European Digital Rights raises concerns over Commission’s Digital Omnibus proposals
European Digital Rights (EDRi) warns that the European Commission’s new Digital Omnibus proposals could weaken long-standing EU privacy and AI safeguards. In a press release issued on 19 November 2025, the organisation argues that the reforms would dilute key protections in the GDPR, ePrivacy framework and AI Act by expanding exceptions for device-level data access, loosening limits on personal data processing, and delaying high-risk AI obligations.
The European Commission has released two major legislative proposals – the Digital Omnibus and the Digital Omnibus on AI – together with a Digital Fitness Check that reopens parts of the EU’s digital regulatory framework. The assessment below reflects concerns raised in a press release issued by European Digital Rights (EDRi) on 19 November 2025.
According to EDRi’s statement, the Digital Omnibus would alter core elements of the ePrivacy framework by transferring provisions on device-level data access into the GDPR. While consent would continue to be the general rule for most tracking, EDRi notes that the proposal introduces several broad exceptions allowing access without user approval. The group also highlights a proposed ‘privacy signal’ that would give users a standardised way to refuse tracking. EDRi points out that the mechanism would only become operational after a two-year transition period and would not apply to all media services.
The press release further claims that the proposal revises central provisions of the GDPR, including definitions of personal data, rules on automated decision-making, and the scope of data permitted for use in training AI systems. EDRi argues that these changes could expand the ability of public authorities and private companies to process personal data with fewer safeguards.
EDRi also raises significant concerns about the Digital Omnibus on AI, which proposes amendments to the EU AI Act. According to the organisation, the amendments would reduce transparency and oversight mechanisms, allow broader self-assessment by developers of high-risk systems, and delay several high-risk AI obligations without setting a fixed implementation timeline. The press release states that these changes could weaken the protective framework originally established in the AI Act.
In its broader critique, EDRi comments on the legislative process, arguing that industry actors had comparatively greater access to the Commission during the drafting stage. The group also warns that the accompanying Digital Fitness Check places a wide range of digital rules under review simultaneously, potentially reshaping long-standing safeguards.
The Commission’s legislative proposals will now be considered by the European Parliament and the Council, which will determine their final form.
