Regulating the Regulator
What the Digital Omnibus Compromise Really Says About Innovation
In this post, I argue that the Digital Omnibus should not be read as a crude attempt to weaken the GDPR, but as a necessary attempt to restore discipline to the legal threshold at which the GDPR begins to apply. The real issue is not whether Europe values privacy, but whether the EDPB and supervisory ecosystem should continue to shape the outer perimeter of data protection law through guidance, enforcement posture, and cumulative interpretation, rather than through a clear legislative settlement.
There is a familiar choreography in European data protection politics, and it usually begins with someone proposing a modest clarification to the GDPR before someone else solemnly announces that fundamental rights are about to be lowered into the nearest canal. The choreography is effective because it invites everyone to debate privacy in the abstract, rather than ask the more uncomfortable institutional question that sits underneath the Digital Omnibus: who decides when the GDPR applies, and how much discretion should supervisory authorities retain when that threshold determines whether research, AI development, data sharing and ordinary digital services can operate with predictable legal risk?
My objection to the current direction of travel has never been that the GDPR should be hollowed out, nor that privacy should be made subordinate to innovation whenever someone in a hoodie says the word “model”. I object that the European Data Protection Board and its supervisory ecosystem have, through guidance, opinions, and enforcement posture, steadily expanded the practical perimeter of EU data protection law beyond what legal certainty, proportionality, and institutional balance can sustain. That is not a complaint about regulators doing their job; it is a complaint about regulators treating the boundary of their own jurisdiction as a matter for regulatory interpretation rather than legislative settlement.
The Commission’s original move in the Digital Omnibus should be read in that light, because the point was not deregulation but discipline, and the target was not the right to data protection but the accumulated scope creep that makes compliance increasingly difficult to price before a project begins. The Commission attempted to restore balance by clarifying trigger logic, actor-relative identifiability, pseudonymisation, scientific research, AI development, terminal-equipment access and automated decision-making, while placing parts of the Board’s perimeter-setting role within a more controlled institutional frame. In other words, the Commission was regulating the regulator, which explains why the reaction from the data protection establishment has been so revealing.
The definition of personal data is the constitutional hinge of the EU digital acquis, because almost every subsequent obligation turns on the moment at which information becomes legally attributable to an identified or identifiable natural person. Once that trigger fires, the full GDPR architecture follows: lawful basis, transparency, rights, security, transfers, accountability, breach notification, DPIAs, and, in many cases, a supervisory dialogue that no innovation team can safely ignore. A definition that is broad enough to catch real power over individuals can still be disciplined enough to exclude purely hypothetical identifiability. That distinction is precisely where recent disputes over pseudonymised data have become so important.
The Commission’s proposed Article 4 clarification captured a basic but often resisted proposition: information does not become personal data for every entity merely because some other entity, somewhere in the data chain, may have the means to identify the person. That proposition does not deny that pseudonymised data may be personal data, and it does not deny that singling out or linkage can matter; it simply insists that identifiability should be assessed in concreto, from the perspective of the actor whose obligations are being triggered, by reference to means reasonably likely to be used by that actor. That approach is not anti-rights because rights are not strengthened when legal triggers become unknowable.
The Presidency compromise retreats from that legislative settlement, and the retreat matters. The visible deletion of the Article 4 rewrite, combined with the new Article 29a route for an EDPB opinion on pseudonymisation, anonymisation and identifiability, moves the issue from hard legislative correction back into supervised interpretation. The compromise retains useful language about actual technical, organisational and legal capabilities, and it preserves the “means reasonably likely to be used” discipline. Still, the operative centre of gravity has shifted from a statutory perimeter to a Board-led articulation of that perimeter. For anyone concerned about EDPB scope creep, that is not a neutral drafting choice.
This is where the innovation lens becomes indispensable, because trigger uncertainty does not merely inconvenience lawyers who enjoy writing memos with cautious footnotes. Trigger uncertainty changes product design, research design, investment sequencing, data-partnership architecture, model-training strategy, contractual allocation of risk, and firms’ willingness to run European projects with European data. A dataset that has been pseudonymised, technically secured, contractually constrained and operationally separated from identification infrastructure can still become commercially awkward if every recipient must treat the Board’s next opinion as a latent expansion of the legal perimeter.
The same institutional pattern appears elsewhere in the compromise. Recital 40a pushes national supervisory authorities to ensure that national guidance, recommendations and best practices do not contradict guidance issued by the Board, which may reduce fragmentation at the Member State level but also strengthens the Board’s gravitational pull over interpretation. Article 70 is amended so that the Board may further specify criteria and conditions for decisions based on profiling under Article 22, which may be helpful if guidance remains disciplined by the legislative text, but troubling if guidance becomes the practical site at which the scope of legal permission is narrowed after the legislature has spoken.
This tension also appears in the scientific-research provisions, which are better understood as a warning sign than as a drafting curiosity. The compromise recognises methodology, autonomy, ethics, transparency, verifiability, and the contribution of research to society’s general knowledge and wellbeing. At the same time, the recitals still acknowledge that scientific research may occur in academic, industry, and other settings and may serve public, private, or commercial purposes. Yet the operative definition is more formal and potentially more contestable than an innovation-friendly reading of Recital 159 would require, which means that public-private research, industrial R&D and model-development work may have to spend more time proving that they qualify as research before they can benefit from the safeguards-based flexibility that the GDPR already promised.
