GDPR: simplifying without compromising
The digital omnibus provides an opportunity for a pragmatic review of one of Europe’s flagship regulations
When it comes to data, Europe has achieved the holy grail. Ten years after its adoption and eight years after its implementation, the General Data Protection Regulation (GDPR) has established a culture of personal data protection within European companies and organizations. However, the free flow of data promised within the internal market has not yet been achieved. Emblematic of the Union, the GDPR also reveals its contradictions.
Yet the shift in mindset is real. Fully committed, stakeholders feel empowered. The model is being exported. Fifteen countries recognized by the European Union (EU) now offer a level of protection equivalent to ours. This allows for free trade with them. Argentina, Japan, and the United Kingdom, which is fortunate for the latter, having helped lay the groundwork for the Regulation, are among them. Nevertheless, the GDPR has also helped develop its own antidote to sometimes overzealous controls, often nitpicky over-compliance, and cookie consent notices that are usually unreadable and incomprehensible on websites. At the risk of reinforcing the idea that citizens are better protected against cookies than against identity theft. Frequent and recent cyberattacks show where efforts should be focused.
When a law becomes meaningless, it must be simplified to lighten the burden on companies already facing a legislative overload bordering on indigestion. The Data Governance Act, AI Act, and Data Act, not to mention the more sector-specific European Health Data Space (EEDS), constitute a regulatory cathedral in which organizations navigate between texts that do not always speak to one another. In fact, the European Commission has shown foresight by launching a simplification initiative, known as the omnibus, aimed at revising the GDPR and the e-Privacy Directive. A landmark ruling by the Court of Justice of the European Union in September 2025 served as the catalyst. Long awaited, it clarifies the status of pseudonymized data. Thus, such data remains personal to those who can re-identify the individual but ceases to be so for those who lack the means to do so. We must not forget this along the way. Legislative monsters lie dormant; let us be careful not to awaken them. Such clarification would be all the more beneficial as it would contribute to concrete advances in medical research and, more broadly, to innovation and the development of artificial intelligence (AI) solutions.
« To be sustainable, data protection must also become a competitive advantage rather than an additional cost »
Simplify. In a report published on Wednesday, drafted under the direction of attorney Jeanne Bossi Malafosse, La villa numeris welcomes these advances, provided they are reflected in the legislation to be voted on and subsequently implemented.
Pragmatism can do no harm. However, several points, particularly regarding economic and competitive matters, would in turn benefit from simplification. Thus, the combination of the GDPR and the e-Privacy Directive, adopted as early as 2002 to protect privacy online, becomes a symptom of a Europe that, having neglected to streamline its regulations, legislates in layers. Thus, the Omnibus proposal, unveiled this fall, would create a parallel consent regime providing for more exceptions to consent for the processing of personal data than for the processing of non-personal data.
Another glaring inconsistency is that the interpretation of the GDPR remains highly fragmented across the 27 EU member states. With 27 different ways of interpreting the text, this has become a major obstacle for pan-European actors. For example, a French company operating in five European countries must navigate as many different sets of guidelines. The Commission’s draft seeks to address this situation in certain areas. This would be a positive step forward insofar as it would simplify matters for all stakeholders, the largest, certainly, but also smaller ones that are less well-equipped, if only in terms of legal departments. Furthermore, the omnibus proposal overlooks the concept of a “sandbox,” which allows applications to be tested in a restricted environment, whereas the AI Act enshrines them.
It is time to move from compliance to trust. The upcoming EU Council presidency, in the second half of the year, would be an ideal time to do so. To be sustainable, data protection must also become a competitive advantage rather than an additional cost. In this regard, the upcoming Digital Omnibus Bill presents an opportunity that leaders, both public and private, must seize, a chance not to be missed to raise awareness among policymakers and legislators. They are taking action. We must encourage them. The competitiveness of our continent is at stake here as well.
This article was originally published in French in l’Opinion