The future of the EU data protection under the Omnibus Package

Introduction and background information

The Commission claims that the Omnibus Package aims to simplify certain European Union legislation to strengthen the Union’s long-term competitiveness. A total of six omnibus packages have been announced.

The latest (no. 4) targets small mid-caps and digitalisation. Package no. 4 covers data legislation, cookies and tracking technologies (i.e. the General Data Protection Regulation (GDPR) and ePrivacy Directive (ePD)), as well as cybersecurity incident reporting and adjustments to the Artificial Intelligence Act (AIA).

That ‘simplification’ is part of a broader agenda to appease business, industry and governments who argue that the EU has too much red tape. In her September 2025 speech to German economic and business associations, Ursula von der Leyen sided with industry and stated that simplification is ‘the only way to remain competitive’.

As for why these particular laws were selected, the rationale is unclear. One stated motivation for including the GDPR is its mention in Mario Draghi’s 2024 report on ‘The Future of European Competitiveness’.

Draghi, the former President of the European Central Bank, focused on innovation in advanced technologies, decarbonisation and competitiveness, as well as security. Yet, the report does not outline any concrete way in which the GDPR allegedly reduces competitiveness or requires revision.

The GDPR appears only twice in the report. First, as a brief reference to regulatory fragmentation affecting the reuse of sensitive health data across Member States (MS).

Second, in the concluding remarks, it is claimed that ‘the GDPR in particular has been implemented with a large degree of fragmentation which undermines the EU’s digital goals’. There is, however, no explanation of this ‘large fragmentation’, no supporting evidence, and no dedicated section on the GDPR, its first mention being buried in the R&I (research and innovation) context.

It is therefore unclear what legal or analytical basis the Commission relies on to justify including the GDPR in this simplification exercise.

The current debate

There are two main sides to this Omnibus: the privacy-forward side and the competitive/SME side. The two need not be mutually exclusive, but civil society warns that ‘simplification’ risks eroding privacy protection. Privacy advocates across civil society expressed strong concern and opposition to simplification in their responses to the European Commission’s recent call for evidence.

Industry positions vary in tone and ambition. For example, CrowdStrike calls for greater legal certainty under the Cybersecurity Act, such as making recital 55 binding rather than merely guiding and introducing a one-stop-shop mechanism for incident reporting.

Meta, by contrast, urges the Commission to go beyond ‘easing administrative burdens’, calling for a pause in AI Act enforcement and a sweeping reform of the EU data protection law. On the civil society side, Access Now argues that fundamental rights protections are at stake.

It warns that any reduction in consent prompts could allow tracking technologies to operate without users ever being given a real opportunity to refuse. A more balanced, yet cautious line can be found in the EDPB and EDPS joint opinion regarding easing records of processing activities for SMEs.

Similar to the industry, they support reducing administrative burdens, but with the caveat that amendments should not compromise the protection of fundamental rights, echoing key concerns of civil society.

Regarding Member State support, Estonia, France, Austria and Slovenia are firmly against any reopening of the GDPR. By contrast, the Czech Republic, Finland and Poland propose targeted amendments while Germany proposes a more systematic reopening of the GDPR.

Individual Members of the European Parliament have also come out in favour of reopening, notably Aura Salla, a Finnish centre-right MEP who previously headed Meta’s Brussels lobbying office.

Therefore, given the varied opinions, it cannot be said what the final version of the Omnibus would look like. Yet, a leaked draft document of the GDPR’s potential modifications suggests otherwise. Upon examination, it cannot be disputed that the views from less privacy-friendly entities have served as a strong guiding path.

Leaked draft document main changes

The leaked draft introduces several core changes.

Those changes include a new definition of personal and sensitive data, the use of legitimate interest (LI) for AI processing, an intertwining of the ePrivacy Directive (ePD) and GDPR, data breach reforms, a centralised data protection impact assessment (DPIA) whitelist/blacklist, and access rights being conditional on motive for use.

