ICLE Comments to the European Commission on GDPR and ePrivacy in the Digital Omnibus
Executive Summary
We thank the European Commission for the opportunity to comment on data-privacy provisions of the Digital Omnibus. ICLE is a nonprofit, nonpartisan research centre that applies law & economics analysis to technology governance, competition, and consumer-protection policy. Our interest is to ensure that the EU’s digital rulebook advances consumer welfare and innovation through clear, predictable, and proportionate rules grounded in evidence and sound economics.
The Commission’s Digital Omnibus proposal (COM(2025)837) moves in the right direction. It recognises that the GDPR and the ePrivacy framework have become harder to apply, less predictable to enforce, and increasingly detached from technological reality. The proposal therefore deserves broad support. It would make the law more workable in several important respects, particularly by clarifying the definition of personal data and confirming that legitimate interest can support AI development subject to safeguards.
The package nevertheless remains incomplete. Its ePrivacy reforms are too cautious to resolve the cookie-banner problem, and the proposal does not address the deeper institutional dynamics that helped create the current dysfunction. The same authorities that expanded the scope of existing rules, and interpreted exemptions narrowly, will interpret the new ones. Without enforcement reform, textual simplification alone will deliver only part of the promised benefit.
ICLE’s position can be summarised in four propositions.
First, the entity-relative definition of personal data should be adopted. The proposed amendment to Article 4(1) reflects the CJEU’s recognition in EDPS v SRB that pseudonymised data are not personal data for every actor in every circumstance. It also follows the longstanding logic of Recital 26, which asks whether identification is reasonably likely in practice. A workable legal system should not impose the full weight of the GDPR on an entity that cannot realistically identify the person concerned. The amendment would improve legal certainty, strengthen incentives for pseudonymisation and data minimisation, and help arrest the drift toward treating the GDPR as a ‘law of everything’. The co-legislators should adopt the amendment and retain Article 41a, while clarifying that implementing acts create a rebuttable presumption of non-identifiability for the relevant entity.
Second, the AI provisions are welcome and necessary. Article 88c would confirm that the development and operation of AI systems may rely on legitimate interest, subject to safeguards and an unconditional right to object. That clarification is needed. The EDPB has acknowledged that legitimate interest may apply, but it has done so in terms that preserve maximum enforcement discretion and leave controllers without meaningful certainty. Legislation is the appropriate vehicle for resolving this question. Article 9(2)(k), which addresses residual special-category data in training datasets, is also directionally sound. It recognises a technical reality: large-scale training datasets cannot be purified with perfect ex ante accuracy, and the law should require proportionate safeguards rather than impossible guarantees. The legislature should therefore adopt these provisions rather than defer to non-binding guidance.
Third, the cookie and ePrivacy reforms do not go far enough. The Commission correctly diagnoses consent fatigue and the failure of endless cookie banners, but the proposed solution in Articles 88a and 88b remains too narrow. By moving personal-data processing into the GDPR while leaving non-personal terminal-equipment data under Article 5(3) of the ePrivacy Directive, the proposal creates a two-regime structure that is legally awkward and likely to produce perverse incentives. The audience-measurement exemption is too narrow to cover common analytics arrangements, and the package omits low-risk exemptions for fraud detection, basic advertising measurement, frequency capping, and similar functions. Browser-based consent signals may also become a one-way ratchet if regulators accept automated refusals broadly but reject automated opt-ins as insufficiently specific. The co-legislators should broaden the exemptions, resolve the two-regime problem, and ensure that automated signals operate in both directions.
Fourth, enforcement reform is the missing piece. The strongest substantive provisions in the Digital Omnibus will underperform if they are interpreted by institutions with structural incentives to maximise the scope of data-protection law and minimise legislative constraint. In practice, the EDPB’s guidelines and opinions already function as quasi-legislation, yet the most influential of those instruments remain difficult to challenge and lack meaningful ex ante accountability. The same dynamic appears in the objections raised against the Omnibus itself. The Commission acknowledges the need for more consistent and harmonised enforcement but proposes no mechanism capable of delivering it. ICLE therefore urges the co-legislators to treat enforcement reform as a parallel priority—whether through a dedicated roadmap, mandatory proportionality assessments for EDPB outputs, stronger consultation requirements, or more ambitious institutional reform that separates investigation from adjudication and creates an independent multidisciplinary tribunal for consequential cross-border cases.
I. Clarifying the Definition of Personal Data (Art. 4(1) and Art. 41a)
A. The Commission’s Proposed Clarification
The Commission proposes amending Article 4(1) GDPR to clarify that information does not constitute personal data for a given entity where that entity cannot identify the natural person to whom the information relates, taking into account the means reasonably likely to be used by that entity.[1]
The proposal also introduces a new Article 41a. This provision would empower the Commission, in close cooperation with the European Data Protection Board (EDPB), to adopt implementing acts specifying technical criteria for determining when pseudonymised data no longer constitute personal data for certain entities.[2]
Together, these provisions move the GDPR toward an entity-relative concept of identifiability, grounded in realistic identification risk.
B. Why the Definition Matters
In practice, the GDPR has increasingly operated as a ‘law of everything’ in the digital economy.[3] Data protection authorities and activist organisations frequently advocate extremely broad readings of ‘personal data’. Under those interpretations, any pseudonymous identifier capable of singling out a user qualifies as personal data, even where the controller has no realistic means of identifying the individual behind it.[4]
This interpretation extends the GDPR’s obligations far beyond the circumstances the regulation was designed to address. The GDPR’s safeguards were built for situations in which individuals can be identified and therefore face concrete risks. When the same obligations apply to processing that presents no realistic identification risk, the regulatory framework becomes misaligned with the harms it aims to prevent.
The consequences are tangible. Compliance costs reach levels the Commission itself estimates at roughly EUR 5 billion annually.[5] More importantly, the legal framework strains under the pressure of applying identification-based rules to non-identifiable data. Organisations must choose between nominal compliance and genuine data protection.
Recent CJEU case law has begun to correct this trajectory. In European Data Protection Supervisor v Single Resolution Board, the Grand Chamber rejected the claim that pseudonymised data constitute personal data ‘in all cases and for every person’.[6] Identifiability, the Court held, ‘depends, in essence, on the circumstances of the processing of the data in each individual case’.[7] The Court expressly rejected the EDPS’s position—the position supported by the EDPB as intervener—that pseudonymised data must always be treated as personal data for every actor.[8]
ICLE previously noted that the original Digital Omnibus consultation omitted any reform of the GDPR’s personal-data definition, representing a significant missed opportunity.[9] Now that the Commission has proposed such reform, the central policy question is how to secure the benefits of a workable definition rather than allowing the initiative to be diluted through restrictive interpretation.
The definition matters. Yet clarifying the definition alone may not suffice if enforcement structures remain unchanged. Section IV returns to this point.
C. The Constitutional Case for a Realistic Identifiability Standard
Some critics argue that the proposed definition conflicts with Article 8 of the Charter of Fundamental Rights, which protects the right to ‘protection of personal data’.[10] Noyb contends that because Article 8 CFR refers to the definition in Directive 95/46, the legislature ‘has no powers to change the definition of “personal data” to encompass less than the understanding of Directive 95/46’.[11]
That argument is difficult to sustain.
Article 8 protects personal data, but the Charter does not itself define identifiability in operational terms. The Charter’s Explanations state that Article 8 is based on Directive 95/46 and Regulation 45/2001. That reference does not constitutionalise the broadest possible interpretation of the Directive beyond legislative clarification.[12]
Directive 95/46 already incorporated a contextual identifiability standard. Recital 26 required consideration of ‘all the means likely reasonably to be used’ to identify a person.[13] The CJEU relied directly on that formulation in Breyer. The Court asked whether combining a dynamic IP address with ISP-held data constituted a means ‘which may likely reasonably be used’ to identify the data subject. Identification would not be reasonably likely where it was ‘prohibited by law or practically impossible’ or where it required disproportionate effort in time, cost, or manpower, such that ‘the risk of identification appears in reality to be insignificant’.[14]
A legislative clarification built around realistic identifiability therefore remains within the Charter’s constitutional framework. Article 52(1) CFR expressly allows proportionate limitations that pursue legitimate aims and respect the essence of fundamental rights. The proposed amendment preserves the essence of Article 8—personal data remain protected—while calibrating the trigger for protection. Data qualify as personal data when a given entity can realistically identify the individual concerned.
Advocate General Spielmann framed the point succinctly in SRB:
It seems to me disproportionate to impose on an entity, which could not reasonably identify the data subjects, obligations arising from [the GDPR].[15]
Proportionality analysis must run in both directions. Article 52(1) CFR requires that limitations of fundamental rights be proportionate. Overbroad interpretations of personal data also constrain other fundamental rights, including the freedom to conduct a business (Article 16 CFR) and the freedom of the arts and sciences (Article 13 CFR).
Two questions therefore arise. One may ask whether narrowing the personal-data definition disproportionately limits data protection. One must also ask whether treating pseudonymised data as personal data for every entity, regardless of realistic identification risk, disproportionately restricts the rights of those who process such data.
The EDPB and EDPS Joint Opinion addresses only the first question. Its proportionality analysis tests whether limitations on data protection are justified, but it does not examine whether the scope of data protection itself remains proportionate to the burdens it imposes. That asymmetry leaves the analysis incomplete.
D. CJEU Case Law Supports the Commission’s Approach
The Joint Opinion argues that the proposal introduces ‘significant changes that go beyond the stated aim of introducing “targeted” or “technical” amendments’.[16] Even if the proposal extends beyond mere codification, that does not present a constitutional problem. Courts interpret existing law; legislatures clarify and recalibrate legal standards within constitutional limits.
The EDPB further claims the proposal extracts ‘only a single element from a single case’ without the surrounding doctrinal context.[17] Noyb cites several CJEU decisions as contradicting the proposal.[18] On closer examination, those cases largely support an entity-relative interpretation of identifiability.
A recurring problem in the objections is doctrinal conflation. Decisions addressing whether information ‘relates to’ a person, or discussing the breadth of ‘any information’, are treated as though they resolve the separate question of whether a person is identifiable to a given entity.
1. Breyer
Breyer establishes the objective ‘reasonable means’ standard reflected in the proposal. The Court did not hold that theoretical identification suffices. Instead, it asked whether combining a dynamic IP address with ISP-held information constituted a means ‘which may likely reasonably be used’ to identify the data subject. Identification would not qualify where it was legally prohibited or required disproportionate effort such that ‘the risk of identification appears in reality to be insignificant’.[19]
The IP address counted as personal data because legal channels existed allowing the media service provider to obtain the necessary information through public authorities.[20] Noyb’s reliance on paragraph 48 to argue that ‘the possibility was sufficient’ omits the Court’s conditioning analysis.[21]
2. Nowak
Nowak concerns a different element of the definition. The Court explained that information ‘relates to’ a person where its content, purpose, or effect links it to that individual.[22] Exam answers qualified because they reflected the candidate’s knowledge, served the purpose of evaluating that candidate, and affected the candidate’s rights.
That reasoning clarifies the ‘relating to’ limb of personal data. It does not address pseudonymisation or identifiability by downstream actors.
3. Nacionalinis
Nacionalinis holds that pseudonymised data remain personal data where they can be attributed to a natural person through additional information.[23] That holding would defeat any proposal that categorically excluded pseudonymised data from the definition; the Commission's entity-relative amendment does not do so.
The decision does not answer the more precise question later addressed in SRB: for which actor, in which context, and using which realistically available means is the individual identifiable?
