If you work with technology or information security, you have probably already noticed that European regulation is about to undergo a hard fork (to paraphrase the blockchain crowd). The European Union introduced the Digital Omnibus Package, a rewrite of the regulatory source code that promises simplification, but, in my humble opinion, hides architectural risks to privacy.

We are not just talking about more bureaucracy, but a paradigm shift born from the economic panic generated by the “Draghi Report.” The diagnosis clearly stated that Europe is losing the innovation race to the US and China due to excessive regulatory constraints, and the proposed solution is to try to simplify data processing to unlock the digital economy. I talked about this a few posts ago here on the blog.

👱‍♂️ Donald Trump and the privacy market

Marison Souza

·

August 11, 2025

Read full story

For us software and privacy engineers, the most critical and technically dangerous change is the redefinition of “personal data.” The proposal suggests codifying a subjective approach where the same dataset can be considered personal for a tech giant that holds the re-identification keys, but “non-personal” for a startup that accesses the same data without the original hash table. Hey WHAT?

This creates what I call “Schrödinger’s Data,” where the security classification depends on the declared capability of the data processor, completely ignoring that the evolution of computational power and AI-driven inference attacks can re-identify users in seconds. This could encourage “willful blindness” architectures, where we segregate systems purely to evade the scope of the GDPR, reducing the encryption and access safeguards we should apply by default. If so, why do we have privacy laws?

However, not all is bad. There is an interesting technical victory in the proposal to kill cookie banners. The Omnibus plans to abolish the ePrivacy directive and bring its rules into the GDPR, creating the concept of Privacy-Enhancing Analytics (PEA). If you configure your analytics stack to run locally or first-party, masking IPs at the source and ensuring no data leaks to third parties, you can get rid of consent banners. That is, it becomes a technical challenge only. I wonder what will happen to the other privacy laws around the world that were inspired by e-Privacy...

This validates investment in proprietary infrastructure and Server-Side Tagging but penalizes cookie management software solutions. Furthermore, the proposal to standardize signals via HTTP headers or browser APIs is brilliant in theory, moving the privacy decision from the user interface to the protocol, although the proposed exemption for media sites could create serious inconsistencies in the user experience - media sites today already use “legitimate interest” for marketing cookies even where consent should be the appropriate legal basis.

On the Artificial Intelligence front, the change is seismic for developers. The text proposes allowing the use of Legitimate Interest for model training, which practically authorizes us to use historical databases to train AIs without the impossible need to obtain retroactive consent from millions of users. However, this is not a free pass. It will require the implementation of data minimization safeguards in the ingestion pipelines (ETL) and opt-out mechanisms that challenge the current physics of neural networks. This will likely force the industry to abandon monolithic models in favor of modular architectures like RAG, which allow the selective “forgetting” of information without the need to re-train the entire model.

Despite the healthy skepticism we must maintain, I see an interesting future if these rules are well implemented. We are finally moving privacy from the interface layer to the invisible, structural protocol layer. We will stop being mere implementers of consent scripts and become real privacy architects, building systems that protect privacy by default. The engineering challenge will be to ensure that political “simplification” does not result in technically vulnerable systems. We shall see!