Europe's Privacy Flip-Flop

I’m Alan Chapell. I’ve been working at the intersection of privacy, competition, advertising, and music for decades, and I’m now a regulatory analyst writing for The Monopoly Report.

The latest Monopoly Report podcast!

 This week, I welcome Vermont State Representative Monique Priestley. Monique and I talk about her multi-year crusade to bring a comprehensive privacy law to the State of Vermont.

Europe’s Privacy About-Face

As you may know, the EU has been contemplating a rethink of the GDPR and ePrivacy Directive. Max Schrems recently shared a leaked set of draft amendments crafted by the EU Commission — dubbed the "Digital Omnibus."

The Digital Omnibus draft contains changes aimed at simplifying compliance with EU data protection law. In many ways, the draft has lowered the compliance bar significantly. Unsurprisingly, privacy advocates and many others are completely up in arms over the proposed changes.

I’ll admit to a teeny bit of schadenfreude when it comes to certain European colleagues who may have to come to grips with the notion that the U.S. could end up setting a higher privacy bar than Europe pretty soon.

I want to caution that this is merely a leaked draft, and I can’t speak to its accuracy. Also, some of the ideas in here come off as a bit half-baked. I’d imagine that subsequent drafts will clean up some (and perhaps even all) of the ambiguities.

So, reader beware!

Marketecture Live is going BIG with our new partners: ADWEEK and TVREV.

Marketecture Live III: Consumers in Control takes place on March 10-11, 2026, at the Glasshouse in NYC.

• 2 Full Days

• 3 Tracks

• 1,000+ Attendees

Early Bird tickets now available

What changes are under consideration?

Regular readers of TMR know that I’ve been fairly critical of what I’ve characterized as Europe’s over-reliance on consent. And we’ve covered this on the podcast with Peter Craddock, Tobias Judin, and Robert Bateman. Anyway, here are a few of the Digital Omnibus changes to the GDPR that are likely to be important to those of us working in the ads space:

• Narrowing the definition of “personal data”: Under current GDPR rules, data is personal if anyone could reasonably identify someone from that data set. The proposed amendment adopts a more subjective test: Information only becomes personal data for controllers who can "reasonably likely" identify individuals using their specific capabilities.

  Alan’s Take: This “change” seems roughly in line with the recent CJEU ruling in the SRB case. But it does raise the question: Are pseudonymous advertising IDs still personal data under this proposal? And if not, does that pull a good deal of adtech data flows outside of the ruleset under EU data protection laws? (Note: The change to the definition of personal data is mitigated by some odd changes to the ePrivacy Directive.)

• ePrivacy / cookie rule changes: Under current law, the mere placement of a cookie or similar tracking technology on a browser or device requires a consent in most ad-related use cases under the ePrivacy Directive. The proposed Article 88a GDPR would erase the cookie provisions of ePrivacy and move the rules governing personal data processing on devices from ePrivacy's strict consent framework into GDPR's more flexible legal basis system.

  Alan’s Take: This approach would allow the placement of cookies under legitimate interest and could potentially render the IAB EU TCF to be partly, if not completely, obsolete. One of the weird outcomes of this is that non-personal data remains covered under ePrivacy, and therefore remains covered under the ePrivacy consent regime. It’s not really clear how this would work out in practice for the adtech and digital media world. But if advertising IDs were to fall outside the definition of personal data, then they’d still be covered under the ePrivacy’s consent requirements.

• Do Not Track is back!: The draft contemplates use of browser and mobile o/s-imposed consent preference signals. This is an idea that has repeatedly been discussed and then shouted down in Europe over the past 15 years, but which seems to have been resurrected perhaps due to the apparent “success” of Global Privacy Control signals in the U.S.

  Alan’s Take: Browser and mobile o/s controls are fine provided that there are provisions in place to ensure that the browsers aren’t able to use those controls to preference their own ad products.

  An odd loophole: There is an interesting exception / loophole the enables a "media organization" to effectively ignore the signal. As a result, data subjects would not have the right to refuse their online activity being processed for behavioral advertising purposes. It’s an intriguing idea and is perhaps designed to address one of the biggest issues with all these EU consent requirements: that they disproportionately impact the publisher community. But there are so many open questions that it’s almost impossible to ascertain the value of the idea.

  For example:

  (1) How is a “media organization” defined?

  (2) Is the exemption solely for media organizations, or is it applicable to companies supporting the media organizations?

  (3) Is the exemption designed solely to allow publishers to serve contextual ads (i.e., so as not to allow data subjects to opt-out from advertising)?

  (4) Can the opt-out signal be enacted without the user expressing a specific choice? Is it on by default?

There are other interesting and impactful provisions in the Digital Omnibus draft. For example, there are new rules for DSARs and sensitive data and AI. Subscribers to the full Chapell Report receive analysis of all that and more every month.

Why none of this matters…

But the big question is: Will EU Data Protection regulators “play ball” when it comes to these changes? Of course they won’t. So long as enforcement continues to be the domain of each EU data protection regulator, there will be headwinds to such changes. And let’s face it: None of EU member state regulators will be happy about these changes.

My guess is that most of them find creative ways to advocate for the concept of privacy as a fundamental human right regardless of what the text of the GDPR says. That’s not meant as a criticism of EU data protection regulators; they view themselves as protectors of the realm.

Look no further than Denmark’s recent response to the CJEU’s ruling on the definition of personal data. Say what you want about stubbornness or keeping true to the dogma of privacy or whatever. The regulators in Europe will almost certainly use their enforcement powers to complicate these new rules if they feel that such rules degrade EU privacy standards.

And that is a recipe for conflict, lack of consistency, and very little clarity.

Wanna take a guess regarding who benefits from the uncertainty?

_________________________________________________________________________

If there’s an area that you want to see covered on these pages, if you agree or disagree with something I’ve written, if you want to tell me you dig my music, or if you just want to yell at me, please reach out to me on LinkedIn or in the comments below.