Privacy advocates assert that the possible effects of the Digital Omnibus package, which consists of the latest EU developments, are going to change the user rights in favor of Big Tech. They believe that the European Union's major data protection policy could lose its strength dramatically after the current proposal of the package gets its approval as the very soonest date is 19th November.

Already within the scope of the possible changes, a heavy debate has come up, and there are numerous groups from the civil society who are alarmed. They claim that the European Commission is hastily changing the very complicated and lengthy negotiations of the original GDPR that have taken years to finish.

The leaked draft shows the direction of the EU's Digital Omnibus package very well. So what is noyb, the Austrian privacy NGO, saying analysis that there are more than one impacting changes to GDPR protection by the leaked draft?

1. Personal data's narrower definition: Such information cannot be directly related to a person, but still it would not be considered personal data if it can be connected with other facts. The above statement implies that pseudonymous identifiers like advertising IDs and cookies, which are used for targeting, would no longer be protected under GDPR, thus erasing the restrictions on tracking and profiling.

2. Diminished rights over data: Access, correction, or deletion of data rights would only be granted for "data protection purposes". An employee, journalist, or consumer may not be able to make use of data requests as part of their dispute or investigation due to this limitation in practice.

3. Sensitive data protections are less effective: Categories such as health condition, political opinion, or sexual orientation will be kept under protection only if the information has been disclosed. This is a very restrictive approach and it runs contrary to the current practice where the European courts grant individuals the benefit of the doubt when it comes to the data that is being collected about them.

4. AI training exemption: A new "legitimate interest" exception would allow companies to use personal data, including some sensitive information, for AI training, provided unspecified safeguards are in place. This means high-risk AI systems could legally process massive amounts of European data, whilst traditional data storage remains tightly regulated.

"One part of the EU Commission seems to try overrunning everyone else in Brussels, disregarding rules on good lawmaking, with potentially terrible results," said Max Schrems, founder of noyb, who has filed numerous GDPR complaints against major tech companies. "It is very concerning to see Trump's lawmaking practices taking hold in Brussels."

The AI Act could be delayed

The EU's landmark AI Act, which entered force earlier this year but won't fully apply until 2026, could face significant delays under the proposed changes.

Reporting by MLex, Reuters, and Financial Times indicates the European Commission is considering:

- An initial year during which companies using high-risk AI systems won't be penalized or required to comply with the regulations
-Delaying the imposition of penalties for breaches of the transparency requirement (e.g., not marking content created by AI) until August 2027
-Permitting companies to self-classify high-risk AI systems as low-risk and to skip the safeguards without informing anyone

That last change is particularly alarming to civil society groups. The amendments would remove the requirement for providers to register self-exempted systems in the EU database – effectively eliminating a hard-fought 2023 compromise that ensured at least minimal transparency.

"The Commission's so-called simplification proposal will let loose unsafe AI systems in the EU that will threaten public safety and fundamental rights," said CAIDP President Merve Hickok. "The current reporting requirements in Article 6 are the bare minimum for AI accountability and transparency."

Cookie consent changes

The long-delayed ePrivacy regulation could be merged into the GDPR under the Digital Omnibus, fundamentally changing how cookie consent works.

Currently, websites must get explicit consent before storing or accessing most cookies – hence those ubiquitous "accept cookies" banners. Under the proposed changes, companies could collect some data without asking first, either for "low-risk" uses or under a "legitimate interest" basis.

This would shift Europe from an opt-in system to something closer to opt-out, where users must actively refuse tracking rather than explicitly allowing it.

The European Commission claims this would reduce banner fatigue and simplify things for users. Privacy experts aren't convinced. Itxaso Domínguez de Olazábal of European Digital Rights (EDRi) warned: "It's not only about cookies. It's about whether platforms, data brokers, and governments get legal permission to look inside your device and your communications."

The rushed timeline

Privacy advocates have criticised the fast-track process. Whilst the original GDPR took years to negotiate through proper consultation, the Digital Omnibus public consultation only concluded in October. According to noyb, some Brussels units had just five working days to review a 180+ page draft.

The Commission hasn't prepared impact assessments, claiming the proposed changes are merely "targeted and technical." Critics strongly disagree.

Robin Berjon, technologist and fellow at the Future of Tech Institute, warned: "We've seen the European Commission be weak on enforcement and hesitant to anger the American authorities, but the omnibus changes go much further. American tech monopolies and intelligence agencies are the biggest beneficiaries of the surveillance economy and these changes strengthen their hand to instead actively sabotage European businesses and national security."

What happens next

The proposal is still being discussed within the Commission and could change before 19th November. Once adopted, it will head to EU governments and the European Parliament for approval, though the rushed process suggests limited opportunity for meaningful amendments.

Why this matters globally

For non-European readers, these modifications are of great importance not only in the EU zone. The General Data Protection Regulation (GDPR) has been a worldwide influencer as to the decision of the data protection laws in other countries such as India and its Digital Personal Data Protection Act. A decline in Europe's data protection standards would mean a great opportunity for other countries to do the same.

Moreover, the proposed AI training exemption could have global implications. If European user data can be freely used for AI training under vague "legitimate interest" grounds, it sets a concerning precedent for how personal data fuels the next generation of AI systems – systems that will be deployed globally, including in India.

The Digital Omnibus is a decisive moment; Will Europe still be the strongest protector of digital privacy in the whole world, or will compliance fatigue combined with industry influence result in a much weaker regulatory framework? The outcome could have a global impact in terms of shaping data protection standards for many years.