The European Commission’s Digital Omnibus proposal to impose additional limits on the right of access to personal data is not a technical clean-up of EU digital law, but a near verbatim reproduction of industry lobbying demands. The proposal restricts the very tool used by citizens, NGOs, journalists, workers, researchers, and civil society (most famously Max Schrems) to uncover systemic unlawful practices. Instead of strengthening EU digital competitiveness, the proposal threatens to dismantle a tool of counter-power and a cornerstone of data protection.

In November 2025, the EU Commission published the Digital Omnibus Regulation Proposal to “simplify” the digital acquis, including changes to the GDPR. Presented as a boost to EU competitiveness and innovation—echoing the 2024 Draghi report’s call to close the technological gap with the US and China—the proposal instead risks weakening fundamental rights without making Europe more competitive. The proposal has drawn strong criticism from DPAs, NGOs and multiple academics who argue that with this the Commission would retroactively legitimise unlawful data-intensive business models and uses omnibus legislation to push through substantial changes to fundamental rights without sufficient justification or democratic scrutiny.

This contribution focuses on the proposed change to the right of access to personal data – an essential tool for citizens (NGOs, investigative journalists, unionized workers, researchers, individuals) to understand, assess and contest unlawful practices. For example, Privacy International used the right to uncover grave abuse of personal data by data brokers, leading regulators to impose a hefty fine. The right is enshrined in Article 8(2) of the Charter of Fundamental Rights of the EU, and is generally considered a cornerstone of data protection law. Still, as my research and the experience of many citizens attest to, the right currently already does “not fully meet its emancipatory potential”, because of non-compliance and lack of enforcement. Now, the Commission proposes (p35-36 and 80) that controllers should be allowed to reject requests that are made for purposes other than data protection, and unspecified requests (for all data). A seemingly technical adjustment that would have dire consequences if adopted.

This change would hollow out an essential tool for citizens to assess and contest unlawful practices. While the Commission suggests it is merely “clarifying” the existing law, it in fact radically departs and is directly opposed to current doctrine and ECJ rulings and will create rather than resolve legal uncertainty. All the while, EU competitiveness in digital industries is unlikely to be improved by these changes, because it dismantles a right that is used to contest unfair business practices and thereby contributes to fair competition. The root cause seems to be that the proposal is based more on listening to industry associations representing the interests of US tech companies and German landlords, rather than on sound independent problem analysis.

The Council and the European Parliament should reject or significantly amend this restriction. The flaws in this specific provision should give everyone reason to seriously scrutinize other elements of the proposal, and ask whether they are reasonable steps to help Europe thrive.

An unclear amendment to Article 12(5)

Under the GDPR, individuals may ask controllers whether they process their personal data, and receive access to those data and information about the processing. Article 12(5) permits controllers to refuse requests, or request a fee, when they are ‘manifestly unfounded or excessive’, in particular because of their repetitive character. According to the ECJ Österreichische Datenschutzbehörde – Excessive requests, as well as the EDPB this clause is an expression of a general principle of EU law, which means that rejecting abusive requests is allowed. As the EDPB explains that it can be invoked for instance for requests that are used as a means of blackmail or requests made with the mere intention and effect of causing disruption at the controller.

To this existing provision, the Commission proposes to add that access requests can also be deemed excessive when a data subject “abuses the rights conferred by this regulation for purposes other than the protection of their data.” The application of this clause is ambiguous. It could either just mean that abusive requests are not allowed, or that any use for purposes other than data protection should be seen as abusive, and therefore rejected by the controller.

In the proposed Recital to the provision, the Commission makes things even more confusing. First, it adds that exactly the type of situations that the EDPB considers abusive should be seen as abusive – which is unnecessary because this was already established, and also does not help clarify the unclarity of the main provision. Second, the Recital adds that controllers can reject overly broad and unspecified requests. However, since Recitals cannot restrict rights, this also adds additional ambiguity as long as it is not made explicit in the actual provision.

Restricting the purpose of the right of access

The main proposed change, of allowing access requests only when they are intended for the protection of personal data, may look reasonable at first sight. But, in fact, it will lead to immense legal uncertainty, is diametrically opposed to recent case law of the ECJ while suggesting to merely clarify the status quo, and is likely to go against the essence of the fundamental right to data protection.

The crucial problem is that the right of access to personal data is best defined as “intent agnostic”, or “motive-blind”. After a long and messy history of controllers sometimes successfully refusing access on grounds that requests made for reasons that allegedly fell outside the scope of data protection [e.g. Nowak and YS and others], the ECJ has ruled in Copies of medical records that controllers have to provide access to personal data independent of the reason for which the data subject has made the request.

This ruling fits with the historical roots of the right, which show the purpose as allowing people to defend their rights and interests on the basis of information about themselves, and to force those in power to be accountable to those who are subject to their authority.

In practice, Uber drivers, for instance, have collectively used their right of access to prove and contest unlawful labour practices by the company. Similarly, patients request access to their medical files to prove alleged wrongdoing, such as in a case of women in Slovakia claiming to have been sterilized against their will by medical personnel during their stay in hospital.