4. Pankki
Pankki emphasises that ‘any information’ reflects the legislature’s intent to give the concept of personal data a wide scope.[24] The judgment simultaneously recalls Recital 26’s requirement to consider ‘all the means reasonably likely to be used’ to identify the person.[25]
The breadth of ‘any information’ applies only after the identifiability threshold has been crossed; it does not lower that threshold.
5. IAB Europe
In IAB Europe, the Court held that a TC String may constitute personal data where combining it with other identifiers allows identification.[26] The analysis turned on the fact that the TC String forms part of an ecosystem designed for combination with other identifiers and downstream actors.
The Court emphasised systemic identifiability rather than abstract possibility. The case therefore concerns a technical architecture designed to enable identification.
6. OC (OLAF)
OC addressed whether statements in an OLAF press release enabled the public to identify the individual concerned by combining them with online information.[27] SRB cited the case for precisely that proposition.[28]
At the same time, SRB also relied on OC to reiterate that identification is not reasonably likely where legal or practical constraints make the risk insignificant.
The case illustrates a mosaic scenario: identifiability arises because a sufficiently specific bundle of attributes is released into an environment where cross-referencing is reasonably likely.
The Omnibus proposal’s third sentence reflects that logic. Information does not become personal data for an entity ‘merely because’ a potential recipient possesses identification means. Where a controller intentionally designs disclosure for identifiable recipients, the data remain personal for the controller as well.[29]
Taken together, the case law supports the Commission’s direction more than critics acknowledge.
E. The Third Sentence and Indirect Identifiability
The proposal’s third sentence raises a narrower technical question. In SRB, the Court held that when data are made available to a recipient who possesses identification means, those data may become personal data both for the recipient and indirectly for the transmitting entity.[30]
Scania reaches a similar conclusion: data become personal data for the manufacturer ‘indirectly’ when it provides them to independent operators capable of identification.[31]
The Joint Opinion interprets the proposal as severing this indirect responsibility. That reading overlooks the qualifier ‘merely because’. Where a controller designs a data flow for recipients with identification means, the data remain personal data for the controller.
The Joint Opinion’s alternative interpretation creates a deeper problem. If data become personal for Entity A whenever any downstream recipient could identify the individual, the entity-relative approach becomes meaningless. In modern data ecosystems, some downstream actor will almost always possess identification capabilities. Pseudonymised data would therefore remain personal data in practice for every actor in the chain—the very result SRB rejected.
The sentence could benefit from clearer drafting. The underlying principle, however, remains sound.
F. Making the Entity-Relative Test Work in Practice
The entity-relative test functions as a design incentive. Organisations that structure systems to prevent identification benefit from reduced regulatory obligations. Organisations that retain identification capabilities remain fully subject to the GDPR.
The standard already exists in EU law. Recital 26 GDPR refers to ‘all the means reasonably likely to be used’, including objective factors such as costs, time, and available technology. The Omnibus proposal moves this standard from interpretive guidance into operative text, strengthening legal certainty.
Noyb argues that the proposal creates ‘major uncertainty’.[32] Taken seriously, that argument would undermine the existing Recital 26 standard on which the GDPR already relies.
1. Burden of proof
Advocate General Spielmann proposed a workable burden-of-proof framework. Controllers seeking to rely on non-identifiability must demonstrate, through factual evidence, that their technical and organisational measures prevent identification.[33] Once the controller meets that burden, the regulator may show why those measures are insufficient.[34]
This structure provides supervisory authorities with a clear enforcement pathway. Controllers must demonstrate—not merely assert—that internal separation of roles, technical safeguards, and contractual arrangements genuinely prevent re-identification.
2. Singling out vs identification
Some critics argue that the ability to single out a device or session necessarily implies identifiability. Recital 26 itself distinguishes these concepts. A controller may distinguish a device or browser session without attributing that information to an identified natural person.
Identification requires the ability to attribute data to a natural person and to distinguish that individual from others in a way that enables action directed at that person.[35]
3. Information asymmetry
Noyb argues that the entity-relative approach creates a ‘chicken-and-egg problem’: regulators and data subjects cannot determine whether data are personal without access to the controller’s internal systems.[36]
This concern exists under current law as well. Article 11(1) GDPR already recognises situations in which controllers cannot identify data subjects and adjusts obligations accordingly.[37] The proposal does not create the problem. It clarifies how it should be assessed.
4. Guarding against strategic ignorance
Stalla-Bourdillon warns that the entity-specific test could ‘reward willful blindness’, allowing companies to avoid learning about re-identification risks.[38]
The GDPR already contains safeguards against that behaviour. Article 11(1) does not allow controllers to avoid awareness deliberately. The ‘means reasonably likely to be used’ standard includes methods the entity should reasonably know about. Recital 26 requires assessment of available technology, not merely subjective knowledge.
5. Distributional effects
Noyb argues that the proposal benefits large technology firms while leaving SMEs subject to the GDPR.[39] This framing treats data protection reform as primarily redistributive.
In practice, any entity processing pseudonymised data that it cannot re-identify benefits from the clarification. Research institutions, health-data intermediaries, analytics providers, and SMEs that receive aggregated datasets all fall into this category.
More importantly, the proposal creates correct incentives. Organisations that design systems to avoid identification receive regulatory benefits. That aligns with the GDPR’s data-minimisation principle.
G. Who Should Define Personal Data?
The EDPB and EDPS treat the proposed amendments to Article 4(1) and Article 41a as the most serious problem in the Digital Omnibus package.[40] Their recommendation is categorical: remove the amendment[41] and rely instead on forthcoming EDPB guidance on pseudonymisation and anonymisation.[42]
This proposal highlights a structural problem in EU data-protection governance. Allowing the enforcement authority to determine the scope of the law it enforces creates an inherent conflict of interest.[43]
EDPB guidelines are formally non-binding. In practice, they operate as quasi-legislation. They shape national supervisory authority enforcement, guide market behaviour, and prove extremely difficult to challenge judicially.
Recent CJEU confirmation that binding EDPB decisions are subject to direct judicial review only underscores the accountability gap.[44] Guidelines that remain formally non-binding but practically determinative receive far less judicial scrutiny.
The Joint Opinion illustrates this problem. It asserts that the proposal would ‘adversely affect’ fundamental rights but offers no empirical evidence, enforcement modelling, or quantitative analysis supporting that claim.
Implementing acts adopted under Article 41a would provide greater accountability. They require formal Commission adoption, EDPB consultation, comitology oversight, and judicial review under Article 263 TFEU.
The Joint Opinion correctly notes one drafting ambiguity. It asks whether implementing acts would create a rebuttable presumption of non-identifiability or merely constitute one factor among others.[45] That is a fair concern.
The co-legislators should clarify that compliance with implementing-act criteria creates a rebuttable presumption that pseudonymised data do not constitute personal data for the relevant entity.
H. Recommendations
1. Adopt the Article 4(1) amendment
The entity-relative definition of personal data represents the most important improvement in the proposal. It aligns with SRB, Breyer, and Recital 26 GDPR. It creates appropriate incentives for pseudonymisation and data minimisation, and it prevents further expansion of the GDPR into a ‘law of everything’.
2. Clarify the third sentence
The text should explicitly preserve the principle that when a controller designs a data flow for recipients with identification means, the data remain personal data for the controller. The phrase ‘merely because’ likely preserves this principle, but the drafting should be tested against the Scania and OC scenarios.
3. Adopt Article 41a with a rebuttable presumption
Implementing acts adopted with EDPB consultation and comitology oversight provide greater accountability than EDPB-only guidance. Compliance with implementing-act criteria should create a rebuttable presumption of non-identifiability.
4. Do not delegate this issue solely to the EDPB
Leaving the question to EDPB guidance would preserve the institutional status quo that ICLE has repeatedly identified as the central structural weakness in EU data-protection governance.
II. AI and the GDPR (Art. 88c and Art. 9(2)(k))
A. The Commission’s Proposed Amendments
The Commission proposes two new provisions addressing the legal framework for AI development under the GDPR.
Article 88c clarifies that processing personal data in the context of the ‘development and operation’ of an AI system or AI model may rely on legitimate interests within the meaning of Article 6(1)(f) GDPR, provided the controller implements appropriate technical and organisational safeguards.[46] These safeguards include data minimisation during source selection and training, protection against disclosure of residually retained data, enhanced transparency, respect for machine-readable opt-out signals, and an unconditional right to object.[47]
Article 9(2)(k) introduces a limited derogation from the prohibition on processing special categories of personal data.[48] The derogation applies where such data appear residually in AI training, testing, or validation datasets.[49] Controllers must implement effective measures to avoid processing special categories, remove such data once identified, and—where removal would require disproportionate effort—ensure the data cannot be used to produce outputs or disclosed to third parties.
Together, these provisions address two structural challenges in applying the GDPR to AI development: uncertainty over the lawful basis for training models at scale and the practical inevitability that large-scale datasets will contain some amount of special-category data.
B. Legislative Clarification Is Necessary
The legal basis for AI training in the EU remains unsettled. EDPB Opinion 28/2024 acknowledges that legitimate interest may support AI model training, but the Opinion frames that possibility in language designed to preserve maximum enforcement discretion.[50] It recognises the possibility while leaving the balancing test so open-ended that compliance remains uncertain.
The result is a regulatory environment defined by ambiguity. Companies training AI models in the EU operate under a continuing risk of enforcement action—not because the law clearly prohibits their activities, but because the enforcer has declined to clarify whether they are permitted.
This ambiguity reflects a regulatory choice. As ICLE observed in its October 2025 submission, the EDPB’s approach illustrates a structural problem in EU data protection governance: ‘lengthy compliance measures without guarantees’, combined with ‘a threat of discretionary enforcement’ that ‘chills investment and innovation at the margins’.[51]
National supervisory authorities have already reached divergent conclusions. CNIL’s AI guidance demonstrates that balanced enforcement is possible. It provides concrete recommendations on dataset selection, pseudonymisation, and safeguards that give controllers a workable compliance framework.[52] One or two national authorities, however, cannot establish EU-wide legal certainty.[53]
The EDPB’s Joint Opinion argues that Article 88c is unnecessary because the EDPB Opinion on AI models already recognises legitimate interest as a potential legal basis.[54] This reasoning misunderstands the role of legislation. An enforcer’s non-binding opinion—revisable or withdrawable at any time—cannot substitute for a binding legislative rule.
Legislation exists precisely to define legal standards that cannot be altered at the enforcer’s discretion. Suggesting that an enforcer’s acknowledgement of a legal possibility renders legislation unnecessary inverts the constitutional relationship between legislature and enforcer.[55]
This pattern appears repeatedly in the Joint Opinion. On the definition of personal data, the EDPB argues that forthcoming pseudonymisation guidance should replace legislative amendment.[56] On DPIAs, it seeks exclusive control over relevant lists.[57] On breach-notification templates, it proposes to ‘prepare and approve’ them without Commission oversight.[58]
The cumulative picture is of an institution seeking to maximise its interpretive authority while minimising legislative and executive supervision. Article 88c is necessary precisely because it subjects the legal framework for AI training to democratic decision-making rather than leaving it to an enforcer whose institutional incentive is to preserve maximum discretion.
C. Legitimate Interest Is the Only Scalable Lawful Basis
The GDPR establishes no hierarchy among lawful bases. The EDPB itself has confirmed this.[59] Framing the debate over AI training as a choice between consent (proper) and legitimate interest (second-best) therefore misrepresents the legal framework.[60]
The relevant question is which lawful basis is proportionate and workable for training AI systems at internet scale. For three reasons, the answer is legitimate interest.
