The EU’s Digital Omnibus offers relief for ad tech, but hands more power to Big Tech and AI agents

“The Commission set a course to simplify EU rules to make the EU economy more competitive and more prosperous by making business in the EU simpler, less costly and more efficient,” reads a statement from the executive body. “The Commission has a clear target to deliver an unprecedented simplification effort by achieving at least 25% reduction in administrative burdens, and at least 35% for SMEs until the end of 2029.”

At 153 pages long, there is a lot to digest, but here’s a rundown of what it does, who it affects, and what happens now.  

What it aims to fix

EU digital regulation has grown chaotic. There are overlapping rules for privacy (GDPR and ePrivacy), data sharing (Data Act and Data Governance Act), cybersecurity (NIS2, DORA, CRA), platform governance (DSA and DMA), and new legislation such as the AI Act. Different laws use different definitions, trigger different reporting requirements, and sometimes contradict each other.

The Commission says the Omnibus will reduce “administrative burden,” “enhanced legal clarity,” and make it easier for businesses — especially small ones — to comply. It also aims to make the EU more attractive for AI development and data-driven products, which the Commission sees as important for Europe’s competitiveness.

Key Omnibus proposals

A more precise and narrower definition of “personal data”

• The proposal writes existing court guidance into law and clarifies when pseudonymized data should be considered personal. For example, identifiers that cannot be linked back to an individual without additional information — such as some hashed IDs or modelling signals — may no longer be treated as full personal data in all contexts. In effect, per the ad industry’s “optimists,” some types of identifiers could no longer fall under the strictest GDPR requirements.

Who it will impact:

Legal personnel at advertisers, agencies, demand-side platforms, supply-side platforms, customer data platforms, etc., will likely read this and breathe a sigh of relief. This is because they can use certain types of data with lower legal risk. It could also revive some audience modeling techniques that became too complicated after 2018.

Permission to use some personal data for AI training

• The Omnibus adds a legal basis that allows AI systems to be trained on personal or pseudonymized data when safeguards are in place. This effectively legitimizes large-scale dataset collection for model training, provided developers can demonstrate appropriate risk mitigation.

Some observers note that this creates practical and competitive tensions, i.e., large-scale crawlers cannot reliably distinguish personal data from general web content at the point of collection, meaning any separation occurs only later — often imperfectly.

Others argue that while these updates reduce unnecessary friction in areas like consent pop-ups, policymakers must ensure the reforms don’t inadvertently advantage dominant platforms. U.K. regulators have previously warned that overly narrow interpretations of data protection law can entrench large, vertically integrated players while making it harder for smaller ad tech outfits and startups to compete.

Who it will impact:

Big AI developers (Google, Meta, Microsoft, Amazon, OpenAI) benefit most. Some ad tech vendors will also gain new opportunities to build or improve machine-learning models.

Alignment of ePrivacy and GDPR

• Consent will still be needed for invasive tracking, but some types of device access — such as security checks and basic measurements — will be easier.

Who it will impact:

Analytics, verification, and measurement partners may regain certainty and functionality.

Consolidating data sharing laws

• The Data Act becomes the main framework for cloud switching, interoperability, and access to public-sector datasets. Several older laws are folded into it.

Who it will impact:

Cloud providers and data exchange services will need to update contracts and processes, but will operate under a clearer rulebook.

Singular reporting for cybersecurity breaches

• Instead of notifying multiple regulators under different frameworks, companies will report cyber incidents once through a unified system.

Who it will impact:

Large platforms and intermediaries reduce compliance overhead.

Winners and losers?

Large platforms and AI companies

They are the biggest winners. They already have the data scale and internal compliance teams to use these changes immediately. Clarified rules on data and AI training further strengthen Google, Meta, Amazon, Microsoft, and Apple.

Advertisers

Marketers regain some data tools and measurement options that became difficult under GDPR. Programmatic campaigns should run more consistently across EU markets.

Media agencies

Less fragmentation and fewer consent-related disruptions will make planning and reporting simpler.

Ad tech intermediaries

All the acronym companies — CDPs, DSPs, SSPs, etc. — will benefit from clearer rules, but will still face an uneven playing field. However, Big Tech platforms remain advantaged because they own the largest first-party data sets and have the strongest AI capabilities.

Publishers

Results are mixed. They may see less traffic loss from consent banners, but they could lose power if browser and operating-system settings become the main way users control privacy. This could repeat the dynamic seen with Apple’s ATT and Google’s Privacy Sandbox (R.I.P.).

SMEs

The Omnibus formally expands exemptions for small and “small mid-cap” businesses, but critics say this won’t fully offset Big Tech’s structural advantages.

The end of GDPR?

Civil liberties activists have expressed concern that the Digital Omnibus represents the erosion of GDPR, and it’s here where opinions are split.

Civil-liberties activists

They believe the Omnibus weakens GDPR by narrowing the definition of personal data and allowing more data to be used without consent, including for AI training. They argue this shifts power away from individuals and towards processors.

Industry privacy professionals

They describe the Omnibus as a long-overdue update that fixes confusing rules and removes unnecessary burdens. They argue that GDPR’s core principles remain in place, but its more rigid and impractical interpretations are being corrected.

Regulators

The Commission insists this is not a rollback. It says the reforms “preserve the highest standards of fundamental rights” while improving clarity.

The truth is somewhere in between: this is not a repeal of GDPR, but it is a loosening of the strict compliance culture that dominated EU data protection since 2018.

What it means for the ad industry

• Advertisers will find it easier to run consistent multi-market campaigns and use pseudonymized signals.
• Agencies may see fewer consent-related disruptions and smoother measurement.
• DSPs and SSPs will recover some scale but face tougher competition from platforms controlling identity, AI, and device-level controls.
• Platforms gain more certainty, especially around AI and first-party ecosystems.
• Publishers may get traffic gains but lose leverage if privacy controls shift to browsers and operating systems.

The timeline

When does the law apply, and when is it enforceable? This is where confusion is highest.

Similar to after GDPR was first passed in 2016, the Omnibus is to become law shortly after publication, but different parts apply at various times because they amend multiple laws. 

However, different sources anticipate that in practice, the real-world impact will be in the range of 12 to 36 months. Regulators must update guidance, DPAs must harmonize interpretations, technical standards must be revised, and businesses need time to adjust systems.

In other words, the Omnibus becomes law fast, but becomes reality slowly.