The right is and should continue to be used to scrutinize and challenge digital infrastructures or ecosystems, beyond mere questions of data protection. The Union legislator stated that the GDPR protects all fundamental rights (Article 1(2)). This is not a “problem” but an intentional choice, and not something the Omnibus should try to change.

Conditioning access on motive is unworkable; a controller cannot know a data subject’s “true intention.” Individuals could simply state their purpose is data protection, rendering the clause ineffective while encouraging protracted litigation and inconsistent interpretation.

Specificity requirements erode accountability

In the proposed recital on the change to the provision on excessive requests, the Commission proposes that data subjects would be obliged to specify which information they want to receive, and that ‘overly broad and undifferentiated requests’ should be regarded as excessive. Currently, Recital 63 GDPR allows controllers to ask data subjects to do so, but according to EDPB interpretation (paragraph 35), data subjects are allowed to refrain from reducing the scope of their request and demand access to all data.

When the data subject does not know yet which personal data the controller holds, and how the controller processes it, they are not in a position to specify the request to exactly what they need for assessing the lawfulness of the processing. Requiring data subjects to specify which data they want to access takes away the obligation for controllers to provide access to all personal data. This creates an enormous opportunity for abuse by the controller, allowing them additional room to withhold information that would have the potential to reveal unlawful behaviour.

This is not a merely theoretical concern. For example, Facebook repeatedly refused to provide Max Schrems with all of his personal data on the grounds that his request was allegedly excessive, arguing that their download tool provided everything that was ‘relevant’ for data subjects. The Austrian Supreme Court (152-155) rightfully rejected this claim by Facebook.

Questionable values, economics, and method

Contrary to the Commission’s claim that these amendments are “technical in their nature” and “preserve the same standard for protections of fundamental rights”, they represent a clear step back in citizen emancipation and protection of fundamental rights. Fundamental rights exist precisely to impose checks on power, even if this creates administrative burdens. Some requests may appear inefficient, but due process and the rule of law require tolerating this type of inefficiency to prevent abuse.

Evidence suggests the social benefits of access rights far outweigh the costs to controllers. There are many instances of supposedly excessive and/or non-data protection related access requests that have significant societal benefits. Access requests have been instrumental in safeguarding the right to privacy and protection of personal data, but other fundamental rights as well. Also, claims of abuse and inefficiency are often made by controllers in cases where citizens use the right of access to address illegitimate practices.

To the extent that the EU economy faces competitiveness challenges, it is reasonable to examine regulatory burdens. Yet it is unclear how restricting access rights could meaningfully enhance European innovation. US companies serving EU users must comply with the GDPR regardless of the Omnibus. No aspect of the proposed changes uniquely benefits European companies.

To the contrary, the proposed changes would take away a tool that is often effectively used by citizens to contest unlawful behaviour by big tech companies from the United States. If anything, citizens use the right of access as is to help create a level playing field, on which European companies should not have to compete with companies that consistently break the law.

Regulatory stability is vital for investment and innovation. By overturning clear guidance provided by the ECJ and EDPB, the proposal will cause new and greater legal uncertainty. It risks hurting competitiveness, especially of those businesses that abide by the current rules.

Fundamentally, the proposal seems to be ill-conceived because it was not based on a sound policy analysis. It would make sense to have independently minded experts – with input from all relevant stakeholders – make an impartial, holistic and coherent analysis, to determine what changes could be made to achieve the goal, and at what potential costs. Instead, the proposal lacks any clear substantiation on how the proposed change would help reach the policy goal.

What is worse, the language of the Commission’s proposal seems like a bricolage of an almost literal copy-paste of feedback and consultation provided by three trade organizations, Alliance Digitale, the German Property Federation and the European Games Developer Federation. For instance, Alliance Digital, which represents digital marketing professionals, including US big tech firms Meta and Uber, stated “the absence of clear guidance regarding the scope of data subject rights exposes companies to compliance risks while offering limited added value to individuals”. The landlords stated “the right of access is sometimes misused, for example to pursue unrelated claims (e.g. complaints, rent reductions)” and asked the Commission to change the law to ensure that “generic formulations should be rejectable.” The impression that the Commission added these changes to abide to request made by industry is strengthened by the fact that the original call for evidence for the Digital Omnibus did not contain any mention suggesting the Commission wanted to limit the right of access.

The perspective that should be taken into account, about the cost/benefit of deciding the extent to which a right is expanded or limited, is on the right’s societal value – not only the value for those who happen to have the loudest voice, the deepest pockets or the ear of the Commission. The proposal builds on uncritically accepting at face value statements by companies and public authorities that do not want the additional scrutiny afforded by the right of access to personal data, as opposed to improving the EU’s innovative potential.

The EU can do better. We should not aim for a Union where companies become competitive in producing goods and services by trampling fundamental rights in an unwinnable race to the bottom. We ought to create a socio-economic and legal environment in which industries can only thrive by making goods and services that protect those fundamental rights.