A new definition of personal data

The draft redefines personal data so that ‘information is not personal data for everyone merely because another entity can identify that natural person’. That directly contradicts established EU case law, which holds that if an entity can, with reasonable means, identify a natural person, then the information is personal data, regardless of who else can identify that person.

A new definition of sensitive data

Under current rules, inferred information can be sensitive personal data. If a political opinion is inferred from browsing history, that inference is protected.

The draft would narrow this by limiting sensitive data to information that ‘directly reveals’ special categories (political views, health, religion, sexual orientation, race/ethnicity, trade union membership). That would remove protection from data derived through profiling and inference.

Detected patterns, such as visits to a health clinic or political website, would no longer be treated as sensitive, and only explicit statements similar to ‘I support the EPP’ or ‘I am Muslim’ would remain covered.

Intertwining article 5(3) ePD and the GDPR

Article 5(3) ePD is effectively copied into the GDPR as a new Article 88a. Article 88a would allow the processing of personal data ‘on or from’ terminal equipment where necessary for transmission, service provision, creating aggregated information (e.g. statistics), or for security purposes, alongside the existing legal bases in Articles 6(1) and 9(2) of the GDPR.

That generates confusion about how these legal bases interact, especially when combined with AI processing under LI. Would this mean that processing personal data ‘on or from’ terminal equipment may be allowed if it is done by AI?

The scope is widened. The original ePD covered ‘storing of information, or gaining access to information already stored, in the terminal equipment’. The draft instead regulates any processing of personal data ‘on or from’ terminal equipment. That significantly expands the ePD’s reach and would force controllers to reassess and potentially adapt a broad range of existing operations.

LI for AI personal data processing

A new Article 88c GDPR, ‘Processing in the context of the development and operation of AI’, would allow controllers to rely on LI to process personal data for AI processing. That move would largely sideline data subject control. Businesses could train AI systems on individuals’ images, voices or creations without obtaining consent.

A centralised data breach portal, deadline extension and change in threshold reporting

The draft introduces three main changes to data breach reporting.

  • Extending the notification deadline from 72 to 96 hours, giving privacy teams more time to investigate and report.
  • A single EU-level reporting portal, simplifying reporting for organisations active in multiple MS.
  • Raising the notification threshold from a ‘risk’ to a ‘high risk’ to the rights and freedoms of data subjects.

The first two changes are industry-friendly measures designed to streamline operations. The third is more contentious. While industry welcomes fewer reporting obligations, civil society warns that a ‘high-risk’ threshold could leave many incidents unreported. Taken together, these reforms simplify obligations, albeit at the potential cost of reducing transparency.

Centralised processing activity (PA) list requiring a DPIA

This is another welcome change as it would clarify which PAs would automatically require a DPIA and which would not. The list would be updated every 3 years.

What should be noted here is that some controllers may not see their PA on this list and assume or argue that a DPIA is not required. Therefore, the language on this should make it clear that it is not a closed list.

Access requests denials

Currently, a data subject may request a copy of their data regardless of the motive. Under the draft, if a data subject exploits the right of access by using that material against the controller, the controller may charge or refuse the request.

That is problematic for the protection of rights as it impacts informational self-determination and weakens an important enforcement tool for individuals.

For more information, see the in-depth analysis carried out by noyb.

The Commission’s updated version

On 19 November, the European Commission is expected to present its official simplification package. This section will be updated once the final text is published.

Final remarks

Simplification in itself is a good idea, and businesses need to have enough freedom to operate without being suffocated with red tape. However, changing a cornerstone of data protection law to such an extent that it threatens fundamental rights protections is just cause for concern.

Alarms have already been raised after the previous Omnibus package on green due diligence obligations was scrapped. We may now be witnessing a similar rollback, this time targeting digital rights.

As a result, all eyes are on 19 November, a date that could reshape not only EU privacy standards but also global data protection norms.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Cloudflare outage disrupts leading crypto platforms

Cloudflare experienced a significant network outage on Tuesday, which disrupted access to major cryptocurrency platforms, including Coinbase, Kraken, Etherscan, and several DeFi services, resulting in widespread ‘500 Internal Server Error’ messages.

