EU

EU introduces plan to strengthen consumer protection

The European Commission has unveiled the 2030 Consumer Agenda, a strategic plan to reinforce protection, trust, and competitiveness across the EU.

With 450 million consumers contributing over half of the Union’s GDP, the agenda aims to simplify administrative processes for businesses, rather than adding new burdens, while ensuring fair treatment for shoppers.

The agenda sets four priorities to adapt to rising living costs, evolving online markets, and the surge in e-commerce. Completing the Single Market will remove cross-border barriers, enhance travel and financial services, and evaluate the effectiveness of the Geo-Blocking Regulation.

A planned Digital Fairness Act will address harmful online practices, focusing on protecting children and strengthening consumer rights.

Sustainable consumption takes a central focus, with efforts to combat greenwashing, expand access to sustainable goods, and support circular initiatives such as second-hand markets and repairable products.

The Commission will also enhance enforcement to tackle unsafe or non-compliant products, particularly from third countries, ensuring that compliant businesses are shielded from unfair competition.

Implementation will be overseen through the Annual Consumer Summit and regular Ministerial Forums, which will provide political guidance and monitor progress.

The 2030 Consumer Agenda builds on prior achievements and EU consultations, aiming to modernise consumer protection instead of leaving gaps in a rapidly changing market.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

EU proposal sparks alarm over weakened privacy rules

The Digital Omnibus has been released by the European Commission, prompting strong criticism from privacy advocates. Campaigners argue the reforms would weaken long-standing data protection standards and introduce sweeping changes without proper consultation.

Noyb founder Max Schrems claims the plan favours large technology firms by creating loopholes around personal data and lowering user safeguards. Critics say the proposals emerge despite limited political support from EU governments, civil society groups and several parliamentary factions.

The Omnibus is welcomed by industry which have called for simplification and changes to be made for quite a number of years. These changes should make carrying out business activities simpler for entities which do process vast amounts of data.

The Commission is also accused of rushing (errors can be found in the draft, including references to the GDPR) the process under political pressure, abandoning impact assessments and shifting priorities away from widely supported protections. View our analysis on the matter for a deep dive on the matter.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

The future of EU data protection under the Omnibus Package

Introduction and background information

The Commission claims that the Omnibus Package aims to simplify certain European Union legislation to strengthen the Union’s long-term competitiveness. A total of six omnibus packages have been announced in total.

The latest (no. 4) targets small mid-caps and digitalisation. Package no. 4 covers data legislation, cookies and tracking technologies (i.e. the General Data Protection Regulation (GDPR) and ePrivacy Directive (ePD)), as well as cybersecurity incident reporting and adjustments to the Artificial Intelligence Act (AIA).

That ‘simplification’ is part of a broader agenda to appease business, industry and governments who argue that the EU has too much red tape. In her September 2025 speech to German economic and business associations, Ursula von der Leyen sided with industry and stated that simplification is ‘the only way to remain competitive’.

As for why these particular laws were selected, the rationale is unclear. One stated motivation for including the GDPR is its mention in Mario Draghi’s 2024 report on ‘The Future of European Competitiveness’.

Draghi, the former President of the European Central Bank, focused on innovation in advanced technologies, decarbonisation and competitiveness, as well as security. Yet, the report does not outline any concrete way in which the GDPR allegedly reduces competitiveness or requires revision.

The GDPR appears only twice in the report. First, as a brief reference to regulatory fragmentation affecting the reuse of sensitive health data across Member States (MS).

Second, in the concluding remarks, it is claimed that ‘the GDPR in particular has been implemented with a large degree of fragmentation which undermines the EU’s digital goals’. There is, however, no explanation of this ‘large fragmentation’, no supporting evidence, and no dedicated section on the GDPR as its first mention being buried in the R&I (research and innovation) context.

It is therefore unclear what legal or analytical basis the Commission relies on to justify including the GDPR in this simplification exercise.

The current debate

There are two main sides to this Omnibus, which are the privacy forward and the competitive/SME side. The two need not be mutually exclusive, but civil society warns that ‘simplification’ risks eroding privacy protection. Privacy advocates across civil society expressed strong concern and opposition to simplification in their responses to the European Commission’s recent call for evidence.