1. Consent does not scale
Large language models are trained on vast datasets drawn from publicly available internet sources. Obtaining informed, specific consent from every individual whose information appears in those sources is operationally impossible.
Even when controllers rely on first-party datasets, the scale of training data—often billions of documents—makes individual consent impracticable. Consent also carries a right of withdrawal under Article 7(3), which is difficult to operationalise once data have been incorporated into model training.
This mismatch between consent’s architecture and AI training’s operational reality does not justify prohibiting the technology.
2. Legitimate interest already includes a right to object
Critics argue that relying on legitimate interest ‘shifts the burden to 450 million Europeans’.[61] This framing overlooks how the GDPR already operates. Legitimate interest with a right to object is a standard mechanism under the Regulation. Direct marketing provides the clearest example under Article 21(2).
Article 88c actually strengthens data-subject protections. The provision creates an unconditional right to object that does not require individuals to demonstrate ‘grounds relating to his or her particular situation’, as Article 21(1) normally requires.[62]
Requiring consent for every publicly available data point would instead entrench incumbents that already possess large datasets while preventing new entrants from assembling training data retrospectively.
3. The search engine analogy
Generative AI occupies a developmental stage comparable to search engines in the late 1990s. Early search engines indexed publicly available web content without obtaining prior consent from every website author or individual referenced online.
If maximalist interpretations of data protection law had prevailed at that time—treating indexed pages as personal data requiring consent before processing—search engines would never have emerged.
The CJEU instead developed a balanced framework. In Google Spain, the Court recognised that operating a search engine constitutes a legitimate interest, subject to balancing against the rights of data subjects.[63] In GC and Others, the Court accepted that search engines cannot exercise systematic ex ante control over all indexed content, including sensitive data.[64] The Court endorsed a notice-and-takedown model rather than requiring prior filtering.
Advocate General Szpunar emphasised the ‘impracticality’ of requiring systematic ex ante monitoring of content encountered at internet scale.[65]
AI training faces the same structural challenge. The objective of training is to identify statistical patterns and predict plausible outputs, not to retrieve or disclose specific personal data.[66] Individual data points become diluted within extremely large datasets and rarely exert a ‘measurable influence’ on model outputs.
The Cologne Higher Regional Court highlighted this distinction, explaining that AI systems ‘cannot be equated with a “data archive”’ but ‘regularly consist solely of parameters for probability calculations’.[67]
Conditioning the legality of such technology on uncertain and evolving interpretations of data protection law risks creating a de facto prohibition that benefits neither data subjects nor the EU economy.
Claims that Google Spain paragraph 81 excludes commercial web scraping from legitimate interest misread the judgment.[68] The Court recognised the search engine operator’s legitimate interest and then balanced it against data-subject rights. The judgment does not categorically exclude commercial scraping from Article 6(1)(f).[69]
Article 88c reflects this framework.[70] The provision does not exempt AI training from the legitimate-interest balancing test.[71] Recital 30 confirms that ‘all other conditions of Article 6(1)(f)’ and ‘all other requirements and principles’ of the GDPR remain applicable.[72]
What Article 88c changes is the starting point of the analysis. Today, controllers must effectively persuade each supervisory authority that AI training can qualify as a legitimate interest. Article 88c makes that threshold determination legislatively. Supervisory authorities and courts may still conclude that specific training operations fail the balancing test, but they can no longer treat the legitimacy of AI training itself as an open question.
The objection that the provision ‘merely restates’ Article 6(1)(f) without clarifying the necessity or balancing tests misidentifies its function.[73] Article 88c is a legislative signal that the EDPB’s strategically ambiguous Opinion 28/2024 did not provide. Recitals 30 and 31 supply substantial guidance on the balancing factors, including beneficial uses for data subjects and society, reasonable expectations, enhanced transparency, the unconditional right to object, respect for technical indications limiting data use, and privacy-preserving techniques.[74]
The provision could usefully be supplemented by more specific criteria. But the choice between an imperfect legislative provision and no provision at all is clear.
D. Assessing Necessity in AI Training
The necessity test under Article 6(1)(f) asks whether the processing is necessary to pursue the legitimate interest—not whether less data could theoretically be used.
The Cologne Higher Regional Court’s analysis provides the most detailed judicial treatment to date. The Court rejected the claim that synthetic data offer an equivalent alternative, finding it ‘hardly plausible’ that ‘the significantly smaller amount of data to be obtained in this way … leads to comparable results when training the AI’.[75]
The Court also rejected the suggestion that controllers must justify the necessity of each individual data point:
The training of an AI requires the use of masses of data to generate patterns and probability parameters … the individual data hardly ever has a measurable influence.[76]
Necessity analysis should therefore focus on categories of data and dataset-selection criteria, rather than individual records.
CNIL’s recommendations illustrate a workable approach. Controllers should establish clear dataset-selection rules, apply pseudonymisation or de-identification before training where possible, and exclude categories of data unnecessary for the training objective.[77] These requirements are auditable and scalable.
By contrast, a record-by-record necessity assessment is incompatible with the scale of modern AI training.
Opponents often cite KNLTB paragraph 51 as evidence that legitimate interest requires something close to prior consent.[78] A closer reading shows that the passage addresses how controllers must inform data subjects of their right to object. It does not require controllers to obtain prior agreement before relying on Article 6(1)(f).
Paragraph 49 of KNLTB confirms that ‘a commercial interest of the controller could constitute a legitimate interest … provided that it is not contrary to the law’.[79]
E. Balancing Interests and Safeguards
The balancing test weighs the controller’s interests against the interests, rights, and freedoms of data subjects. Several factors are relevant in the AI context.
1. The public interest in AI development
The interest at stake extends beyond commercial gain. The Commission identifies AI as ‘key in providing for economic growth and supporting innovation with socially beneficial outcomes’.[80] Recital 31 lists concrete benefits, including bias detection, safer outputs, and improved accessibility.[81]
EU competitiveness considerations reinforce this interest. The European Council has emphasised the strategic importance of AI development, while the Draghi and Letta reports both identify regulatory fragmentation as an obstacle to European innovation.[82]
These policy assessments reflect the legislature’s judgment that enabling AI development within proportionate safeguards serves the general interest.
2. Reasonable expectations
Reasonable expectations depend on context. Critics often argue that individuals do not expect publicly available information to be used for AI training. That claim oversimplifies the analysis.
Recital 31 directs attention to the specific context of processing, including the relationship between the data subject and the controller, transparency measures, technical signals limiting reuse, and the availability of an unconditional right to object.[83]
The Cologne Higher Regional Court adopted a similarly contextual approach. The Court did not treat AI training as equivalent to building a searchable archive of personal dossiers. Instead, it assessed whether safeguards limited the interference with individual rights.
Those safeguards included the dilution of individual data points in large datasets, the absence of continuous monitoring of private life, and the practical possibility for individuals to remove publicly available information or object to its use.[84]
3. Proportionate safeguards
Article 88c requires concrete safeguards: data minimisation during dataset selection, protection against disclosure of residual personal data, enhanced transparency, respect for machine-readable opt-out signals, and an unconditional right to object.[85]
Recital 31 further specifies that processing ‘should not give rise to the continuous monitoring of the data subject’s private life’.[86]
These measures impose auditable obligations on controllers while preserving a strong objection right for data subjects.
F. Special Categories of Data and Technical Reality
Article 9(2)(k) addresses a practical constraint of large-scale AI training: special categories of personal data will inevitably appear in training datasets despite efforts to exclude them.
AI training often involves processing millions or billions of documents collected from publicly accessible internet sources. Such corpora will inevitably contain information revealing racial or ethnic origin, political opinions, religious beliefs, health conditions, sexual orientation, or other Article 9(1) categories.[87]
Perfect ex ante filtering is technically impossible. The CJEU’s broad interpretation of special categories—extending even to data from which sensitive information can be inferred[88]—means that almost any large-scale text corpus will contain some Article 9 information.
Without Article 9(2)(k), controllers face a binary choice: guarantee perfect exclusion of special-category data or abandon AI training in the EU.
Recital 33 recognises this reality. The derogation responds to the ‘capabilities of the controller to identify and remove special categories of personal data’ while avoiding rules that would ‘disproportionately hinder the development and operation of AI’.[89]
The derogation remains narrow. Controllers must implement effective measures to avoid processing special categories and must remove such data once identified. Where removal would require retraining an entire model, controllers must ensure the data cannot be used to generate outputs or disclosed to third parties.[90]
The search-engine case law again provides the closest analogy. In GC and Others, the Court acknowledged that search engines inevitably encounter sensitive data and adopted a removal-upon-request framework, rather than requiring categorical prior exclusion.[91]
The Cologne Higher Regional Court reached a similar conclusion, citing CNIL guidance:
if, despite the measures taken, the organisation incidentally and residually processes sensitive data that it did not seek to collect, this is not considered illegal.[92]
The principle is straightforward. Where processing occurs at a scale that makes perfect filtering impossible, proportionate regulation requires reasonable preventative measures and effective remediation—not a blanket prohibition.
The Joint Opinion ‘generally welcomes’ Article 9(2)(k) and proposes several refinements, including clarifying that the derogation applies only to ‘incidental and residual’ processing, excluding user prompts received during deployment, and requiring safeguards throughout the AI development lifecycle.[93]
G. Safeguards and the Right to Object
The unconditional right to object represents the central safeguard in Article 88c. Unlike the standard Article 21(1) mechanism, data subjects need not demonstrate grounds relating to a particular situation. Controllers must cease processing the data subject’s data upon receiving an objection.[94]
The Joint Opinion proposes two adjustments. First, it suggests relocating the right to Article 21 GDPR itself to increase visibility and enforceability. That drafting improvement is reasonable.
Second, the Joint Opinion proposes that data subjects be informed ‘sufficiently in advance of the processing’ so that they may exercise the right ‘from the outset’.[95]
This requirement raises practical challenges. Where AI training relies on publicly available internet data, identifying and notifying every data subject individually may be impossible.
Recital 31 appears to recognise this constraint. It emphasises enhanced transparency and respect for machine-readable signals limiting the use of data for AI development. This framework suggests general transparency measures and technical opt-out signals, rather than individualised advance notice.[96]
Advance notice should be required where technically feasible. The legislature should avoid imposing a standard that renders web-scale training impossible in practice.
A separate concern arises after data ingestion. Critics argue that once personal data have been incorporated into trained models, meaningful deletion becomes technically impossible.[97] The same challenge affects other rights, including the right to erasure under Article 17.
The right to object therefore operates prospectively. Controllers must exclude the objecting individual’s data from future training runs. For models already trained, Article 9(5) requires safeguards ensuring the data cannot be used to generate outputs or disclosed to third parties.[98]
Requiring controllers to retrain models from scratch upon every objection would make AI development economically unviable in Europe without meaningfully strengthening data-subject protection.
H. Recommendations
1. Adopt Article 88c
Legislative clarification that AI training may constitute a legitimate interest is necessary. EDPB Opinion 28/2024 is non-binding, strategically vague, and revocable. Legislation provides the certainty required for investment and compliance.
2. Adopt Article 9(2)(k)
The derogation reflects the technical reality of large-scale AI training while maintaining strong safeguards for sensitive data.
3. Do not condition Article 88c on EDPB Opinion 28/2024
The legislature should not delegate the framework for AI training to the EDPB. The institutional incentive to preserve enforcement discretion is precisely the problem that Article 88c seeks to address.
III. Cookie Consent and ePrivacy (Art. 88a, Art. 88b, and Art. 5(3) ePrivacy Directive)
A. The Commission’s Proposed Amendments
The Commission proposes three interconnected changes to the regulation of cookies and terminal-equipment data access.
