Netherlands questions EU Digital Omnibus
The Netherlands has broadly supported the European Commission’s effort to simplify digital legislation through the Digital Omnibus package. However, it has raised firm concerns that proposed changes to data-protection rules, particularly the definition of personal data, could weaken fundamental rights protections across the European Union.
The Dutch government has published its assessment of the European Commission’s Digital Omnibus and Omnibus on Artificial Intelligence proposals. The Dutch position supports regulatory simplification where it improves implementation and legal certainty, but is wary about reforms that, in its assessment, dilute existing rights or oversight mechanisms.
The Digital Omnibus forms part of a wider EU effort to reduce administrative burdens and streamline compliance across digital legislation, including the General Data Protection Regulation (GDPR), the Artificial Intelligence Act, and related data and cybersecurity frameworks. The Netherlands supports the general objective of enhancing legal clarity and reducing unnecessary reporting requirements, particularly for small and medium-sized enterprises.
However, the government has expressed significant reservations about proposed amendments to the GDPR, most notably a modification to the definition of personal data. According to the Dutch position, this change goes beyond technical clarification and could narrow the scope of data protection in ways that affect the fundamental right to privacy and data protection under EU law.
These concerns align with positions raised by European data protection authorities, including the European Data Protection Board (EDPB), the European Data Protection Supervisor (EDPS), and several German data protection authorities. The Netherlands has emphasised that any adjustment to the definition of personal data must be assessed carefully for its long-term legal and societal consequences, particularly for individuals’ rights.
The Dutch government has also questioned proposals that would expand the European Commission’s implementing powers in areas traditionally overseen by independent data-protection authorities. This includes decisions related to data-protection impact assessments, breach notification thresholds, and the use of pseudonymization. In the Dutch view, shifting such responsibilities risks weakening independent oversight in a field closely tied to fundamental rights.
In the context of AI, the Netherlands has raised concerns about proposals that could allow broader use of sensitive personal data for the development and operation of AI systems. It has warned that loosening safeguards, even in the name of simplification or innovation, may reduce protections for individuals if not accompanied by strong necessity and proportionality requirements.
