By Nick Stringer, a global technology, public policy, and regulatory affairs adviser. His extensive experience includes serving as the former Director of Regulatory Affairs at the UK Internet Advertising Bureau (IAB UK).
The European Commission (EC) today dropped its long-awaited Digital Omnibus, a package of reforms set to redefine the EU’s data and privacy landscape. This isn’t just a minor update: it’s the most substantial challenge and refinement to the rules since the GDPR was framed in 2016.
The core motivation is clear: simplify, clarify, and innovate. The EC is trying to cut red tape for businesses while still protecting fundamental rights. For me the biggest proposed change for the advertising industry is the move away from the broadest possible definition of personal data. Despite privacy campaigners and civil society group outrage, the new rules seek to adopt a risk-based approach (similar to the UK’s Information Commissioner’s Office (ICO)).
The bottom line? Not everything will be automatically classified as personal data, signaling a focus on high-risk data processing activities. But I don’t think this is the ‘de-regulatory gift to Big Tech’ (and other higher-risk data processing business models) that some critics claim. There’s no doubt that the proposals will kick-start another Brussels lobbying frenzy.
Other proposed reforms seek to:
- Make GDPR Workable: Instead of new rules, the focus is on clarifying existing obligations to reduce complexity and administrative burden.
- End ‘Cookie Fatigue’: Major revisions to the ePrivacy Directive are coming, designed to reduce the endless pop-ups and streamline how consent is managed, potentially by shifting towards universal, machine-readable privacy signals (e.g., via browsers, operating systems etc).
- Fuelling AI Innovation: Under pressure from the Trump administration, the reforms include critical adjustments to the AI Act to smooth its rollout and provide a clearer legal basis for using personal data (with safeguards) for the development of AI models.
What’s the Next Step?
While the reforms are significant, the EU’s legislative gears grind slowly. Don’t expect these new rules to be passed until late 2029 or early 2030. This gives companies a runway, but ignoring the process is risky. Regulation and compliance is eventually going to change.
The UK, post-Brexit, is moving in a parallel direction with its Data (Use and Access) Act. However, maintaining alignment with the EU will be crucial for the continued free flow of data, making close monitoring of the Omnibus process essential.
This marks the start of a multi-year journey and no doubt there will be lots more commentary and legal analysis. Regardless, now is the time to stay informed, keep abreast of developments, and assess the future operational impact on your organisation.
Nick Stringer is a prominent global technology, public policy, and regulatory affairs adviser, specialising in privacy and brand safety. He is helping organisations navigate the complex digital policy and regulatory landscape. Nick’s extensive experience includes serving as Director of Regulatory Affairs at the UK Internet Advertising Bureau (IAB UK) and as VP of International Affairs at the Trustworthy Accountability Group (TAG).
Follow him for all his ‘ByteWise Insights’ on LinkedIn, X, Medium, Threads, Substack or BlueSky.