The AI and special-category changes are more encouraging, although their usefulness depends on whether regulators apply them with restraint. The new derogation for incidental and residual special-category processing in AI development and operation recognises a reality that privacy lawyers have too often handled with doctrinal melodrama: large-scale training, testing and validation data may contain special-category traces that the controller neither sought nor needs for the processing. The sensible answer is not to convert Article 9 into a super-trigger that freezes the project, but to require avoidance measures, lifecycle controls, erasure where feasible, protection where erasure is disproportionate, and documentation that allows the controller’s safeguards to be tested.
The biometric verification provision also deserves a more generous reception than it will probably receive from the usual suspects. The compromise distinguishes one-to-one verification from one-to-many identification. That distinction matters because authentication can reduce fraud, secure access, and support trustworthy digital services without creating the same population-scale surveillance risks as biometric identification systems. The safeguard that biometric data, or the means needed for verification, must remain under the sole control of the data subject is demanding. Yet the very fact that the text distinguishes verification from identification shows that the law can regulate risk more intelligently when it stops treating every technical process as its most invasive form.
Article 22 is another example of that attempt to restore risk calibration, because the compromise clarifies that a solely automated decision may be permissible where the decision is necessary for the contract, authorised by law, or based on explicit consent, and where appropriate safeguards are in place. The clarification that contractual necessity is not defeated merely because a human could also take the decision is especially important, since a contrary rule would turn “necessity” into an anti-automation presumption rather than a proportionality assessment. The difficulty, once again, lies in whether the Board’s future profiling guidance will support that calibrated structure or re-inscribe a more restrictive supervisory preference through interpretive detail.
The ePrivacy and terminal-equipment changes show both the promise and the fragility of the compromise. The text accepts that endless consent prompts have become a regulatory design failure, and it creates no-consent routes for transmission, explicitly requested services, anonymous aggregated audience measurement and security. The audience-measurement exception is sensible where the information is truly anonymous, aggregated, not combined with other service or third-party data, not shared, and not reused for another purpose. The security exception is equally defensible where access is strictly necessary for cybersecurity, the protection of personal data, privacy, or fraud prevention. These are exactly the sorts of low-risk or necessary operations that should never have been trapped in banner theatre.
Yet the compromise also shows how easily simplification can become a new compliance industry. The contextual advertising language appears to have been struck down, even though genuinely contextual advertising, based on the immediate content of a page or query without profiling or retention, is precisely the kind of less-invasive advertising model that European law should encourage if it wants to reduce behavioural tracking. The new automated and machine-readable consent framework may improve user experience, but only if standards are neutral, granular, privacy-preserving, non-self-preferencing, and commercially workable; otherwise, Europe will replace cookie-banner theatre with standards theatre, browser politics, and a new layer of compliance uncertainty.
The transition periods deepen that concern, because Article 88a would apply after six months, Article 88b duties and ePrivacy Article 5(3) national measures would operate on a 24-month horizon, and browser and operating-system obligations would take even longer to bite. A system that promises simplification in principle but postpones operational clarity through a chain of standards, Member State measures and future technical implementation cannot credibly claim to deliver immediate relief to innovators. The result may be a familiar European compromise: a good diagnosis, an over-institutionalised cure and enough transitional complexity to keep consultants comfortable for another legislative cycle.
The broader point is that innovation policy cannot be built on regulatory benevolence, because firms, researchers and public bodies do not need regulators to be kind; they need the law to be sufficiently predictable that lawful projects can be designed without waiting for the next interpretive turn. Europe can protect fundamental rights and support innovation only if the rules identify real risks, allocate responsibility clearly and constrain discretion at the point where legal obligations attach. When the perimeter of the GDPR depends too heavily on supervisory interpretation, innovation becomes not merely regulated but structurally uncertain, and structural uncertainty is the most expensive form of regulation because nobody can calculate its final cost.
That is why the Commission’s attempt to regulate the regulator should not be dismissed as a deregulatory provocation. It was a necessary response to a governance problem that has been politely misdescribed for too long as interpretive prudence. The EDPB has an indispensable role in ensuring consistency. Still, consistency is not the same as constitutional ownership of the GDPR’s trigger conditions, and the Board should not be allowed to preserve ambiguity where the legislature is trying to restore legal certainty. A regulator that interprets the law should not become the institution that decides, through cumulative guidance, how far its own jurisdiction extends.
The final text should therefore recover the Commission’s central insight while preserving the compromise’s better safeguards. Actor-relative identifiability should be codified, not merely gestured at through recitals and future opinions. Pseudonymisation should remain a serious risk-reduction and governance tool, not a fiction and not a forbidden inference. Scientific research should include robust public-private and industry-led work in which methodology, integrity, and safeguards are in place. AI residual-data rules should prevent Article 9 from becoming a super-trigger for incidental traces. Biometric verification should remain distinct from biometric identification. ePrivacy reform should reduce pointless prompts rather than shifting transaction costs into standards politics.
The Digital Omnibus will not decide whether Europe values privacy, because Europe plainly does and should. The more serious question is whether Europe can protect privacy through a legal architecture that is intelligible enough for innovators to use, researchers to trust, and regulators to enforce, without expanding their mandates by interpretation. The Commission understood that legal certainty is not the enemy of rights but one of their conditions, and the compromise should be judged by whether it preserves that insight or politely hands the perimeter back to the institutions whose scope creep made reform necessary.