Proposals for improving the Digital Omnibus, rebalancing Data Protection and E-Privacy disciplines with Innovation

In this brief positioning paper, we intend to share some critical ideas and a list of constructive proposals so that the GDPR and the e-privacy directive can improve their balance and proportionality, coherence with other European regulations, with a view to greater competitiveness and a regulatory framework enabling sustainable innovation. The ideas presented here are the result of original work by the authors and a selection of key points that emerged during a public discussion organised by the Italian Institute for Privacy and Data Valorisation on 10 September 2025 in Rome.

The authors of this positioning paper propose a pragmatic re-balancing and re-calibration of EU data protection and e-privacy rules to better align rights protection with competitiveness and sustainable innovation, introducing a set of proposals to be considered by the EU legislator, in addition to the already bold amendments envisaged in the Digital Omnibus. The authors advance a priority approach - which would entail essential general “horizontal” fixes and improvements on principles -  focused on amending key GDPR Recitals (4, 6, 10, 26) to (i) reaffirm proportionality and the need to balance data protection with other Charter rights and innovation, (ii) require DPAs to assess cross-rights impacts, and (iii) replace “high level” with “adequate level” of protection to enable reasoned calibration. In addition, this “horizontal” priority approach would include targeted updates to Article 5 principles, like the following ones: taking a pragmatic and practical approach to transparency (toward explainability for AI), recognising secondary use authorised by the EU Data Strategy, ensuring a more functional and proportionate notion of minimisation (i.e. properly balancing privacy with bias prevention), embracing a fair and equal approach to accuracy (i.e. in case of evaluative AI outputs), extending storage for lawful secondary purposes, and embedding proportional accountability.

A secondary “vertical” approach is proposed, with a list of surgical measures which would refine lawfulness conditions, in particular focusing on: Art. 6(1)(b) on contractual necessity of personal data processing; Art. 6(1)(f) on legitimate interest, to explicitly include the “exercise of other rights and freedoms”; Art. 7(4) on consent requirements, aligned with C-252/21 on paid alternatives; Art. 9(2) on prohibition exemptions for special categories of data processing, where intrinsic to a contractual obligation, and in case of legitimate or public interests subject to appropriate technical safeguards; clarifications for XR biometrics; alignment of Art. 9(4) with EU law on health-data secondary use (e.g. EHDS); and institutional safeguards and duties for Data Protection Authorities, with mandatory impact assessments in Art. 58(4) and revising Art. 70(4) for EDPB consultations. The authors of this paper also propose to modernise e-Privacy discipline, moving the online tracking to GDPR legal bases, and to better harmonise security measures (Art. 32 GDPR with references to ENISA and international standards, consistent with NIS2/CRA/DORA).