sexuality, political beliefs, ethnicity, health information — for AI training. The current GDPR restricts this to narrow, specific circumstances. The Omnibus would allow it for any AI system, not just high-risk ones.

This isn’t hypothetical harm. Denmark’s government deployed an AI fraud-detection system that disproportionately targeted people with migrant backgrounds and non-traditional households. In Hungary, facial recognition technology was used to surveil Pride marches. These are exactly the systems that need more oversight, not less.

Pseudonymised Data Gets a Free Pass

The Omnibus modifies the GDPR’s definition of personal data (Article 4(1)) so that pseudonymised data is no longer considered personal data when the specific company holding it “cannot identify the natural person.” This sounds reasonable until you realise it means a company can strip your name, claim they can’t re-identify you, and then process your data without any GDPR protections — even if other parties (data brokers, advertisers, governments) easily could.

DigitalEurope, the industry association representing Google, Microsoft, Meta, and Amazon, lobbied for exactly this change. The Commission delivered it almost verbatim.

Your Right to Access Your Data Gets Weaker

Under the Omnibus, companies could refuse your data access requests if they require “disproportionate effort” — a term the Omnibus doesn’t define. They could also label repeated requests as potential “abuse.” Google lobbied the German government specifically for these exemptions to Articles 15-22, and the Commission adopted them.

This matters because access requests are how people discover what companies know about them. Investigative journalists, privacy researchers, and ordinary people have used GDPR access requests to expose hidden data collection. Making it easier for companies to refuse these requests shields exactly the practices the GDPR was meant to expose.

The AI Act Gets Gutted Before It’s Even Enforced

The AI Act hasn’t fully taken effect yet, and the Omnibus already proposes:

  • Deleting mandatory registration of high-risk AI systems, eliminating the public databases that would let people know which AI systems operate in their country
  • Delaying high-risk requirements by roughly 18 months, letting companies market potentially dangerous systems without safeguards
  • Allowing self-certification, so companies can decide for themselves whether their AI system is safe enough to deploy
  • Removing transparency requirements for publishing high-risk system assessments on EU databases

The industry lobby group Dot Europe argued that companies providing “concrete justifications” should be exempt from registration. The Commission didn’t just agree — it deleted the registration requirement entirely.

The Omnibus proposes moving ePrivacy Directive rules on device access into the GDPR framework, with broad new exceptions allowing tracking without prior consent for “first-party audience measurement, ad frequency capping, and anti-fraud measures.” Google lobbied for this specific language.

A proposed “privacy signal” mechanism — where browsers could communicate consent preferences — sounds positive, but it wouldn’t take effect for two years and would exclude many media sites.

Follow the Money

The scale of lobbying behind these changes is staggering. Digital industry spending on EU lobbying hit a record €151 million, up 33.6% from €113 million just two years earlier. Amazon alone spent €7 million in a single year.

The Corporate Europe Observatory tracked the lobbying pipeline in detail. Industry associations like DigitalEurope, CCIA, and ITI submitted position papers to the Commission, and the final Omnibus text mirrors their requests with remarkable precision — from the pseudonymised data carve-out to the AI training exceptions to the access request limitations.

Meta’s political strategy has also shifted. The company increased meetings with far-right MEPs from just one during the previous parliamentary term to 38 meetings with members of the ECR, Patriots, and Europe of Sovereign Nations groups. Google France’s head of public affairs attended a dinner hosted by six Rassemblement National MEPs shortly after the Digital Omnibus was announced.

The Fight Back

Civil society organisations aren’t going quietly. Amnesty International, the European Digital Rights network (EDRi), and dozens of other groups have pushed back hard. In April, the European Parliament voted to maintain registration requirements for high-risk AI systems — a partial win that shows the Omnibus isn’t a done deal.

The European Council has also pushed back on some of the most harmful AI provisions. Negotiations between the Parliament, Council, and Commission will determine the final text.

But the process itself is concerning. The Commission used expedited legislative procedures that limited civil society input while giving industry players privileged access. EDRi described it as “a massive reopening of the EU’s core digital protections” that “risks dismantling the very foundation of human rights and tech policy in the EU.”

Why This Matters

If you chose a European cloud provider, encrypted email service, or privacy-focused platform partly because of the GDPR’s protections, the Digital Omnibus threatens the legal framework those services rely on.

Swiss privacy law — which operates independently of the EU — isn’t affected by these changes. Switzerland’s Federal Act on Data Protection (nFADP) maintains strong consent requirements, purpose limitation, and individual rights without the Omnibus carve-outs for AI training or pseudonymised data.

But for the hundreds of millions of people whose data is processed under EU jurisdiction, the stakes are real. Weakening the GDPR doesn’t just affect Europeans — it affects anyone whose data touches EU-regulated systems. And when the world’s strongest privacy framework gets rolled back at the request of the companies it was designed to regulate, it sends a signal to every other jurisdiction considering similar protections.

The GDPR set the global standard because it prioritised people’s rights over corporate convenience. If the Digital Omnibus passes in its current form, that standard disappears — replaced by a framework designed by the companies it was supposed to constrain.

What You Can Do

  • Contact your MEP. The European Parliament has already pushed back on parts of the Omnibus. Pressure from constituents matters — tell your representative that GDPR protections shouldn’t be weakened to feed AI models.
  • Support digital rights organisations. Groups like EDRi, Amnesty Tech, and Access Now are fighting the Omnibus in Brussels. They need public backing.
  • Choose services outside EU-weakened jurisdiction. Swiss-hosted services operate under data protection law that isn’t being rewritten by Big Tech lobbyists. If the legal protections around your data matter to you, jurisdiction matters.
  • Exercise your rights while you still can. File GDPR access requests. Find out what companies know about you. The Omnibus would make these requests easier to refuse — use them now.
