💥 Finally online: my take on the GDPR Omnibus leak: https://verfassungsblog.de/the-omnibus-package-of-the-eu-commission/
🗒️ Up front: I focused only on the definitions in Articles 4 and 9 GDPR.
📗 Yes, there are positive proposals in this draft.
📕 Yes, there are also more very negative changes.
❗ Overall, the proposals would significantly lower the GDPR’s level of protection. The much‑discussed risk‑based approach is largely absent.
🌀 Instead, the draft goes to the core of the GDPR’s foundational choices: the definition of personal data. It’s unclear how European SMEs—not Big Tech—would benefit. What changes, instead, is that an already uneven playing field shifts to a uniformly lower level of protection.
📇 Redefining “personal data” in Article 4 GDPR would create major legal uncertainty and is not an adequate response to CJEU (EDPS/SRB). There is far less that is genuinely new there than some interpretations suggest.
✂️ Narrowing the special categories of personal data, combined with the wholly unsuitable regulatory category “for the purpose of operating/ training AI models,” leaves data subjects in the digital economy basically unprotected.
🗑️ Bottom line: data protection disappears the moment an “AI” label is attached
🪪 💡 📢 Data protection is essential to free societies; eroding a long‑established level of protection will not create a single “EU AI champion”—it will erode fundamental rights, enforcement, and the rule of law