First, a new Article 88a GDPR would govern the storing of, and access to, personal data on users’ terminal equipment.[99] Consent remains the default rule, but four exemptions apply where processing is strictly necessary for transmitting an electronic communication, providing a service explicitly requested by the data subject, creating aggregated audience-measurement information for the controller’s own use, or maintaining or restoring the security of a service.[100] Additional consent-management rules require controllers to offer a single-click refusal button, prohibit repeated consent requests for the same purpose while consent remains valid, and impose a six-month cooling-off period after a refusal.[101]
Second, a new Article 88b would require controllers to accept automated, machine-readable consent and objection signals.[102] Browser providers that are not SMEs must implement these signals within 48 months of the regulation’s entry into force.[103] Media service providers are exempted from the obligation to respect automated signals.[104]
Third, Article 5(3) of the ePrivacy Directive would be amended so that it no longer applies to personal data—which would instead fall under Article 88a GDPR—but would continue to apply to non-personal data stored on or accessed from terminal equipment.[105]
The Commission describes these reforms as ‘long-overdue’, acknowledging that cookie consent banners are widely perceived as a nuisance that ‘might not achieve their aim’.[106] That diagnosis is correct. The treatment, however, remains inadequate. Among the Digital Omnibus reforms, the ePrivacy provisions are the weakest.
B. The Problem the Reform Attempts to Address
Article 5(3) of the ePrivacy Directive requires prior consent for storing information on, or accessing information from, a user’s terminal equipment, subject to two narrowly defined exemptions.[107] Under the EDPB’s interpretation, this requirement extends far beyond cookies. It covers tracking pixels, IP-based tracking, and even URL parameters, regardless of whether the data qualify as personal data.[108]
The EDPB also interprets the exemptions narrowly. Routine practices—such as using URL fragments to identify which advertising partner generated traffic, or deploying basic mechanisms to detect advertising fraud—are treated as requiring prior consent.
The result is a consent regime that mandates banners for processing activities posing minimal privacy risk. Cookie banners have become, as the Commission itself recognises, a ‘regulatory solution’ that fails to achieve its intended purpose.[109] The underlying cause is the progressive expansion of Article 5(3)’s scope through enforcement interpretation rather than legislative change.
C. Why the Reform Falls Short
The Commission’s reform addresses the symptoms of the problem but not its structure. Four shortcomings are particularly significant.
1. The two-regime architecture
The most fundamental flaw is architectural. By moving only personal-data processing from the ePrivacy Directive into the GDPR, the proposal creates two parallel regulatory regimes: Article 88a GDPR for personal data on terminal equipment, and Article 5(3) ePrivacy for non-personal data.
As the EDPB and EDPS themselves acknowledge, ‘information stored in the terminal equipment may include personal data and non-personal data, which may lead to uncertainty as to which rules apply to a particular operation’.[110]
The consequences are counterproductive. Controllers must first determine whether the information stored on a user’s device qualifies as personal data before knowing which legal regime applies. That determination may itself be contested.
The result is an inversion of regulatory logic. Non-personal data remain subject to the stricter ePrivacy consent regime, while personal data move to the GDPR, where additional exemptions apply. As noyb observes, this structure ‘could lead to controllers aiming at processing “personal data” in order to benefit from the less restrictive provisions in the GDPR’.[111] A reform intended to simplify the framework instead multiplies its complexity.
ICLE’s response diverges from noyb’s. Non-personal data should be integrated into the same risk-based framework as personal data so that low-risk processing is not trapped in a stricter legacy regime merely because it falls outside the GDPR.
Noyb instead proposes aligning Article 5(3) with an amended Article 88a so that the stricter device-access logic continues to govern both personal and non-personal data.[112] That approach would remove one inconsistency only by extending the more restrictive regime rather than simplifying the framework.
2. The analytics exemption is too narrow
Article 88a(3)(c) exempts processing for ‘creating aggregated information about the usage of an online service to measure the audience of such a service, where it is carried out by the controller of that online service solely for its own use’.[113]
Each element of this formulation restricts the exemption beyond practical usefulness.
The requirement that information be ‘aggregated’ excludes user-level analytics, which underpin basic functions such as session tracking, page-journey analysis, and conversion measurement. Industry commentary already concludes that analytics tools operating across services, platforms, and customers ‘are unlikely to fall within the scope of this exemption’.[114]
The requirement that measurement be carried out ‘by the controller … solely for its own use’ excludes third-party analytics providers operating as processors on the controller’s behalf. This excludes widely used services such as Google Analytics.
The exemption therefore becomes narrower than the equivalent UK provision, which explicitly permits third-party analytics providers acting as data processors.[115]
The EDPB and EDPS reinforce this narrow reading by arguing that the exemption should apply only to ‘anonymous aggregated information’ that does ‘not relate to a specific data subject’.[116] This interpretation renders the exemption largely ineffective, because meaningful audience measurement necessarily involves temporary processing of individual-level data before aggregation.
3. Missing low-risk exemptions
Article 88a(3)’s exemption list omits several low-risk processing activities essential to the functioning of the ad-funded internet.
Fraud detection provides the clearest example. Detecting invalid traffic and bot activity requires access to device-level signals. Under the current framework, this creates the perverse outcome that fraudsters must consent to the mechanisms designed to detect them. The Commission’s security exemption applies only to maintaining the security of a service ‘requested by the data subject’, a formulation likely to exclude advertising-fraud prevention under prevailing DPA interpretations.
Advertising measurement raises a similar issue. Basic attribution—determining whether a user who saw an advertisement subsequently visited the advertiser’s website—forms the economic foundation of online advertising. The Digital Omnibus introduces no consent exemption for any advertising-related function.[117]
This omission is difficult to reconcile with the Commission’s risk-based logic. If aggregated audience statistics are sufficiently low-risk to exempt from consent, measuring whether an advertisement led to a website visit poses no materially greater privacy risk.
The same problem arises with URL parameter processing. EDPB guidelines treat URL parameters—such as UTM tags identifying the marketing campaign that generated traffic—as falling within Article 5(3).[118] Yet these parameters are transmitted automatically by the user’s browser as part of the HTTP request. The server does not instruct the device to disclose them. The Commission’s reform leaves this interpretation untouched.
Contextual advertising presents a final example. Even the EDPB and EDPS suggest that the co-legislators should ‘consider introducing an additional use case in proposed Article 88a(3)’ for contextual advertising because it ‘is more privacy friendly than behavioural advertising’.[119]
The fact that enforcement authorities themselves recommend a broader exemption than the Commission proposes illustrates the reform’s excessive caution. Moreover, contextual advertising still relies on device-derived information for attribution, frequency capping, and other operational functions. A proportionate regime should attach exemptions to low-risk activities and safeguards, rather than relying on simplistic distinctions between contextual and behavioural advertising.
4. Browser consent signals as a one-way ratchet
Article 88b introduces automated browser-level consent signals. In principle, this mechanism could simplify consent management. In practice, it risks becoming a one-way ratchet.
Experience with current DPA practice suggests two likely outcomes. First, negative signals—such as a ‘no tracking’ browser setting—will be interpreted broadly as a global refusal of consent-based processing and direct marketing under legitimate interest. Second, positive signals will be deemed insufficient for valid consent in most cases. Supervisory authorities will argue that consent must remain ‘specific’ and ‘informed’ at the individual-service level.[120]
If that interpretation prevails, browser signals will enable universal opt-out without a corresponding mechanism for universal opt-in. Consent will cease to function as a bilateral interaction between controller and user and instead become a unilateral browser-level refusal mechanism.
The failure of the ‘Do Not Track’ standard provides a cautionary precedent. Industry participants eventually abandoned the initiative after regulators refused to recognise browser-level consent signals as valid expressions of user choice.
D. Lessons from the United Kingdom
The United Kingdom’s recent reforms illustrate that a more proportionate framework is possible.
The Data (Use and Access) Act 2025 replaced the single ‘strictly necessary’ exemption with five consent exemptions covering communication, strictly necessary processing, statistical purposes, appearance preferences, and emergency assistance.[121]
The statistical-purposes exemption is particularly instructive. It allows analytics about how an organisation’s own service is used and explicitly permits third-party analytics providers acting as data processors.[122]
The UK is also developing a broader risk-based enforcement model. In July 2025, the ICO announced a new approach to online advertising enforcement. The ICO identified six advertising capability categories—ad delivery and billing, fraud prevention, brand safety, frequency capping, measurement and attribution, and targeting methods—where low-risk activities may proceed without consent.[123]
The ICO’s position is that ‘online advertising doesn’t have to come at the expense of privacy’ and that regulators should ‘remove unnecessary regulatory barriers and open the door to responsible innovation’.[124]
The UK framework maintains consent requirements for high-risk activities, particularly extensive cross-service behavioural profiling. At the same time, it allows targeted exemptions for low-risk activities essential to digital services.[125]
The UK system also incorporates institutional flexibility. The Secretary of State may add, remove, or modify consent exemptions through secondary legislation following consultation with the ICO.[126] The EU’s Article 88a, by contrast, contains a closed list of exemptions that can be changed only through full legislative amendment.
This flexibility offers a clear advantage. Privacy-preserving technologies—such as on-device processing and privacy sandbox architectures—are evolving rapidly. Regulatory frameworks must be capable of adapting without requiring multi-year legislative reform.
The UK is no longer bound by CJEU precedent, and its experience is not directly transferable to EU law. Nonetheless, it provides empirical evidence that a differentiated, risk-based approach to terminal-equipment data access can function in practice.
The EU’s current binary model—consent or prohibition for most advertising-related activities—is therefore a policy choice rather than a constitutional requirement.
E. The EDPB/EDPS Joint Opinion
The Joint Opinion takes a more constructive tone on the ePrivacy reforms than on the personal-data definition. The EDPB and EDPS ‘support the aim’ of Article 88a, strongly welcome Article 88b, and even suggest expanding the exemption list to include contextual advertising.[127]
The co-legislators should go further. If contextual advertising qualifies for exemption because it is ‘more privacy friendly than behavioural advertising’, similar reasoning applies to other low-risk activities such as fraud detection, frequency capping, advertising delivery, and basic measurement.
More importantly, regulatory analysis should focus on risk characteristics and safeguards, rather than labels attached to advertising models. Data types used, retention periods, combination practices, and processing scale determine privacy risk—not whether advertising is described as contextual or behavioural.
The Joint Opinion also correctly identifies the structural problem created by the two-regime architecture.[128] Its recommendation that recording a consent refusal should be exempt from consent requirements—provided it relies on a generic flag rather than a unique identifier—is a sensible technical improvement.[129]
F. The Enforcement Constraint
The ePrivacy provisions illustrate the central thesis of this submission: textual reform alone cannot succeed without enforcement reform.
Authorities that interpret the current ePrivacy Directive as requiring consent for generic URL parameters are likely to interpret Article 88a’s exemptions just as narrowly. The analytics exemption will not apply to the third-party tools most websites use. The security exemption will exclude advertising-fraud detection. Legislative language that appears workable in theory may become ineffective in practice once filtered through restrictive enforcement interpretation.
Recent enforcement history supports this concern. The EDPB’s guidelines on Article 5(3), adopted in 2023 and finalised in 2024, significantly expanded the range of activities requiring prior consent. Earlier interpretations by several national authorities—including the German Datenschutzkonferenz—had treated certain automatically transmitted data, such as URL parameters and IP addresses, differently.[130]
The shift occurred through guidelines, rather than legislation.