The company acknowledged the issue as an internal service degradation across parts of its global network and began rolling out a fix. However, users continued to face elevated error rates during the process.

Major Bitcoin and Ethereum platforms, as well as Aave, DeFiLlama, and several blockchain explorers, were impacted. The disruption spread beyond crypto, affecting several major Web2 platforms, while services like BlueSky and Reddit stayed fully operational.

Cloudflare shares dropped 3.5% in pre-market trading as the company investigated whether scheduled maintenance at specific data centres played any role.

The incident marks the third significant Cloudflare disruption affecting crypto platforms since 2019, highlighting the industry’s ongoing reliance on centralised infrastructure providers despite its focus on decentralisation.

Industry experts pointed to recent outages from Cloudflare and Amazon Web Services as evidence that critical digital services cannot rely solely on a single vendor for reliability. Kraken restored access ahead of many peers, while Cloudflare stated that the issue was resolved and would continue to monitor for full stability.


CelcomDigi convergence project earns ZTE top 5G service honour

ZTE has won the Best Mobile/5G Service Innovation award at the 2025 Global Connectivity Awards for its work on Malaysia’s CelcomDigi dual-network convergence. The project integrates network assets across four regions and six operators, marking the largest deployment of its kind in the country.

The company introduced an intelligent, integrated, and connected management model built on big-data platforms for site deployment, optimisation, and value analysis. Eight smart tools support planning, commissioning, and operations, enabling end-to-end oversight of project delivery and performance.

Phase-one results show a 15 percent rise in coverage, 25 percent faster downloads, higher traffic, and a more than 60 percent reduction in complaints. ZTE also deployed AI-based energy-saving systems to reduce emissions and advance sustainability goals across the network.

The project incorporates talent-building measures by prioritising localisation and working with Malaysian universities. ZTE says this approach supports long-term sector resilience alongside near-term performance gains.

CAPACITY’s Global Connectivity Awards, held in Malaysia, evaluate innovation, execution, and industry impact. ZTE states that it will continue to develop new project management models and partner globally to build more efficient, intelligent, and sustainable communications networks.


Old laws now target modern tracking technology

Class-action privacy litigation continues to grow in frequency, repurposing older laws to address modern data tracking technologies. Recent high-profile lawsuits have applied the California Invasion of Privacy Act and the Video Privacy Protection Act.

A unanimous jury verdict, which is now under appeal, recently found Meta Platforms violated CIPA Section 632 by eavesdropping on users’ confidential communications without consent. The court ruled that Meta intentionally used its SDK within a sexual health app, Flo, to intercept sensitive real-time user inputs.

That judgement suggests an electronic device under the statute need not be physical, with a user’s phone qualifying as the requisite device. The legal success in these cases highlights a significant, rising risk for all companies utilising tracking pixels and software development kits (SDKs).

Separately, the VPPA has found new power against tracking pixels in the case of Jancik v. WebMD concerning video-viewing data. The court held that a consumer need not pay for a video service but can subscribe by simply exchanging their email address for a newsletter.

Companies must ensure their privacy policies clearly disclose all such tracking conduct to obtain explicit, valid consent. The courts are taking real-time data interception seriously, noting intentionality may be implied when a firm fails to stem the flow of sensitive personally identifiable information.


ALX and Anthropic partner with Rwanda on AI education

A landmark partnership between ALX, Anthropic, and the Government of Rwanda has launched a major AI learning initiative across Africa.

The program introduces ‘Chidi’, an AI-powered learning companion built on Anthropic’s Claude model. Instead of providing direct answers, the system is designed to guide learners through critical thinking and problem-solving, positioning African talent at the centre of global tech innovation.

The initiative, described as one of the largest AI-enhanced education deployments on the continent, will see Chidi integrated into Rwanda’s public education system. A pilot phase will involve up to 2,000 educators and select civil servants.