Industry positions vary in tone and ambition. For example, CrowdStrike calls for greater legal certainty under the Cybersecurity Act, such as making recital 55 binding rather than merely guiding and introducing a one-stop-shop mechanism for incident reporting.

Meta, by contrast, urges the Commission to go beyond ‘easing administrative burdens’, calling for a pause in AI Act enforcement and a sweeping reform of the EU data protection law. On the civil society side, Access Now argues that fundamental rights protections are at stake.

It warns that any reduction in consent prompts could allow tracking technologies to operate without users ever being given a real opportunity to refuse. A more balanced, yet cautious line can be found in the EDPB and EDPS joint opinion regarding easing records of processing activities for SMEs.

Similar to the industry, they support reducing administrative burdens, but with the caveat that amendments should not compromise the protection of fundamental rights, echoing key concerns of civil society.

Regarding Member State support, Estonia, France, Austria and Slovenia are firmly against any reopening of the GDPR. By contrast, the Czech Republic, Finland and Poland propose targeted amendments while Germany proposes a more systematic reopening of the GDPR.

Individual Members of the European Parliament have also come out in favour of reopening, notably Aura Salla, a Finnish centre-right MEP who previously headed Meta’s Brussels lobbying office.

Therefore, given the varied opinions, it cannot be said what the final version of the Omnibus would look like. Yet, a leaked draft document of the GDPR’s potential modifications suggests otherwise. Upon examination, it cannot be disputed that the views from less privacy-friendly entities have served as a strong guiding path.

Leaked draft document main changes

The leaked draft introduces several core changes.

Those changes include a new definition of personal and sensitive data, the use of legitimate interest (LI) for AI processing, an intertwining of the ePrivacy Directive (ePD) and GDPR, data breach reforms, a centralised data protection impact assessment (DPIA) whitelist/blacklist, and access rights being conditional on motive for use.

A new definition of personal data

The draft redefines personal data so that ‘information is not personal data for everyone merely because another entity can identify that natural person’. That directly contradicts established EU case law, which holds that if an entity can, with reasonable means, identify a natural person, then the information is personal data, regardless of who else can identify that person.

A new definition of sensitive data

Under current rules, inferred information can be sensitive personal data. If a political opinion is inferred from browsing history, that inference is protected.

The draft would narrow this by limiting sensitive data to information that ‘directly reveals’ special categories (political views, health, religion, sexual orientation, race/ethnicity, trade union membership). That would remove protection from data derived through profiling and inference.

Detected patterns, such as visits to a health clinic or political website, would no longer be treated as sensitive, and only explicit statements similar to ‘I support the EPP’ or ‘I am Muslim’ would remain covered.

Intertwining article 5(3) ePD and the GDPR

Article 5(3) ePD is effectively copied into the GDPR as a new Article 88a. Article 88a would allow the processing of personal data ‘on or from’ terminal equipment where necessary for transmission, service provision, creating aggregated information (e.g. statistics), or for security purposes, alongside the existing legal bases in Articles 6(1) and 9(2) of the GDPR.

That generates confusion about how these legal bases interact, especially when combined with AI processing under LI. Would this mean that personal data ‘on or from’ a terminal equipment may be allowed if it is done by AI?

The scope is widened. The original ePD covered ‘storing of information, or gaining access to information already stored, in the terminal equipment’. The draft instead regulates any processing of personal data ‘on or from’ terminal equipment. That significantly expands the ePD’s reach and would force controllers to reassess and potentially adapt a broad range of existing operations.

LI for AI personal data processing

A new Article 88c GDPR, ‘Processing in the context of the development and operation of AI’, would allow controllers to rely on LI to process personal data for AI processing. That move would largely sideline data subject control. Businesses could train AI systems on individuals’ images, voices or creations without obtaining consent.

A centralised data breach portal, deadline extension and change in threshold reporting

The draft introduces three main changes to data breach reporting.

