The GDPR is today considered the world’s strongest data protection law. It regulates how individuals (and now, increasingly, algorithms) access and use personal data and draws boundaries between what organisations and businesses can and cannot do with our personal data. To date, GDPR has impacted privacy laws in over 100 countries across the world, and is a key example of the so-called ‘Brussels effect’.
The Regulation closely follows principles from the Charter of Fundamental Rights of the European Union. Key references include Article 7 on the right to private and family life, and Article 8 on the protection of personal data.
From gold standard to growing pressure
While the Regulation faced criticism for the perceived risk of its enforcement hampering innovation, it has increasingly been regarded globally as the ‘gold standard’ for data protection in a digitising society.
However, recent policy shifts, responding to growing global pressures to increase competitiveness and re-position Europe to maintain a relevant role on the global stage, have planted the seeds for a review of the protections provided by the GDPR and, more generally, of the assumptions informing EU policy making on the digital ecosystem.
What is the Digital Omnibus proposal?
On 19 November 2025, the European Commission introduced the Digital Omnibus proposal. Its stated aim is to simplify, harmonise, and streamline digital policy across the EU — and to strengthen Europe’s innovation capabilities.
The proposal reaffirms the importance of protecting citizens’ personal data. At the same time, it challenges some of GDPR’s founding principles. This has sparked polarised reactions across the digital ecosystem, from businesses to civil society.
The provisions relating to AI are particularly contentious. They touch on the very definitions of personal and sensitive data. These are not minor technical adjustments. They go to the heart of how data protection is understood and enforced in Europe.
The key questions Europe must answer
The digital transition is reshaping how people, objects, and environments interact. As the analogue and digital worlds increasingly merge, new legislative efforts must grapple with difficult trade-offs.
Before the Digital Omnibus is approved, policymakers should consider the following questions:
- Are today’s policy instruments still fit for purpose? Can they protect citizens’ rights without restricting the tools needed for innovation?
- Will the proposed changes support European AI development? Or will they open the door to greater hyperscaler dominance?
- Can a balance be struck? Is it possible to foster innovation while preserving personal data protection guarantees?
What comes next
The legislative landscape on AI and data protection is evolving rapidly. The coming months will reveal how the European Union responds to these new pressures. We will keep you posted!