According to the partners, the collaboration aims to ensure Africa’s youth become creators of AI technology instead of remaining merely consumers of it.

The three-way collaboration unites ALX’s training infrastructure, Anthropic’s AI technology, and Rwanda’s progressive digital policy. The working group, the researchers noted, will document insights to inform Rwanda’s national AI policy.

The initiative sets a new standard for inclusive, AI-powered learning, with Rwanda serving as a launch hub for future deployments across the continent.


Berlin summit links digital strategy to wider European security

German Chancellor Friedrich Merz and French President Emmanuel Macron will host a Berlin summit to reduce Europe’s reliance on US tech platforms and to shape a more independent EU digital strategy. The meeting coincides with planned revisions to EU AI and data rules.

The push for digital independence reflects growing concern that Europe risks falling behind the US in strategic technologies. Leaders argue that regulatory changes must support competitiveness while maintaining core privacy and safety principles.

Germany is also hosting a two-day European security conference in Berlin, featuring German Defence Minister Boris Pistorius. The parallel agendas highlight how digital strategy and geopolitical security are increasingly linked in EU policy debates.

The German foreign minister, Johann Wadephul, has meanwhile backed EU enlargement in the Western Balkans during a visit to Montenegro, signalling continued geopolitical outreach alongside internal reforms.

The Berlin discussions are expected to shape Europe’s stance ahead of upcoming AI and data proposals, setting the tone for broader talks on industrial policy, technology sovereignty, and regional security.


Report calls for new regulations as AI deepfakes threaten legal evidence

US courtrooms increasingly depend on video evidence, yet researchers warn that the legal system is unprepared for an era in which AI can fabricate convincing scenes.

A new report led by the University of Colorado Boulder argues that national standards are urgently needed to guide how courts assess footage generated or enhanced by emerging technologies.

The authors note that judges and jurors receive little training on evaluating altered clips, despite more than 80 percent of cases involving some form of video.

Concerns have grown as deepfakes become easier to produce. A civil case in California collapsed in September after a judge ruled that a witness video was fabricated, and researchers believe such incidents will rise as tools like Sora 2 allow users to create persuasive simulations in moments.

Experts also warn about the spread of the so-called deepfake defence, where lawyers attempt to cast doubt on genuine recordings instead of accepting what is shown.

AI is also increasingly used to clean up real footage and to match surveillance clips with suspects. Such techniques can improve clarity, yet they also risk deepening inequalities when only some parties can afford to use them.

High-profile errors linked to facial recognition have already led to wrongful arrests, reinforcing the need for more explicit courtroom rules.

The report calls for specialised judicial training, new systems for storing and retrieving video evidence and stronger safeguards that help viewers identify manipulated content without compromising whistleblowers.

Researchers hope the findings prompt legal reforms that place scientific rigour at the centre of how courts treat digital evidence as it shifts further into an AI-driven era.


SAP unveils new models and tools shaping enterprise AI

The German multinational software company, SAP, used its TechEd event in Berlin to reveal a significant expansion of its Business AI portfolio, signalling a decisive shift toward an AI-native future across its suite.

The company expects to deliver 400 AI use cases by the end of 2025, building on more than 300 already in place.

It also argues that its early use cases already generate substantial returns, offering meaningful value for firms seeking operational gains instead of incremental upgrades.

The firm places AI-native architecture at the centre of its strategy. SAP HANA Cloud now supports richer model grounding through multi-model engines, long-term agentic memory, and automated knowledge graph creation.

SAP aims to integrate these tools with SAP Business Data Cloud and Snowflake through zero-copy data sharing next year.

The introduction of SAP-RPT-1, a new relational foundation model designed for structured enterprise data rather than general language tasks, is presented as a significant step toward improving prediction accuracy across finance, supply chains, and customer analytics.

SAP also seeks to empower developers through a mix of low-code and pro-code tools, allowing companies to design and orchestrate their own Joule Agents.