  • Extending the notification deadline from 72 to 96 hours, giving privacy teams more time to investigate and report.
  • A single EU-level reporting portal, simplifying reporting for organisations active in multiple MS.
  • Raising the notification threshold when the rights and freedoms of data subjects are at ‘risk’ to ‘high risk’.

The first two changes are industry-friendly measures designed to streamline operations. The third is more contentious. While industry welcomes fewer reporting obligations, civil society warns that a ‘high-risk’ threshold could leave many incidents unreported. Taken together, these reforms simplify obligations, albeit at the potential cost of reducing transparency.

Centralised processing activity (PA) list requiring a DPIA

This is another welcome change as it would clarify which PAs would automatically require a DPIA and which would not. The list would be updated every 3 years.

What should be noted here is that some controllers may not see their PA on this list and assume or argue that a DPIA is not required. Therefore, the language on this should make it clear that it is not a closed list.

Access requests denials

Currently, a data subject may request a copy of their data regardless of the motive. Under the draft, if a data subject exploits the right of access by using that material against the controller, the controller may charge or refuse the request.

That is problematic for the protection of rights as it impacts informational self-determination and weakens an important enforcement tool for individuals.

For more information, an in depth analysis by noyb has been carried out which can be accessed here.

The Commission’s updated version

As of the 19th of November, the Commission has published its digital omnibus proposal. Most of the amendments in the leaked draft have remained. One of the measures dropped is the definition of sensitive data. This means that inferences could amount to sensitive data.

However, the final document keeps three key changes that erode fundamental rights protections:

  • Changing the definition of personal data to be a subjective and narrow one;
  • An intertwining of the ePD and the GDPR which also allows for processing based on aggregated and security purposes;
  • LI being relied upon as a legal basis for AI processing of personal data.

Still, positive changes remain:

  • A single-entry point for EU data breaches. This is a welcomed measure which streamlines reporting and appease some compliance obligations for EU businesses.
  • Another welcomed measure is the white/black-list of processing activities which would or would not require a DPIA. The same note remains with what the language of this text will look like.

Overall, these two measures are examples of simplification measures with concrete benefits.

Now, the European Parliament has the task to dissect this proposal and debate on what to keep and what to reject. Some experts have suggested that this may take minimum 1 year to accomplish given how many changes there are, but this is not certain.

We can also expect a revised version of the Commission’s proposal to be published due to the errors in language, numbering and article referencing that have been observed. This does not mean any content changes.

Final remarks

Simplification in itself is a good idea, and businesses need to have enough freedom to operate without being suffocated with red tape. However, changing a cornerstone of data protection law to such an extent that it threatens fundamental rights protections is just cause for concern.

Alarms have already been raised after the previous Omnibus package on green due diligence obligations was scrapped. We may now be witnessing a similar rollback, this time targeting digital rights.

As a result, all eyes are on 19 November, a date that could reshape not only the EU privacy standards but also global data protection norms.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

EU examines Amazon and Microsoft influence in cloud services

European regulators have launched three market investigations into cloud computing amid growing concerns about sector concentration.

The European Commission will assess whether Amazon Web Services and Microsoft Azure should be designated as gatekeepers for their cloud services under the Digital Markets Act, despite not meeting the formal threshold criteria.

Officials argue that cloud infrastructure now underpins AI development and many digital services, so competition must remain open and fair.

A move that signals a broader shift in EU oversight of strategic technologies. Rather than focusing solely on size, investigators will examine whether the two providers act as unavoidable gateways between businesses and users.

They will analyse network effects, switching costs and the role of corporate structures that might deepen market dominance. If the inquiries confirm gatekeeper status, both companies will face the DMA’s full obligations and a six-month compliance period.

A parallel investigation will explore whether existing DMA rules adequately address cloud-specific risks that might limit competition. Regulators aim to clarify whether obstacles to interoperability, restricted access to data, tying of services and imbalanced contractual terms require updated obligations.

Insights gathered from industry, public bodies and civil society will feed into a final report within 18 months, potentially leading to changes via a delegated act.

EU officials underline that Europe’s competitiveness, technological resilience and future AI capacity rely on a fair cloud environment. They argue that a transparent and contestable market will strengthen Europe’s strategic autonomy and encourage innovation.