The Commission itself acknowledges that the current framework is failing. The Explanatory Memorandum recognises that consent banners ‘might not achieve their aim’ and that a ‘regulatory solution on the consent fatigue and proliferation of cookie banners is long-overdue’.[131]
If the Commission accepts that the existing regime fails, its replacement must deliver meaningful improvement. That requires exemptions broad enough to survive restrictive interpretation or an enforcement framework that creates incentives for proportionate interpretation.
G. Recommendations
1. Resolve the two-regime architecture
The co-legislators should bring non-personal data within the same risk-based framework as personal data. The current split between Article 88a GDPR and Article 5(3) of the ePrivacy Directive creates perverse incentives, increases legal uncertainty, and undermines the reform’s simplification objective. A controller should not need to resolve a contested personal-versus-non-personal threshold question before determining which consent regime applies.
2. Broaden the exemption list
The exemption list should cover additional low-risk activities that are essential to the functioning of digital services and do not, on a proportionate assessment, justify prior-consent requirements. At a minimum, the list should include advertising-fraud detection, basic advertising measurement, frequency capping, and contextual advertising.
The law should also avoid rigid category labels.[132] Exemptions should turn on actual risk characteristics and safeguards, including the types of data used, retention periods, combination practices, and scale. Low-risk forms of behavioural advertising should not be excluded solely because they are behavioural.
3. Fix the analytics exemption
The audience-measurement exemption should be broadened to permit third-party analytics providers acting as processors under a data-processing agreement, as in the UK model. The current formulation, limited to the controller’s own use, excludes standard market practice and risks rendering the exemption ineffective in practice.
A workable exemption should recognise that meaningful analytics often requires temporary processing of individual-level data before aggregation.
4. Ensure browser signals work in both directions
The legislation should clarify that an affirmative browser-level or operating-system-level opt-in signal can, where the relevant conditions are met, constitute valid consent under Article 4(11) GDPR. Without that clarification, Article 88b is likely to become a one-way opt-out mechanism.
If negative signals are given broad legal effect while positive signals are dismissed as insufficiently specific or informed, the automated-consent framework will operate asymmetrically and will entrench refusal without enabling meaningful user choice.
5. Introduce a flexibility mechanism
The Commission should be empowered to add or modify consent exemptions through delegated acts. The closed list in Article 88a is unlikely to remain fit for purpose as privacy-preserving technologies evolve.
The UK model provides a useful precedent. A more adaptable EU framework would allow regulators and legislators to respond to technological change without waiting for full primary-legislation reform each time a new low-risk use case emerges.
6. Recognise the enforcement constraint
The co-legislators should recognise that exemptions are only as broad as the authorities that interpret them. Even well-drafted provisions will be narrowed if enforcement incentives remain unchanged.
For that reason, the ePrivacy provisions provide the clearest illustration of why substantive reform and enforcement reform must proceed together. As Section V argues, the effectiveness of any exemption will depend not only on the text adopted, but also on the institutional incentives shaping its interpretation.
IV. Enforcement Reform — The Missing Piece
A. The Central Point
The preceding sections have set out the substantive case for the Digital Omnibus’s main reforms: an entity-relative definition of personal data, a legitimate-interest framework for AI training, and a more rational ePrivacy regime. Each faces the same structural obstacle. The authorities that will interpret and apply these provisions have institutional incentives to read exemptions narrowly, expand the scope of the rules they enforce, and resist reforms that reduce their regulatory reach.
Textual reform without enforcement reform is therefore insufficient.
This is the submission’s central institutional point. Most responses to the Digital Omnibus focus on the text. ICLE’s position is different. The text matters, but text alone cannot deliver the Commission’s stated objectives of simplification, legal certainty, and proportionate regulation. The Commission itself appears to recognise this. It notes that ‘more consistent and harmonised interpretation and enforcement across Member States’ is needed.[133] It proposes no mechanism to achieve that result.
B. The Diagnosis
1. Privacy myopia
Across the EU, data protection authorities often operate less like balanced public-interest regulators than like single-issue institutions. Their design helps explain why. DPAs wield enormous enforcement power, including the ability to impose fines running into the hundreds of millions of euros. Yet no equally robust obligation requires them to account for the effects of their decisions on interests other than privacy and data protection.[134]
The result is a form of privacy myopia. Regulatory culture treats maximising data protection as the overriding objective, while innovation, economic security, freedom of expression, and public health enter the analysis, if at all, as concerns for regulated parties to raise defensively.[135]
This is a structural problem, not a personal one. DPAs are staffed by serious professionals who understandably view data protection as important. The problem is that no countervailing institutional voice represents the other interests that data protection enforcement affects. Competition authorities sometimes intervene, but their remit is narrower than the full set of interests at stake.[136] Political institutions, whose responsibilities span economic welfare and public security, are largely excluded because their involvement is seen as inconsistent with Article 52 GDPR’s independence requirement.[137]
The consequences are concrete. EDPB Opinion 28/2024 on AI models is a good example. It sets out a lengthy list of compliance measures while offering no assurance that compliance with those measures will satisfy enforcement authorities.[138] It preserves near-limitless regulatory discretion while providing little practical guidance to firms trying to innovate responsibly.[139] A controller can invest heavily in AI-related compliance and still have no confidence that its efforts will be judged adequate one or two years later.
That uncertainty chills activity almost as effectively as an outright prohibition. For firms choosing where to invest or launch new products, the rational response is often to avoid the EU altogether.[140]
2. Quasi-legislation without accountability
The EDPB amplifies this problem by functioning as an unaccountable quasi-legislator. Formally, it issues non-binding opinions and guidelines. In practice, those instruments operate as law in action. They shape national enforcement priorities, influence market behaviour, and are often treated by courts and regulators as authoritative statements of the law.
Controllers that depart from EDPB guidance face a real prospect of enforcement action, regardless of whether that guidance reflects the GDPR’s text or the CJEU’s case law.
The EDPB’s guidelines on Article 5(3) of the ePrivacy Directive illustrate the point. Adopted in 2023 and finalised in 2024, the guidelines significantly expanded the scope of activities requiring prior consent. They treated generic URL parameters and standard browser transmissions as ‘access to information stored on the terminal equipment’ and displaced narrower interpretations previously adopted by several national authorities.[141]
That shift occurred through guidelines, not legislation. It was not accompanied by an impact assessment, parliamentary oversight, or the kind of structured stakeholder consultation expected of delegated or implementing acts. Yet it reshaped the compliance landscape for website operators across the EU.
The Joint Opinion on the Digital Omnibus reflects the same institutional logic. On pseudonymisation, the EDPB and EDPS argue that forthcoming EDPB guidance is a better vehicle than the Commission’s proposed Article 41a implementing acts.[142] On ePrivacy, they resist transferring cookie rules into the GDPR in part because that move would subject enforcement to the GDPR’s consistency mechanism, which—although imperfect—provides more structure than the current fragmented ePrivacy regime.[143]
The pattern is consistent. Where the Commission proposes legislative clarification or implementing powers subject to oversight, the EDPB argues that it should retain primary or exclusive control.
3. The accountability gap in the courts
Recent litigation involving Meta and WhatsApp exposes a parallel accountability problem in the courts.
In WhatsApp Ireland v EDPB, the Grand Chamber held that EDPB binding decisions under Article 65 GDPR are ‘acts open to challenge’ under Article 263 TFEU.[144] The Court relied on Recital 143 GDPR, which recognises that EDPB decisions ‘may be of direct and individual concern to, inter alia, a controller’.[145] This was an important development. It confirmed that the EDPB cannot materially alter a controller’s legal position—in that case, by directing the Irish DPC to increase a proposed fine from EUR 30 million to EUR 225 million[146]—without the possibility of judicial review.
But the limits of that safeguard are obvious. The action was filed in 2021. The admissibility ruling arrived only in February 2026. The merits remain pending on remand. Even where review is available, meaningful judicial scrutiny may take five years or more.[147]
Meanwhile, non-binding outputs remain effectively insulated. In Meta v EDPB, the General Court held that the EDPB’s Opinion 8/2024 on ‘consent or pay’ models did not produce binding legal effects vis-à-vis third parties and therefore could not be challenged directly.[148] The Court acknowledged that the opinion used mandatory language such as ‘should’ and ‘should not’, but nonetheless characterised it as merely ‘calling for an in-depth consideration’.[149] Meta’s appeal remains pending.[150] Even if Meta succeeds, the case would address only one category of opinion. It would not solve the broader problem posed by guidelines and recommendations, which make up most of the EDPB’s quasi-legislative output.
At the same time, the EDPB’s influence over investigations is expanding. In DPC v EDPB, the General Court upheld the EDPB’s power to require national authorities to broaden investigations beyond the issues originally examined.[151] The Court did not engage seriously with whether the EDPB’s substantive positions were balanced or proportionate. It treated the EDPB as a neutral coordinator of consistent enforcement—the very assumption that is in dispute.[152]
Taken together, these cases expose the gap. The EDPB’s most influential outputs—its guidelines, opinions, and recommendations—remain the least reviewable. Its binding decisions are reviewable in principle, but only after years of litigation and without any clear indication of the intensity of substantive review. Courts have largely treated the EDPB as a neutral public-interest body. That characterisation is, at minimum, contestable.
4. What the Joint Opinion does not say
The EDPB/EDPS Joint Opinion 2/2026 is the enforcement authorities’ most comprehensive response to the Digital Omnibus. At 47 pages, it says nothing about whether the present enforcement architecture is fit for purpose.[153]
The Joint Opinion mentions DPA resource constraints only to request more resources.[154] It does not acknowledge the structural causes of inconsistent enforcement. It does not discuss the EDPB’s own accountability, the quasi-legislative function of guidelines and opinions, or the possibility that separating investigation from adjudication could improve the quality and legitimacy of enforcement outcomes.
That silence is revealing. When a regulatory body invited to comment on a major reform of its legal framework devotes no attention to whether its own institutional design contributes to the problem, the more plausible explanation is institutional incentive, not bad faith.
C. Existing Counterexamples Show a Different Model Is Possible
The French data protection authority, the CNIL, has shown that proportionate and pragmatic enforcement is possible within the current legal framework. Its AI guidance recognises that GDPR compliance for AI training is achievable and sets out workable compliance pathways. That approach contrasts sharply with the EDPB’s strategically ambiguous Opinion 28/2024.[155]
The CNIL’s example matters because it shows that a national authority willing to balance data protection against other public interests can produce guidance that is both protective and practical.
One national authority, however, cannot reshape EU-wide practice. The CNIL’s approach faces opposition from more absolutist privacy officials and activists, and there is no realistic prospect that EU privacy enforcers will converge voluntarily around its model. The institutional incentives point the other way. DPAs that interpret the law broadly expand their regulatory reach and receive reinforcement through the EDPB’s consistency mechanism. A DPA that takes a more proportionate view risks being overridden, as the Irish DPC’s experience illustrates.[156]
The UK Information Commissioner’s Office provides a complementary example. Its July 2025 call for views on a risk-based enforcement approach to online advertising identified six categories of advertising capabilities for which low-risk activities might proceed without consent. That approach reflects a markedly different regulatory philosophy.[157] The ICO distinguishes between extensive behavioural profiling, which may require consent, and lower-risk activities such as frequency capping and ad delivery, which may not.
The UK example is stronger still because it is not limited to one enforcement initiative. Section 91 of the Data (Use and Access) Act 2025 rewrites the Information Commissioner’s statutory duties. It introduces a principal objective requiring the Commissioner to secure an appropriate level of protection for personal data ‘having regard to the interests of data subjects, controllers and others and matters of general public interest’, while also promoting public trust and confidence in data processing.
