Protect the GDPR

Stop the European Commission's plan to undermine privacy rights

At the end of 2025, the European Commission presented the so-called Digital Omnibus. This Omnibus includes proposed changes to Europe's data legislation. The idea is that this would reduce the regulatory burden on companies, but in reality it is mainly good news for American tech giants and bad news for European companies and the privacy of citizens. For example, the Commission seeks to erode the definition of personal data and make it possible to use personal data to train AI systems.

What is going on?

Firstly, the definition of ‘personal data’ is becoming blurred. Until now, anything that could be traced back to you directly or indirectly was protected under the GDPR. That includes, for instance, your license plate number, your IP address, or the profiles that data brokers create about you. The Digital Omnibus instead says: it depends. If a company can determine for itself that an IP address belongs to you, then it is personal data. For one company, an IP address will therefore be personal data, and for another it will not. In addition, other information to which the company has access in order to trace an IP address, such as information on the internet, must also be taken into account. This makes assessing whether something is personal data unnecessarily complex. Large companies can then split access to data across entities in order to circumvent privacy rules.

Secondly, companies will soon be allowed to use all that personal data for “scientific research” without explicit consent. Although we endorse the importance of scientific research, the Commission is missing the mark with this relaxation. Even 100% commercial research now seems to fall under the definition. That opens the door to abuse by Big Tech.

Thirdly, it opens the door to the use of personal data for the development of AI without consent. It remains unclear where the line is drawn: when is consent required and when is it not? In addition, highly sensitive data will no longer be secure. According to the Omnibus, even that data may sometimes be used for AI without consent.

Big Tech companies are writing the law

The Digital Omnibus is not a simplification, but a complication and dismantling of European privacy protection. The Commission claims it wants to support small and medium-sized enterprises (SMEs), but in practice it is mainly companies that already possess enormous amounts of data and advanced AI systems that stand to benefit. It is not European startups that are being helped, but Big Tech companies from the United States.

This is no coincidence. Research published in January by the lobbying watchdog Corporate Europe Observatory shows that the European proposals closely align with the wishes of Big Tech lobbyists. At the same time, political pressure from the United States on Europe to weaken privacy legislation is increasing. The outcome is predictable: the European Commission gives in. Not to citizens or entrepreneurs, but to Trump and Silicon Valley.

In doing so, the European Commission is putting not only our rights at risk, but also our digital sovereignty. In a world where geopolitical tensions are rising and where the Trump administration openly uses technology as a tool of power, it is reckless to make Europe even more dependent on American platforms. The recent debate surrounding the possible American takeover of DigiD underscores the importance of our independence.

What is really at stake?

Not the tech companies that for years illegally collected our data and thereby compete unfairly with companies that do respect our privacy. The real losers are small and medium-sized businesses. The legislative changes create more legal uncertainty instead of less. Large companies can afford specialized lawyers and can exploit every loophole in the law; SMEs cannot.

The other major loser are citizens. Not only could our data soon be used to train AI systems, the proposed legislative changes also make it easier to track and profile internet users. In doing so, the Omnibus undermines several rulings of the European Court against large-scale tracking (by elevating part of those rulings into the general rule).

Under the guise of “reducing regulatory burden”, the European Commission is bending to the lobbying efforts of Trump and Big Tech. We call on the Dutch government to not go along with this and to block this proposal. No more gifts to Big Tech. No sell-out of our rights. This is the moment to choose: for our citizens, for businesses within the EU, and for our autonomy.

What are we doing?

Together with other privacy organizations such as Bits of Freedom, EDRi, and People versus Big Tech, we are urging Dutch and European politicians to vote against this plan. Together with 133 other European privacy organizations, we signed an open letter to the European Commission, and we are actively engaging with members of parliament in the Netherlands and in Brussels.