The European Union’s digital rulebook is increasingly criticized for its complexity, prompting calls for simplification. However, recent proposals like the draft Digital Omnibus regulation are strong on limiting rights but weak on providing clarity. For instance, proposed changes to the GDPR’s definition of “personal data” introduce diverse subjective criteria and deepen the layering approach by conferring rule-making powers on the Commission to adopt further exceptions and qualifications. This post argues that in order to achieve simplification, we must comprehend and address the root causes of complexity by clarifying rights and obligations, reducing regulatory overlaps, and prioritising long-term coherence over short-term fixes. An analysis of the system must be grounded in foundational legal principles and a commitment to transparency and accountability, allowing the EU to achieve a digital acquis that is both effective and rights-preserving.

Why Simplification?

The need for simplification of the European Union’s (EU) digital acquis – the body of law now including well over 120 EU legislative acts that regulate digital matters – is frequently invoked as a question of geo-strategic relevance to the Union. Various reports have called for its simplification to strengthen European resilience, economic powers and the democratic decision-making systems. The Council joined this chorus calling for no less than ‘a simplification revolution’ to ensure a ‘clear, simple and smart regulatory framework’.

In view of this chorus, it is necessary to understand the origins of the complexity of this body of law. It is a result of the EU’s own regulatory choices baked into legislation: it developed a system with detailed rules for specific AI and data use cases in a system layering legislative with non-legislative acts and supplementing these binding provisions by diverse types of standards; it designed an ever more complicated system of new bodies and agencies, multi-jurisdictional procedures and self-assessments complemented by private certifications. The resulting maze of regulatory content is difficult to comprehend for individuals and businesses alike, and even more challenging for public bodies to supervise – a structure that has become so complex and lacking in transparency, it risks undermining the Union’s capacity to shape reality in the face of global challenges.

As one of the so-called “omnibus” regulations that contain amendments to several legislative acts, the European Commission published a draft Digital Omnibus regulation on November 19th. This includes, in the words of the Commission, ‘a set of technical amendments to a large corpus of digital legislation, selected to bring immediate relief to businesses, public administrations, and citizens alike, and to stimulate competitiveness.’ The measure of success: reduced administrative burden. Nonetheless, a thorough analysis is lacking, which burdens are to be removed from whose shoulders and where some of that regulatory weight is being transferred. Questions abound about whether the approach taken by the draft Digital Omnibus is compatible with EU law and capable of advancing policy objectives.

Well-Considered Proposals?

Is the Digital Omnibus capable of contributing to simplification, or does it lean towards identifying individual rights as barriers to freedoms to conduct a business? Legislation limiting or balancing fundamental rights is lawful only if it complies with the principle of proportionality (Article 52(1) of the Charter), which requires that where alternative options exist to achieve policy objectives, a balancing exercise must have been undertaken showing how the solution that least limits rights and freedoms was assessed and chosen. This requires evaluating different alternative legislative options. Adopting acts without understanding possible alternative, possibly less limiting options, amounts to the EU legislature’s breach of the principle of proportionality.

The EU’s tool for assessing alternative regulatory approaches is codified in points 12 and 13 of the 2016 Interinstitutional Agreement on Better Law-Making. Under this, the Commission will conduct impact assessments of all legislative acts, as well as of ‘non-legislative initiatives, delegated acts and implementing measures which are expected to have significant economic, environmental or social impacts.’ Instead of containing an in-depth impact assessment as to inter alia the implications of the proposals on fundamental rights positions and the economic and social impact of the measures, the draft Digital Omnibus regulation simply contains a lapidary sentence (page 12) stating that the changes to the various EU legislative acts proposed were not assessed for their impact since they  ’are not prone to multiple policy options that could meaningfully be tested and compared.’ However, in legislation proposing significant changes to existing norms, one obvious alternative is to compare the proposed change with the status quo.

Is This Simplification?

To pick just one example of the profound impact the draft Digital Omnibus will have on the balancing and content of fundamental rights positions, consider the changes to the scope of the definition of personal data under Article 4(1) GDPR (Regulation 2016/679). The draft Digital Omnibus regulation proposes considerably narrowing the scope of application of the GDPR relative to the law in force, thereby also limiting the protection afforded under Article 8 of the Charter. Despite promises of simplification, it limits rights by adding layers of complexity.