The accompanying duties require the Commissioner, where relevant, to consider innovation and competition, crime prevention and detection, public security and national security, and child protection.[158] Section 120C then requires a strategy consistent with those duties and with the earlier economic-growth duty in section 108 of the Deregulation Act 2015. Section 120D adds consultation obligations with other regulators on effects relating to economic growth, innovation, and competition, backed by annual reporting to Parliament.[159]
This matters because it shows that data-protection enforcement need not be organised around a one-dimensional privacy mandate. A legislature can preserve regulatory independence while imposing express duties of balance, consultation, strategy, and public accountability.
At the same time, the UK example also supports an important limit. A bare duty to consider innovation or growth is not enough on its own. The earlier section 108 duty was plainly insufficient. The lesson is therefore twofold: broader statutory duties are both feasible and valuable, but deeper structural reform remains necessary. The EU should go further by changing who makes consequential cross-border decisions and by subjecting EDPB quasi-legislation to meaningful review.
D. A Structural Solution
The solution should address the problem at its source.[160] It should preserve the importance of data protection while reforming the institutional design that turns competent professionals into single-issue enforcers.
First, investigation should be separated from adjudication. DPAs should retain their investigative powers, technical expertise, and local knowledge. But in consequential cross-border cases, they should present their findings and recommendations to an independent decision-making body, rather than acting as investigator, prosecutor, and judge.[161]
Second, the EU should establish an independent multidisciplinary tribunal. This body should issue binding decisions, including fines, in consequential cross-border cases. Its membership should not be limited to data-protection specialists. It should include economists, generalist judges, and experts from relevant regulated sectors so that decisions reflect the wider public interest, rather than a single regulatory perspective.[162]
Third, the governing legal framework should require explicit balancing. In every decision, the tribunal should explain how it has weighed data protection against other fundamental rights and against the economic realities of the activity at issue. The GDPR already requires such balancing in provisions such as Article 6(1)(f) and Recital 4. The current enforcement architecture provides no institutional guarantee that it will actually occur.[163]
Fourth, the tribunal should include advocates general or an equivalent function for non-data-protection interests. Drawing on the Court of Justice model, those officers would be tasked with articulating the interests that lack any institutional champion under the current system, including innovation, freedom of expression, economic security, and public health.[164]
Fifth, EDPB quasi-legislation should be reviewed before taking effect. The tribunal should review EDPB guidelines, opinions, and recommendations before they become final. If the EDPB adopts guidance that fails a proportionality standard—as with its Article 5(3) ePrivacy guidance, which would require website operators to obtain consent from would-be fraudsters and attackers before deploying anti-fraud tools[165]—the tribunal should be able to refuse approval.
That reform would convert the EDPB’s quasi-legislative role from an opaque administrative process into one subject to transparent judicial oversight.[166]
This proposal does not require Treaty change. Article 257 TFEU already permits the European Parliament and Council to establish ‘specialised courts attached to the General Court to hear and determine at first instance certain classes of action or proceeding brought in specific areas’. The legal basis already exists. What is missing is political will.
Garicano, Holmström, and Petit’s Constitution of Innovation proposes using that same Treaty basis to create specialised commercial courts for internal-market enforcement, with fast-track procedures, English-language proceedings, and EU-wide injunctive powers, subject to appeal to the General Court on points of law only.[167] Their proposal targets trade and mutual-recognition disputes, but the institutional model is directly transferable.
A specialised EU regulatory tribunal established under Article 257 TFEU could house both the commercial jurisdiction that Garicano, Holmström, and Petit envisage and the data-protection adjudicatory function proposed here. That would be more efficient, and probably more politically feasible, than creating a stand-alone privacy tribunal. It would also embed data-protection enforcement within a broader framework of EU regulatory adjudication, ensuring that privacy is weighed alongside the other interests EU regulation affects.
The Unified Patent Court offers a practical precedent for specialised European judicial bodies dealing with technically and economically complex issues. The real question is not legal feasibility. It is whether the political system is willing to apply the same institutional logic to data protection, where existing arrangements serve the interests of the bodies that would have to yield authority.
E. Other Commentators Have Identified the Same Problem
ICLE is not alone in identifying enforcement design as the missing element.
Bolognini and Capparelli argue that supervisory authorities should be required to conduct a prior analytical assessment of the effects of their decisions on innovation, competitiveness, and other fundamental rights and freedoms. They also propose that this assessment should accompany the provisional decision so that the addressee can respond meaningfully.[168] In addition, they argue that the EDPB should be required to activate participatory prior-consultation procedures for its guidelines, with public access to the consultation results.[169]
Craddock makes a similar institutional point about the definition of personal data. When data cease to be treated as personal data, they fall outside DPA jurisdiction. For that reason, he argues, ‘one must be careful not to see their position as neutral’.[170]
Leiser describes the Joint Opinion as ‘a regulatory counteroffensive’ that ‘deploys the language of rights not primarily to protect individuals, but to reassert institutional centrality, supervisory reach, and interpretive authority’.[171] That is a sharp formulation, but it does not require alleging bad faith. Incentive structures can produce predictable institutional behaviour without any need for conspiracy or improper motive.
F. Recommendations
The Commission has not proposed enforcement reform in the Digital Omnibus. We recognise the political difficulty. Enforcement reform touches supervisory-authority independence, a principle embedded in Article 52 GDPR and Article 8(3) of the Charter. The EDPB and EDPS will predictably resist any reform that narrows their interpretive discretion.
Still, the implications should be stated plainly. If the enforcement architecture remains unchanged, the substantive reforms in the Digital Omnibus will be interpreted by the same authorities, using the same maximalist lens, that created the underlying problems. The entity-relative definition of personal data will be narrowed through EDPB guidance. The legitimate-interest framework for AI training will be hedged with conditions that recreate the uncertainty it was meant to resolve. The ePrivacy exemptions will be read as narrowly as the exemptions they replace.
The Commission appears to understand this problem. Its own Explanatory Memorandum acknowledges the need for more consistent enforcement. It does not act on that diagnosis.
ICLE therefore recommends the following.
1. Include enforcement reform in the legislative process
The Commission should publish a complementary enforcement-reform proposal. Regulation (EU) 2025/2518, the adopted GDPR Procedural Regulation, is not the right vehicle for structural reform. It standardises aspects of cross-border procedure without addressing the underlying problem of single-interest enforcement.[172]
2. Require proportionality assessments for EDPB outputs
At a minimum, Article 70 GDPR should be amended to require the EDPB to conduct and publish a proportionality assessment before adopting guidelines, opinions, or recommendations. That assessment should address effects on innovation, competition, crime prevention, public security, economic growth, and other fundamental rights. The absence of any such requirement is a gap the co-legislators can close.[173] Even so, this measure alone would not be enough. Impact assessments can easily become window dressing.
3. Require formal stakeholder and cross-regulator consultation
The GDPR should require the EDPB to conduct participatory prior-consultation procedures for all guidelines and opinions, publish submissions, and respond to substantive objections. At present, the EDPB may solicit comments and then disregard them without explanation. That falls below the standard expected of any body exercising quasi-legislative power.[174] The co-legislators should also consider a statutory duty to consult other public authorities where data-protection enforcement materially affects innovation, competition, economic growth, or security, as the UK now requires of the Information Commissioner.[175]
4. Establish an independent review mechanism for consequential cross-border decisions
The EU should create an independent tribunal, or a specialised chamber within the General Court, with multidisciplinary composition and a clear mandate to balance all affected interests. This is the structural reform that addresses the problem at its root.
5. Clarify the standard of judicial review for EDPB acts
WhatsApp opened the door to judicial review of binding decisions, but it said nothing about the intensity of review.[176] The co-legislators should specify that courts reviewing EDPB decisions must apply a proportionality standard that accounts for effects on all fundamental rights and legitimate interests, not merely formal competence.
6. Act on the Commission’s own diagnosis
The Commission already recognises that current enforcement mechanisms are inadequate. If enforcement reform is omitted from the Digital Omnibus, the Commission should explain what alternative mechanism will achieve the objectives it has identified, and on what timetable.
7. Learn from the CNIL and the ICO
The CNIL’s AI guidance and the UK ICO’s risk-based approach to advertising show that proportionate enforcement is possible. The real question is whether that approach can be institutionalised rather than left to the preferences of individual authorities. That requires structural reform.
[1] Proposal for a Regulation of the European Parliament and of the Council amending Regulations (EU) 2016/679 and (EU) 2018/1725 and repealing Directive 2002/58/EC (‘Digital Omnibus’) COM(2025) 837 final, art 1(1)(a), amending art 4(1) of Regulation (EU) 2016/679 (General Data Protection Regulation). The proposal states: ‘Information is not personal for a given entity where that entity cannot identify the natural person to whom the information relates, taking into account the means reasonably likely to be used by that entity. Such information does not become personal for that entity merely because a potential subsequent recipient has means reasonably likely to identify the natural person to whom the information relates.’
[2] Proposal for a Regulation of the European Parliament and of the Council amending Regulations (EU) 2016/679 and (EU) 2018/1725 and repealing Directive 2002/58/EC (‘Digital Omnibus’) COM(2025) 837 final, art 1(7), inserting new art 41a into Regulation (EU) 2016/679 (General Data Protection Regulation).
[3] The phrase adapts Nadezhda Purtova, ‘The Law of Everything: Broad Concept of Personal Data and the Future of EU Data Protection Law’ (2018) 10 Law Innov Technol 40.
[4] See, e.g., European Data Protection Board, Guidelines 01/2025 on Pseudonymisation (adopted 16 January 2025); European Data Protection Board and European Data Protection Supervisor, Joint Opinion 2/2026 on the Proposal for a Regulation (‘Digital Omnibus’) (11 February 2026) paras 14–17.
[5] Proposal for a Regulation of the European Parliament and of the Council amending Regulations (EU) 2016/679 and (EU) 2018/1725 and repealing Directive 2002/58/EC (‘Digital Omnibus’) COM(2025) 837 final, Explanatory Memorandum 7 (estimating EUR 5.1 billion in annual savings from the simplification exercise).
[6] Case C-413/23 P European Data Protection Supervisor v Single Resolution Board [2025] ECLI:EU:C:2025:645, para 82.
[7] Ibid para 100.
[8] Ibid para 86. The EDPS argued that pseudonymised data ‘must be regarded as constituting, in all cases and for every person, personal data’. The EDPB intervened in support of that view. The Court rejected the argument.
[9] International Center for Law & Economics (ICLE), Comments on the European Commission Digital Omnibus (13 October 2025) 3 https://laweconcenter.org/resources/icle-comments-on-the-european-commission-digital-omnibus.
[10] Charter of Fundamental Rights of the European Union [2012] OJ C 326/391, art 8.
[11] noyb, Digital Omnibus Report (version 3.0, 2026) 7.
[12] Explanations Relating to the Charter of Fundamental Rights [2007] OJ C 303/17, art 8 commentary (stating that art 8 is ‘based on’ Directive 95/46 and Regulation 45/2001).
[13] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/31, recital 26.
[14] Case C-582/14 Patrick Breyer v Bundesrepublik Deutschland [2016] ECLI:EU:C:2016:779, paras 45–46.
[15] Opinion of AG Spielmann in Case C-413/23 P European Data Protection Supervisor v Single Resolution Board [2025] ECLI:EU:C:2025:59, para 58.
[16] European Data Protection Board and European Data Protection Supervisor (n 4) para 13.
