Event debrief: Upholding consumers' digital rights in the Omnibus era

Consumer champions do not buy the EC’s argument that simplification would strengthen levels of data protection

Consumer protection and fundamental rights must not be traded away in the pursuit of regulatory simplification

On 5 May 2026, Assembly attended an event held by BEUC – the European consumer body – on the potential impacts of the EC’s Digital Omnibus package. Cláudio Teixeira (Head of Digital Policy, BEUC) made his position clear at the outset, stating that anyone working in the digital space could not help but be concerned by the proposals, putting organisations such as BEUC on the defensive as they seek to justify the positive outcomes that existing regulation continues to deliver. Acknowledging that this is not exactly “where we want to be”, Teixeira stated that amid the EC’s push for simplification, current consumer protections must remain (particularly for the most vulnerable end users) and that fundamental rights must not be seen as being “up for grabs”.

Network effects and switching costs are among the factors preventing end users from leaving worsening digital services

Linn Hogasen (Senior Digital Policy Officer, Norwegian Consumer Council) exemplified Teixeira’s concerns through a presentation on “enshittification”, a process by which digital products and services become gradually worse as a result of, for example, excessive advertising and “AI slop”, or the degradation or removal of useful features. Hogasen stated that enshittification happens in three stages, with companies:

  1. Using artificially low prices to attract consumers and lock them in (as is currently playing out with AI);

  2. “Squeezing” consumers to provide better value for business customers; and

  3. Exploiting both sides of the market to benefit themselves and their shareholders (something already witnessed in adtech).

She argued that tech firms deliver enshittification by leveraging network effects and the sunk cost fallacy (which makes consumers perceive a high bar to leaving a given platform), both of which are reinforced by the impacts of technical lock-in and deceptive design. Hogasen added that big tech is also able to achieve this situation via M&A, with 64% of the 300+ companies acquired since 2015 now discontinued, while many others have had their business models changed – typically relying on advertising revenue to a greater extent. Though tech companies are able to use their lobbying power to control legislation indirectly, Hogasen stated that all hope is not lost, calling for policy interventions to reset the balance of power between tech firms and consumers, drive market competition through public procurement and strengthen the enforcement of existing rules (rather than enable deregulation).

The integrity of the Draghi Report’s recommendations was called into question

The first of two panel sessions focused on the potential privacy-related effects of the Omnibus, with Karolina Mojzesowicz (Deputy Head of Unit, Data Protection, DG JUSTICE, EC) reiterating much of her previous defence of the EC’s proposals at the European Data Protection and Privacy Conference. She stated that the Omnibus would deliver simplification and legal certainty and address issues with fragmentation in the application of the GDPR, while keeping the key pillars of the regulation in place. Mojzesowicz sought to stress that “by no means” would this lower standards of data protection, even in the case of training AI based on legitimate interest, as there would be an absolute right for end users to object. Brendan Van Alsenoy (Acting Head of Unit, Policy & Legislative Consultation, EDPS) welcomed efforts to address cookie fatigue; however, with the GDPR being the “horizontal foundation” on which Europe’s digital rulebook is built, he stated that he would be concerned about the prospect of any change to the definition of personal data and about the EC’s reliance on implementing acts to realise its ambitions.

While seeing privacy signals as one of a small number of potentially beneficial aspects of the Omnibus, Itxaso Domínguez de Olazábal (Policy Advisor, EDRi) considered that greater harmonisation in the application of the GDPR could be brought about via enforcement by data protection authorities (DPAs) without reopening the law in its entirety. Domínguez de Olazábal also took exception to the Draghi Report as one of the driving forces behind the EC’s proposals, suggesting that it may not be “intellectually honest” and that, as an academic, she was “appalled” in reading it. With the debate becoming increasingly heated, a frustrated Mojzesowicz stated that she takes issue with suggestions that the EC is changing the definition of personal data (rather than just anchoring it in relevant case law) and cannot understand claims that the Omnibus would have negative effects on consumers, contending that it would more likely enhance both privacy protections and competition.

EU policymakers were under pressure to strike an agreement on the AI Omnibus

Ahead of the (now successfully completed) third trilogue on the AI Omnibus, speakers on the day’s second panel were aligned on the significant amount at stake. According to Laura Lazaro Cabrera (Counsel and Director, Equity and Data Programme, Centre for Democracy and Technology), the AI Act is thoughtfully crafted, (already) accounts for overlaps or conflicts between legislation and brings a fundamental rights dimension, which sectoral regulation does not do. While it would not carry the same extraterritoriality as the GDPR, Ana Bárbara Gomes Pereira (Director, Internet and Society Reference Institute) stated that the act is shaping discussions around digital rights in Brazil and has influenced the development of draft legislation soon to be voted on by the country’s Chamber of Deputies. However, following two unsuccessful rounds of institutional negotiations, Katinka Clausdatter Worsøe (Attache for Digitalisation, Denmark Permanent Representation to the EU) recognised that EU policymakers were running out of time to reach a deal on the Omnibus – particularly as obligations for high-risk AI systems were set to come into force on 2 August 2026. She stated that both the Parliament and the Council would need to show flexibility, but underlined that the latter’s guiding principle would be simplification and not deregulation. If no agreement could be reached, Clausdatter Worsøe stated that deleting all timelines within the AI Act would represent the “nuclear option” and while “no one wants to go there”, it was nevertheless closer to being on the table than it ever was before.