Agent governance is strengthened through the LeanIX agent hub. At the same time, new interoperability efforts based on the agent-to-agent protocol are expected to enable SAP systems to work more smoothly with models and agents from major partners, including AWS, Google, Microsoft, and ServiceNow.

Improvements in ABAP development, including the introduction of SAP-ABAP-1 and a new Visual Studio Code extension, aim to support developers who prefer modern, AI-enabled workflows over older, siloed environments.

Physical AI also takes a prominent role. SAP demonstrated how Joule Agents already operate inside autonomous robots for tasks linked to logistics, field services, and asset performance.

Plans extend from embodied AI to quantum-ready business algorithms designed to enhance complex decision-making without forcing companies to re-platform.

SAP frames the overall strategy as a means to support Europe’s digital sovereignty, which is strengthened through expanded infrastructure in Germany and cooperation with Deutsche Telekom under the Industrial AI Cloud project.


Researchers join forces to advance Europe’s digital autonomy

Europe is stepping up efforts to strengthen its digital independence with the creation of the European Network for Technological Resilience and Sovereignty (ETRS), launched ahead of the Summit on European Digital Sovereignty in Berlin. Bringing together leading think tanks and experts from across the continent, the network aims to boost Europe’s capacity for innovation and reduce its reliance on foreign technologies, particularly in critical areas such as AI, cloud infrastructure, and semiconductors.

Today, more than 80% of these technologies originate from the US and China, posing significant economic and strategic risks to Europe.

Led by founding members, including Germany’s Bertelsmann Stiftung, Belgium’s Centre for European Policy Studies (CEPS), France’s AI & Society Institute, and the Polish Economic Institute (PEI), the ETRS aims to establish a shared knowledge base to inform evidence-driven policymaking. The initiative aspires to act as a ‘knowledge engine,’ connecting academia, civil society, industry, and public institutions.

Its goal is to transform fragmented national efforts into a coordinated, values-driven approach that helps Europe enhance its technological resilience while safeguarding democratic principles.

Through joint research, strategic mapping of technology dependencies, and practical policy recommendations, the network intends to support a more sovereign digital infrastructure for Europe. Beginning in 2026, ETRS will roll out strategic initiatives, including expert workshops and an international pool of specialists focused on digital sovereignty, to translate its mission into actionable steps.

Founders emphasise that deeper data-driven analysis and cooperation are essential for Europe to regain agency in the global digital arena.

The network is open to new members, with more than a dozen institutions already joining alongside the founding organisations. ETRS invites think tanks, research bodies, and independent experts across Europe to contribute to its mission of building a resilient, competitive, and democratic digital future for the continent.

More information, as well as the policy toolkit prepared for the summit, is available at the initiative’s official website.


Nokia to build Surge’s 5G fixed-wireless network in Indonesia

Indonesian telecom provider Surge (Solusi Sinergi Digital) and Nokia have entered a multi-year agreement to roll out a 5G Fixed Wireless Access (FWA) network across Java, Papua, and Maluku.

Nokia will leverage its existing FTTx, IP and optical infrastructure for backhaul, and deploy a new RAN and customer premises equipment (CPE) tailored for FWA. The deployment will utilise Nokia’s AirScale RAN portfolio, comprising baseband, remote radio heads, and zero-footprint sites, all enabled by its energy-efficient ReefShark chip technology.

To help manage the network, Surge will utilise Nokia’s MantaRay NM network management system, which provides a unified view of operations. The agreement also includes deployment, maintenance and support services, with AI-based performance, efficiency and safety enhancements.

This project supports broader aims of digital inclusion in Indonesia: Surge plans to offer flat-rate 5G FWA services at around IDR 100,000 (~US$6) per month, with speeds of up to 100 Mb/s and no data cap.

From a policy and infrastructure standpoint, the deal is noteworthy. It shows how 5G FWA can be used to address connectivity gaps in regions where fibre rollout is challenging, and how advanced RAN technologies, combined with AI-led operations, can make large-scale broadband deployment more feasible.