[17] European Data Protection Board and European Data Protection Supervisor (n 4) para 15.
[18] noyb (n 11) 8.
[19] Breyer (n 14) paras 45–46.
[20] Ibid para 47.
[21] noyb (n 11) 8, citing para 48 for the proposition that ‘it was irrelevant if this is likely to be used, the possibility was sufficient’. This reading omits the qualifications in paras 45–46 that identification must rely on means ‘reasonably likely’ to be used and excludes cases where identification would require ‘disproportionate effort’.
[22] Case C-434/16 Peter Nowak v Data Protection Commissioner [2017] ECLI:EU:C:2017:994, paras 34–39.
[23] Case C-683/21 Nacionalinis visuomenės sveikatos centras prie Sveikatos apsaugos ministerijos v Valstybinė duomenų apsaugos inspekcija [2023] ECLI:EU:C:2023:949, para 58.
[24] Case C-579/21 Pankki S [2023] ECLI:EU:C:2023:501, para 42.
[25] Ibid para 44.
[26] Case C-604/22 IAB Europe v Gegevensbeschermingsautoriteit [2024] ECLI:EU:C:2024:214, paras 40–46.
[27] Case C-479/22 P OC v European Commission [2024] ECLI:EU:C:2024:215, paras 51, 57–58.
[28] European Data Protection Supervisor v Single Resolution Board (n 6) para 81.
[29] Proposal (n 1) proposed art 4(1) GDPR, third sentence.
[30] European Data Protection Board and European Data Protection Supervisor (n 4) para 16, citing European Data Protection Supervisor v Single Resolution Board (n 6) paras 84–85.
[31] See, e.g., Case C-319/22 Gesamtverband Autoteile-Handel eV v Scania CV AB [2023] ECLI:EU:C:2023:837, para 49 (holding that data become personal for the manufacturer ‘indirectly’ when made available to independent operators with the means to identify the data subject).
[32] noyb (n 11) 9.
[33] Opinion of AG Spielmann (n 15) paras 94–96.
[34] Ibid.
[35] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) [2016] OJ L 119/1, recital 26 (distinguishing ‘identified’ and ‘identifiable’ natural persons and listing ‘singling out’ among several possible means of identification, alongside name, identification number, location data, and factors specific to identity).
[36] noyb (n 11) 6.
[37] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation) [2016] OJ L 119/1, art 11(1): ‘If the purposes for which a controller processes personal data do not or no longer require the identification of a data subject, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.’
[38] Sophie Stalla-Bourdillon, ‘Déjà Vu in Data Protection: The Risks of Rewriting What Counts as Personal Data’ (2026) 26 Priv Data Prot 2.
[39] noyb (n 11) 12.
[40] European Data Protection Board and European Data Protection Supervisor (n 4) para 6.
[41] Ibid paras 21, 25.
[42] Ibid para 19.
[43] See ICLE (n 9) 3–4.
[44] Case C-97/23 P WhatsApp Ireland Ltd v European Data Protection Board [2026] ECLI:EU:C:2026:81 (admissibility ruling holding that binding decisions of the EDPB under art 65 GDPR are challengeable under art 263 TFEU; the merits remain pending on remand).
[45] European Data Protection Board and European Data Protection Supervisor (n 4) para 24.
[46] Proposal for a Regulation of the European Parliament and of the Council amending Regulations (EU) 2016/679 and (EU) 2018/1725 and repealing Directive 2002/58/EC (‘Digital Omnibus’) COM(2025) 837 final (‘the Proposal’), art 1(12), inserting new art 88c into Regulation (EU) 2016/679 (General Data Protection Regulation).
[47] Ibid.
[48] Proposal (n 1) art 1(3)(a), inserting new art 9(2)(k) into Regulation (EU) 2016/679 (General Data Protection Regulation).
[49] Proposal (n 1) art 1(3)(b), inserting new art 9(5) into Regulation (EU) 2016/679 (General Data Protection Regulation).
[50] European Data Protection Board, Opinion 28/2024 on Certain Data Protection Aspects Related to the Processing of Personal Data in the Context of AI Models (adopted 17 December 2024) para 69.
[51] ICLE (n 9) 3–4.
[52] Commission nationale de l’informatique et des libertés (CNIL), ‘Base légale : l’intérêt légitime pour le développement des systèmes d’IA’ (19 June 2025) https://www.cnil.fr/fr/base-legale-interet-legitime-developpement-systeme. See also CNIL, ‘IA et RGPD : la CNIL publie ses nouvelles recommandations pour accompagner une innovation responsable’ (7 February 2025) https://www.cnil.fr/fr/ia-et-rgpd-la-cnil-publie-ses-nouvelles-recommandations-pour-accompagner-une-innovation-responsable.
[53] ICLE (n 9) 4.
[54] European Data Protection Board and European Data Protection Supervisor (n 4) para 39.
[55] See ICLE (n 9) 3 (arguing that the EDPB’s approach illustrates ‘the fox-guarding-henhouse problem’ in EU data protection governance).
[56] European Data Protection Board and European Data Protection Supervisor (n 4) para 19.
[57] Ibid para 90.
[58] Ibid para 82.
[59] European Data Protection Board, Guidelines 1/2024 on the Processing of Personal Data Based on Article 6(1)(f) GDPR (adopted February 2025) 4: ‘it should be recalled that the GDPR does not establish any hierarchy between the different legal bases laid down in Article 6(1)’.
[60] noyb (n 11) 77 (framing the debate as one where ‘the Commission proposal goes towards shifting the burden … to 450 million Europeans — instead of a handful of AI training companies’). This framing implicitly treats consent as the preferred legal basis. The GDPR contains no such preference.
[61] noyb (n 11) 77.
[62] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation) [2016] OJ L 119/1, art 21(1) (requiring the data subject to demonstrate ‘grounds relating to his or her particular situation’). The proposed art 88c right to object is unconditional; no grounds must be shown.
[63] Case C-131/12 Google Spain SL and Google Inc v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González [2014] ECLI:EU:C:2014:317, paras 73–81.
[64] Case C-136/17 GC and Others v Commission nationale de l’informatique et des libertés (CNIL) [2019] ECLI:EU:C:2019:773, paras 36–39, 66.
[65] Opinion of AG Szpunar in Case C-136/17 GC and Others v Commission nationale de l’informatique et des libertés (CNIL) [2019] ECLI:EU:C:2019:14, paras 42–46.
[66] Peter Craddock, ‘About AI Training & Legitimate Interest as a GDPR Legal Ground’ (LinkedIn, 23 May 2025) https://www.linkedin.com/pulse/ai-training-legitimate-interest-gdpr-legal-ground-peter-craddock-2p5qe: ‘the objective of AI model training is not to provide responses to users that contain personal data but rather to help the AI model predict what a response through the user-facing AI system should look like’.
[67] Higher Regional Court of Cologne (OLG Köln), 23 May 2025, Case 15 UKl 2/25 https://nrwe.justiz.nrw.de/olgs/koeln/j2025/15_UKl_2_25_Urteil_20250523.html.
[68] noyb (n 11) 77, citing Google Spain (n 63) para 81.
[69] Google Spain (n 63) paras 73–74 (recognising the search engine operator’s ‘legitimate interest’ in processing personal data).
[70] Proposal (n 1) art 88c GDPR.
[71] European Data Protection Board and European Data Protection Supervisor (n 4) para 41.
[72] Proposal (n 1) recital 30: ‘This does not affect … its obligation to ensure that all other conditions of art 6(1)(f) of Regulation (EU) 2016/679, as well as all other requirements and principles of that Regulation, are met.’
[73] noyb (n 11) 80.
[74] Proposal (n 1) recitals 30–31.
[75] OLG Köln (n 67).
[76] Ibid.
[77] CNIL (n 52).
[78] noyb (n 11) 78, citing Case C-621/22 Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens [2024] ECLI:EU:C:2024:858, para 51.
[79] Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens (n 78) para 49.
[80] Proposal (n 1) recital 30.
[81] Proposal (n 1) recital 31 (identifying bias detection, accurate and safe outputs, and improved accessibility as examples of beneficial uses of AI).
[82] Proposal (n 1) Explanatory Memorandum 1 (citing the Draghi and Letta reports and the European Council Conclusions of 20 March 2025).
[83] Proposal (n 1) recitals 30–31.
[84] OLG Köln (n 67).
[85] Proposal (n 1) art 88c GDPR; recital 31.
[86] Proposal (n 1) recital 31.
[87] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation) [2016] OJ L 119/1, art 9(1).
[88] See, e.g., Case C-184/20 OT v Vyriausioji tarnybinės etikos komisija [2022] ECLI:EU:C:2022:601, paras 123–128 (holding that data revealing a spouse’s name in a public declaration of interests may constitute ‘data concerning health’ within art 9(1) where it permits inferences about sexual life or orientation); Case C-667/21 ZQ v Medizinischer Dienst der Krankenversicherung Nordrhein, Körperschaft des öffentlichen Rechts [2023] ECLI:EU:C:2023:1022, paras 75–80.
[89] Proposal (n 1) recital 33.
[90] Proposal (n 1) art 9(5) GDPR, as inserted by art 1(3)(b).
[91] GC and Others (n 64) paras 66–67.
[92] OLG Köln (n 67).
[93] European Data Protection Board and European Data Protection Supervisor (n 4) paras 46–51 (suggesting the three refinements discussed in the text). The Joint Opinion ‘acknowledge[s]’ that ‘it is not always possible for controllers to avoid residual and incidental processing of special categories of data’ (para 46).
[94] Proposal (n 1) art 88c GDPR; Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation) [2016] OJ L 119/1, art 21(1) (requiring ‘grounds relating to his or her particular situation’).
[95] European Data Protection Board and European Data Protection Supervisor (n 4) para 42.
[96] Proposal (n 1) recital 31.
[97] noyb (n 11) 80.
[98] Proposal (n 1) art 9(5) GDPR.
[99] Proposal for a Regulation of the European Parliament and of the Council amending Regulations (EU) 2016/679 and (EU) 2018/1725 and repealing Directive 2002/58/EC (‘Digital Omnibus’) COM(2025) 837 final (‘the Proposal’), art 1(12), inserting new art 88a into Regulation (EU) 2016/679 (General Data Protection Regulation).
[100] Proposal (n 1) art 88a(3)(a)–(d).
[101] Proposal (n 1) art 88a(4)(a)–(c).
[102] Proposal (n 1) art 1(12), inserting new art 88b into Regulation (EU) 2016/679 (General Data Protection Regulation).
[103] Proposal (n 1) art 88b(6)–(7).
[104] Proposal (n 1) art 88b(3).
[105] Proposal (n 1) art 2(1), amending art 5(3) of Directive 2002/58/EC.
[106] Proposal (n 1) Explanatory Memorandum 7–8.
[107] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive) [2002] OJ L 201/37, art 5(3). The provision recognises two exemptions: (i) storage solely for the purpose of transmitting a communication, and (ii) storage strictly necessary to provide a service explicitly requested by the user.
[108] European Data Protection Board, Guidelines 2/2023 on the Technical Scope of Article 5(3) of the ePrivacy Directive (adopted 7 October 2024).
[109] Proposal (n 1) Explanatory Memorandum 7.
[110] European Data Protection Board and European Data Protection Supervisor (n 4) para 97(i).
[111] noyb (n 11) 84–85.
[112] noyb (n 11) 63–68.
[113] Proposal (n 1) art 88a(3)(c).