The inquiries will shape how digital platforms are regulated as cloud services become increasingly central to economic and social life.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Europe ramps up bid for digital independence

European leaders gathered in Berlin for the Summit on European Digital Sovereignty, where France and Germany unveiled a series of major commitments aimed at boosting the EU’s technological autonomy and competitiveness. The event brought together more than 900 policymakers, industry figures, and researchers from across the bloc to outline new measures aimed to reducing reliance on non-EU technologies, strengthening digital infrastructure, and supporting European innovation.

Paris and Berlin identified seven strategic areas for action, including simplifying the EU digital regulation, strengthening competition in strategic markets, and establishing higher protection standards for Europe’s most sensitive data. The two countries also endorsed the expansion of digital commons, backed the rollout of the EU Digital Identity Wallet, and committed to broadening the use of open-source tools within public administrations.

A new Franco-German task force will work on defining what constitutes a European digital service, developing indicators of sovereignty, and shaping policy tools to reinforce strategic sectors, including cloud services, AI, and cybersecurity.

The summit also highlighted ambitions to make Europe a leader in frontier AI by fostering public-private collaboration and attracting large-scale investment. European tech companies pledged over €12 billion for key digital technologies, signalling a strong private-sector commitment to the sovereignty agenda.

German Chancellor Friedrich Merz and French President Emmanuel Macron both praised the progress made, stressing that Europe must shape its technological future on its own terms and accelerate the development and adoption of homegrown solutions.

With political momentum, cross-border cooperation, and significant financial backing, the summit marked one of the EU’s most coordinated pushes yet to build a secure, competitive, and sovereign digital ecosystem.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

New EU rules aim to accelerate GDPR complaint handling

The Council of the European Union has approved new rules aimed at speeding up the handling of cross-border data protection complaints, marking a significant update to the enforcement of the General Data Protection Regulation (GDPR) across the bloc. The new regulation aims to address long-standing bottlenecks in cooperation between national data protection authorities, which often hinder investigations involving companies operating across multiple EU countries.

Among the key changes is the introduction of harmonised criteria for determining whether a complaint is admissible, ensuring that citizens receive the same treatment no matter where they file a GDPR complaint. The rules also strengthen the rights of both complainants and companies under investigation, including clearer procedures for participation in the case and access to preliminary findings.

To reduce administrative burdens, the regulation introduces a simplified cooperation procedure for straightforward cases, allowing authorities to close cases more quickly without relying on the full cooperation framework.

Standard investigations will now be subject to a maximum 15-month deadline, extendable by another 12 months for particularly complex cases. Simple cooperation cases must be concluded within 12 months.

With the Council’s adoption, the legislative process is complete. The regulation will enter into force 20 days after its publication in the EU’s Official Journal and will begin to apply 15 months later. It updates the GDPR’s cross-border enforcement system, under which a single lead authority handles cases but must coordinate with other national regulators when individuals in multiple member states are affected.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

WhatsApp to support cross-app messaging

Meta is launching a ‘third-party chats’ feature on WhatsApp in Europe, allowing users to send and receive messages from other interoperable messaging apps.

Initially, only two apps, BirdyChat and Haiket, will support this integration, but users will be able to send text, voice, video, images and files. The rollout will begin in the coming months for iOS and Android users in the EU.

Meta emphasises that interoperability is opt-in, and messages exchanged via third-party apps will retain end-to-end encryption, provided the other apps match WhatsApp’s security requirements. Users can choose whether to display these cross-app conversations in a separate ‘third-party chats’ folder or mix them into their main inbox.

By opening up its messaging to external apps, WhatsApp is responding to the EU’s Digital Markets Act (DMA), which requires major tech platforms to allow interoperability. This move could reshape how messaging works in Europe, making it easier to communicate across different apps, though it also raises questions about privacy, spam risk and how encryption is enforced.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Researchers join forces to advance Europe’s digital autonomy

Europe is stepping up efforts to strengthen its digital independence with the creation of the European Network for Technological Resilience and Sovereignty (ETRS), launched ahead of the Summit on European Digital Sovereignty in Berlin. Bringing together leading think tanks and experts from across the continent, the network aims to boost Europe’s capacity for innovation and reduce its reliance on foreign technologies, particularly in critical areas such as AI, cloud infrastructure, and semiconductors.

