The deregulation turn

For its first decade the direction of EU data law was, unevenly, toward more protection. In late 2025 that reversed.

On 19 November 2025 the European Commission published the Digital Omnibus, a package presented as a “simplification” of the digital rulebook. Digital-rights groups read it differently, as the largest rollback of data-protection rights in EU history, moved quickly and with limited scrutiny. Three changes bear directly on surveillance and profiling.

The definition of personal data would be narrowed, so that a company could treat data as non-personal, and outside the GDPR, if it cannot itself identify the person, even where someone else can. That would lift a large volume of data out of protection entirely.

A legitimate-interest basis would be opened for training AI systems on personal data, letting firms use posts, photos and other material to train models without meaningful consent, and without a clear route to opt out or to have the data removed once used.

Parts of the ePrivacy rules would be folded into the GDPR, loosening the long-standing requirement to obtain consent before storing or reading information on a person’s device. That would normalise device-level access that ePrivacy was written to gate.

Each change weakens a protection that the defensive playbooks rely on. A deletion right that reaches less data, a consent rule that guards fewer devices, and a training exception with no opt-out are not abstract adjustments. They move the baseline against which every individual measure is judged.

Last reviewed: 2026-07-08.