The draft Digital Omnibus does this by adding three new subparagraphs to the definition of the concept of personal data in Article 4(1) GDPR, providing that data may ‘not necessarily’ or not ‘merely’ be regarded as personal data because another person may be ‘reasonably likely’ to identify it. The proposal thereby transforms Article 4(1) GDPR from containing a predominantly objective definition of personal data (see especially paragraphs 68-90 of C-413/23P EDPS v SRB) to a definition that depends on numerous additional subjective assessments. A party holding data must, under the new concepts of reasonable likelihood, assess multiple future holders of that data’s potential technical capabilities, their ethics or their potential trustworthiness. The draft also introduces temporary uncertainty because, at any given moment, what was reasonably likely may become unlikely, and vice versa, depending, for example, on expressions of intent. Adding to this definitional uncertainty in the legislative act, the Digital Omnibus introduces further uncertainty through yet another move toward a layered approach. A new Article 41a of the GDPR is intended to confer on the Commission powers to exclude certain other fields from the definition of personal data by an implementing act (Article 291 TFEU).

This one example concerning the definition of personal data is only one of the draft Digital Omnibus’s many, which cut into the very nature of fundamental rights in the digital sphere. Cutting rights and making their enforcement increasingly difficult belies the concept of a human-centred digital regulatory approach. This draft wording also illustrates how the Digital Omnibus belies its stated goal of simplification. It is actually difficult to imagine a better example of how additional complexity will lead to profound legal uncertainty about the existence and extent of the scope of protection of a fundamental right for all parties involved: industry, facing potential fines for violation of data protection rules increasingly difficult to handle; individuals’ enforcement and correction rights now complicated by confusion about what falls under Article 15 GDPR access rights to personal data; data protection authorities facing uncertainty about rights and obligations of all parties.

This example also shows that, well beyond the Commission’s claim of ‘administrative burden reduction’, the draft Digital Omnibus regulation will make it more burdensome to ensure a human-centred approach. Qui bono? The increasing uncertainty introduced by the Digital Omnibus regulation, at least that is clear, will benefit those big companies that are currently violating EU law by transferring large-scale EU data to foreign jurisdictions without the necessary safeguards, exploiting European weaknesses and manipulating its citizens. It will help them escape being held to account for a very long time.

There Are No Alternatives?

This example reveals a greater problem in today’s EU simplification efforts. Although attempts to simplify the Union’s legislation and regulatory system have been a systemic challenge on the EU’s policy agenda for many decades, neither the origins and elements of complexity nor the pathways of simplification within the EU’s multi-level legal system have been decoded. Without such understanding, attempts to fix the problem risk dragging the Union ever further into a quagmire of complexification, each more confusing than the next, as the example of the annulment of Article 4(1) GDPR in the Digital Omnibus shows.

The route should therefore be to find means to comprehensively reduce incoherent regulatory approaches, increase transparency of rights and obligations across policies and sectors, clarify responsibilities, enable accountability and fundamental rights protection, and decrease the number of composite procedures involving a host of new bodies and structures. This is no easy task. It requires oversight, understanding of the legal system and the capability to design pathways to simplification that can be conceptualised, assessed, and adapted to enhance both the EU’s policy performance and its foundational values.

That process would require recognising that the complexity is deeply endemic and arises from the regulatory design put into place in the past decade. It requires careful thought and comparison of the regulatory models used for risk regulation with the experiences from past policies. If this means going back to the basic purposes and commonalities of the regulatory content, undertaking basic legislative legwork and developing conceptual clarity of the means to address the considerable geostrategic impact for the Union, the price is worth paying. After all, if a concept is too complex to be explained properly, it might not be sufficiently well understood in the first place.

However, this is an undertaking one might have wished for before the current digital acquis was created over the past decade, when, for example, being the first to regulate AI was declared a goal in and of itself. Now there seems to be the same incentive to de-regulate and re-regulate matters with an even greater haste, but judging from the example shown above, no better outcome.