[114] See, e.g., Hendrik Schöttle and Claudio Calabro, ‘Digital Omnibus Reshapes EU Cookie Rules but Leaves Banner Fatigue Largely Intact’ (Osborne Clarke, 10 December 2025) https://www.osborneclarke.com/insights/digital-omnibus-reshapes-eu-cookie-rules-leaves-banner-fatigue-largely-intact; Taylor Wessing, ‘The Digital Omnibus: Cookies, Consent and Digital Advertising’ (Global Data Hub, 2 February 2026) https://www.taylorwessing.com/en/global-data-hub/2026/the-digital-omnibus-proposal/gdh—the-digital-omnibus—cookies.
[115] Data (Use and Access) Act 2025 (UK), s 112 and sch 12 (inserting a statistical-purposes exception into reg 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), covering third-party analytics providers acting as data processors under a data-processing agreement).
[116] European Data Protection Board and European Data Protection Supervisor (n 4) para 102.
[117] Proposal (n 1) art 88a(3). None of the four exemptions covers advertising delivery, measurement, or fraud prevention. The media-service-provider carve-out in art 88b(3) merely exempts media providers from respecting browser consent signals; it does not create a legal basis for consent-free advertising.
[118] European Data Protection Board (n 108) paras 31–33.
[119] European Data Protection Board and European Data Protection Supervisor (n 4) para 104.
[120] See also Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation) [2016] OJ L 119/1, art 4(11) (defining consent as ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes’).
[121] Data (Use and Access) Act 2025 (UK), s 112 and sch 12.
[122] Ibid (statistical-purposes exception). See also Data Protection Network, ‘DUA Act and the 5 Cookie Exceptions’ (2025) https://dpnetwork.org.uk/duaa-cookie-exceptions.
[123] Information Commissioner’s Office (ICO), ‘ICO Opens Door to Privacy-First Advertising Models with Proposed New Enforcement Approach’ (7 July 2025) https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/07/ico-opens-door-to-privacy-first-advertising-models-with-proposed-new-enforcement-approach.
[124] Ibid, quoting Stephen Almond, ICO Executive Director of Regulatory Risk.
[125] Ibid: ‘Where people have a clear understanding that services are funded by advertising, they may accept some storage and access’.
[126] Data (Use and Access) Act 2025 (UK), s 112 (empowering the Secretary of State to add, remove, or vary exceptions to the Privacy and Electronic Communications (EC Directive) Regulations 2003 after consulting the Information Commissioner’s Office).
[127] European Data Protection Board and European Data Protection Supervisor (n 4) paras 96, 104, 108.
[128] Ibid para 97.
[129] Ibid para 106.
[130] Datenschutzkonferenz, Orientierungshilfe der Aufsichtsbehörden für Anbieter:innen von Telemedien ab dem 1. Dezember 2021 (20 December 2021) https://www.datenschutzkonferenz-online.de/media/oh/20211220_oh_telemedien.pdf.
[131] Proposal (n 1) Explanatory Memorandum 7–8.
[132] Proposal (n 1) recital 44.
[133] Proposal for a Regulation of the European Parliament and of the Council amending Regulations (EU) 2016/679 and (EU) 2018/1725 and repealing Directive 2002/58/EC (‘Digital Omnibus’) COM(2025) 837 final (‘the Proposal’), Explanatory Memorandum 3.
[134] Mikołaj Barczentewicz, ‘A Serious Target for Improving EU Regulation: GDPR Enforcement’ (EUTechReg, 27 February 2025) https://eutechreg.com/p/a-serious-target-for-improving-eu.
[135] Ibid. See also Mikołaj Barczentewicz, ‘The EDPB’s AI Opinion Shows the Need for GDPR Enforcement Reform’ (EUTechReg, 17 January 2025) https://eutechreg.com/p/the-edpbs-ai-opinion-shows-the-need.
[136] Barczentewicz, ‘A Serious Target for Improving EU Regulation: GDPR Enforcement’ (n 134).
[137] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation) [2016] OJ L 119/1, art 52(1)–(2).
[138] European Data Protection Board, Opinion 28/2024 on Certain Data Protection Aspects Related to the Processing of Personal Data in the Context of AI Models (adopted 17 December 2024).
[139] Barczentewicz, ‘The EDPB’s AI Opinion Shows the Need for GDPR Enforcement Reform’ (n 135).
[140] Ibid.
[141] European Data Protection Board, Guidelines 2/2023 on the Technical Scope of Article 5(3) of the ePrivacy Directive (adopted 7 October 2024). See also Peter Craddock, ‘EDPB Seeks to Redefine ePrivacy — Part II: Overbroad Notions and Regulator Activism?’ (LinkedIn, 20 November 2023) https://www.linkedin.com/pulse/edpb-seeks-redefine-eprivacy-part-ii-overbroad-notions-peter-craddock-ptg0e.
[142] European Data Protection Board and European Data Protection Supervisor (n 4) para 19.
[143] See ibid paras 96–97.
[144] Case C-97/23 P WhatsApp Ireland Ltd v European Data Protection Board [2026] ECLI:EU:C:2026:81.
[145] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation) [2016] OJ L 119/1, recital 143.
[146] European Data Protection Board, Binding Decision 1/2021 on the Dispute Arisen on the Draft Decision of the Irish Supervisory Authority Regarding WhatsApp Ireland Ltd (2021) (directing the Irish Data Protection Commission to increase its proposed fine from approximately EUR 30 million to EUR 225 million).
[147] Case T-709/21 WhatsApp Ireland Ltd v European Data Protection Board [2022] ECLI:EU:T:2022:783 (dismissing the action as inadmissible). The Court of Justice set aside that order in WhatsApp Ireland Ltd v European Data Protection Board (n 144) and remitted the case to the General Court. As of March 2026, no judgment on the merits has been delivered.
[148] Case T-319/24 Meta Platforms Ireland Ltd v European Data Protection Board [2025] ECLI:EU:T:2025:435, paras 30, 36.
[149] Ibid para 23.
[150] Case C-454/25 P Meta Platforms Ireland Ltd v European Data Protection Board (appeal brought 10 July 2025, pending).
[151] Joined Cases T-578/21, T-579/21 and T-580/21 Data Protection Commission v European Data Protection Board (General Court, 29 January 2025).
[152] See Mikołaj Barczentewicz, ‘Meta v EDPB and What Really Needs to Change in the GDPR’ (EUTechReg, 6 May 2025) https://eutechreg.com/p/meta-v-edpb-and-what-really-needs.
[153] European Data Protection Board and European Data Protection Supervisor (n 4).
[154] Ibid para 59, fn 65.
[155] Commission nationale de l’informatique et des libertés (CNIL), ‘IA et RGPD : la CNIL publie ses nouvelles recommandations pour accompagner une innovation responsable’ (7 February 2025) https://www.cnil.fr/fr/ia-et-rgpd-la-cnil-publie-ses-nouvelles-recommandations-pour-accompagner-une-innovation-responsable. See also Barczentewicz, ‘A Serious Target for Improving EU Regulation: GDPR Enforcement’ (n 134).
[156] See nn 144–147 and accompanying text.
[157] Information Commissioner’s Office (ICO), ‘ICO Opens Door to Privacy-First Advertising Models with Proposed New Enforcement Approach’ (7 July 2025) https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/07/ico-opens-door-to-privacy-first-advertising-models-with-proposed-new-enforcement-approach. The six categories are ad delivery and billing, ad-fraud prevention and detection, brand safety and compliance, frequency capping, measurement and attribution, and targeting methods.
[158] Data (Use and Access) Act 2025 (UK), s 91 (inserting Data Protection Act 2018, ss 120A–120B).
[159] Ibid s 91 (inserting Data Protection Act 2018, ss 120C–120D); Deregulation Act 2015 (UK), s 108; Legislative and Regulatory Reform Act 2006 (UK), s 21.
[160] Barczentewicz, ‘A Serious Target for Improving EU Regulation: GDPR Enforcement’ (n 134); Mikołaj Barczentewicz, ‘The EU’s GDPR “Fix” Misses the Point Entirely’ (Truth on the Market, 24 June 2025) https://truthonthemarket.com/2025/06/24/the-eus-gdpr-fix-misses-the-point-entirely; ICLE, Comments on the European Commission Digital Omnibus (13 October 2025) 3–4 https://laweconcenter.org/resources/icle-comments-on-the-european-commission-digital-omnibus.
[161] Barczentewicz, ‘The EU’s GDPR “Fix” Misses the Point Entirely’ (n 160).
[162] Ibid.
[163] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation) [2016] OJ L 119/1, art 6(1)(f) (legitimate-interest balancing test); recital 4 (‘The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality’).
[164] Barczentewicz, ‘A Serious Target for Improving EU Regulation: GDPR Enforcement’ (n 134); Barczentewicz, ‘The EU’s GDPR “Fix” Misses the Point Entirely’ (n 160).
[165] Mikołaj Barczentewicz, ‘Why Europe Can’t Kill the Cookie Banner’ (Truth on the Market, 26 January 2026) https://truthonthemarket.com/2026/01/26/why-europe-cant-kill-the-cookie-banner.
[166] Barczentewicz, ‘A Serious Target for Improving EU Regulation: GDPR Enforcement’ (n 134).
[167] Luis Garicano, Bengt Holmström and Nicolas Petit, ‘The Constitution of Innovation’ (10 November 2025) https://constitutionofinnovation.eu (proposing specialised commercial courts established under art 257 TFEU, attached to the General Court, with fast-track procedures including decisions within 180 days, English-language proceedings, and EU-wide injunctive powers). See also Barczentewicz, ‘A Serious Target for Improving EU Regulation: GDPR Enforcement’ (n 134).
[168] Luca Bolognini and Enrico Capparelli, ‘Proposals for Improving the Digital Omnibus’ (February 2026) Section IV: ‘The supervisory authority should be required to carry out a prior analytical assessment of the impact that such decisions would have on innovation and competitiveness, including knowledge enhancement and technology transfer, as well as on other public interests or fundamental rights and freedoms’.
[169] Ibid (proposing either prescriptive regulation of consultation procedures or ‘greater functional autonomy’ for the EDPB, with a requirement to ‘activate prior consultation of the stakeholders’).
[170] Peter Craddock, ‘Making the GDPR Realistic? Authorities Only Want That in Part’ (LinkedIn, 20 February 2026) https://www.linkedin.com/pulse/making-gdpr-realistic-authorities-only-want-part-peter-craddock-pktxe: ‘when information ceases to be perceived as personal data, it falls outside of their remit. One must therefore be careful not to see their position as neutral’.
[171] Mark R Leiser, ‘The Entrenchment Move’ (Dr Mark R Leiser, 3 February 2026) https://digidata.substack.com/p/the-entrenchment-move: ‘The Opinion deploys the language of rights not primarily to protect individuals, but to reassert institutional centrality, supervisory reach, and interpretive authority within the emerging AI governance framework’.
[172] Regulation (EU) 2025/2518 of the European Parliament and of the Council of 26 November 2025 laying down additional procedural rules on the enforcement of Regulation (EU) 2016/679 [2025] OJ L 2025/2518 (enacted version of Proposal COM(2023) 348 final).
[173] Data (Use and Access) Act 2025 (UK), s 91 (inserting Data Protection Act 2018, ss 120A–120B).
[174] See Bolognini and Capparelli (n 168).
[175] Ibid s 91 (inserting Data Protection Act 2018, ss 120C–120D); Deregulation Act 2015 (UK), s 108; Legislative and Regulatory Reform Act 2006 (UK), s 21.
[176] WhatsApp Ireland Ltd v European Data Protection Board (n 144) (remanding the case for examination on the merits without specifying the intensity of judicial review).