EU Privacy Reforms Falter Amid Member State Opposition
The European Commission's effort to overhaul digital privacy rules has stumbled after facing resistance from member states. Countries including Cyprus have rejected key aspects of the reform, which targeted cookie banners and online tracking. The opposition highlights ongoing fragmentation in the EU's approach to digital rights and creates continued complexity for designing compliant user consent flows.
- The currently stalled reform is part of a broader "Digital Omnibus" proposal, which aims to streamline various EU digital regulations, including the GDPR, into a more unified framework to reduce complexity for businesses.
- With the formal withdrawal of the separate ePrivacy Regulation proposal in February 2025, key provisions concerning cookies and user tracking are now intended to be integrated directly into the GDPR. This withdrawal came after years of deadlock among member states, with the original proposal being seen as outdated in light of new regulations like the Digital Services Act (DSA).
- A central element of the proposed reform is to allow "legitimate interest" as a legal basis for using certain cookies, which could reduce the number of consent banners for non-intrusive analytics and security cookies. However, marketing and tracking cookies would still require explicit user consent.
- Germany has been a significant force in shaping the reform proposals, advocating for a shift in responsibility towards "Privacy by Design." This would make manufacturers of software and IT products more accountable for ensuring their products are data-protection compliant from the outset, easing the burden on public sector organizations that use them.
- To combat "consent fatigue," the proposal includes measures for users to set their privacy preferences through automated, machine-readable signals in browsers or operating systems, which websites would be required to honor for at least six months.
- While the goal is simplification, the proposal has faced opposition. Countries like Estonia, France, Austria, and Slovenia have resisted rewriting the GDPR, and the European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) have raised significant concerns about proposals that could narrow the definition of personal data.
- The timeline for these changes remains extended; the Digital Omnibus package is still a proposal and will undergo further negotiations between the European Parliament and the Council, with final adoption not expected before mid-2027.
- Proposed changes also include harmonizing requirements for Data Protection Impact Assessments (DPIAs) across the EU with templates provided by the EDPB and extending the deadline for reporting personal data breaches from 72 to 96 hours.