Today, more than 80% of these technologies originate from the US and China, posing significant economic and strategic risks to Europe.

Led by founding members, including Germany’s Bertelsmann Stiftung, Belgium’s Centre for European Policy Studies (CEPS), France’s AI & Society Institute, and the Polish Economic Institute (PEI), the ETRS aims to establish a shared knowledge base to inform evidence-driven policymaking. The initiative aspires to act as a ‘knowledge engine,’ connecting academia, civil society, industry, and public institutions.

Its goal is to transform fragmented national efforts into a coordinated, values-driven approach that helps Europe enhance its technological resilience while safeguarding democratic principles.

Through joint research, strategic mapping of technology dependencies, and practical policy recommendations, the network intends to support a more sovereign digital infrastructure for Europe. Beginning in 2026, ETRS will roll out strategic initiatives, including expert workshops and an international pool of specialists focused on digital sovereignty, to translate its mission into actionable steps.

Founders emphasise that deeper data-driven analysis and cooperation are essential for Europe to regain agency in the global digital arena.

The network is open to new members, with more than a dozen institutions already joining alongside the founding organisations. ETRS invites think tanks, research bodies, and independent experts across Europe to contribute to its mission of building a resilient, competitive, and democratic digital future for the continent.

More information, as well as the policy toolkit prepared for the summit, is available at the initiative’s official website.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

EU moves to reinforce cooperation against VAT fraud

The European Commission has presented a plan to strengthen cooperation among the European Public Prosecutor’s Office, the European Anti-Fraud Office, and member states as part of a broader effort to combat VAT fraud.

The proposal establishes a legal framework for the sharing of information. It grants the EU bodies immediate access to VAT data, which is expected to enhance the detection of cross-border tax evasion schemes.

Real-time reporting of cross-border trade, delivered through the VAT in the Digital Age package, provides national authorities with the information needed to identify suspicious activity, rather than relying on delayed or incomplete records.

Carousel fraud alone costs EU taxpayers billions each year and remains a significant element of the broader VAT compliance gap, which stood at over €89 billion in 2022.

The Commission argues that faster access to VAT information will help investigators uncover fraudulent networks, halt their activities and pursue prosecutions more effectively.

EPPO, OLAF and the Eurofisc network would gain direct communication channels, enabling closer coordination and rapid intelligence sharing throughout the Union.

A proposal that will now move to the Council for agreement and to the European Parliament and the Economic and Social Committee for consultation.

Once adopted and published, the changes will take effect and initiate the implementation phase across the EU.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

EU investigates Google over potential Digital Markets Act breach

The European Commission has opened an investigation into whether Google may be breaching the Digital Markets Act by unfairly demoting news publishers in search results.

An inquiry that centres on Google’s ‘site reputation abuse policy’, which appears to lower rankings for publishers that host content from commercial partners, even when those partnerships support legitimate ways of monetising online journalism.

The Commission is examining whether Alphabet’s approach restricts publishers from conducting business, innovating, and cooperating with third-party content providers. Officials highlighted concerns that such demotions may undermine revenue at a difficult moment for the media sector.

These proceedings do not imply a final decision; instead, they allow the EU to gather evidence and assess Google’s practices in detail.

If the Commission finds evidence of non-compliance, it will present preliminary findings and request corrective measures. The investigation is expected to conclude within 12 months.

Under the DMA, infringements can lead to fines of up to ten percent of a company’s worldwide turnover, rising to twenty percent for repeated violations, alongside possible structural remedies.

Senior Commissioners stressed that gatekeepers must offer fair and non-discriminatory access to their platforms. They argued that protecting publishers’ ability to reach audiences supports media pluralism, innovation, and democratic resilience.

Google Search, designated as a core platform service under the DMA, has been required to comply fully with the regulation since March 2024.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!