Simplification in digital policy:
less bureaucracy, more clarity?

EU digital legislation has also come into focus as part of the agenda to reduce bureaucracy in autumn 2025. In this context, the European Commission has presented two proposals: a Digital Omnibus addressing data, cybersecurity and electronic identification, as well as a Digital Omnibus on AI, which provides for targeted amendments to the AI Act.

The background is that Brussels is often confronted with the criticism that, in the digital domain, too many, unclear and overlapping rules tend to hinder rather than promote innovation. Even Members of the European Parliament who were involved in drafting the relevant legislation now acknowledge that not all provisions are fit for practical implementation. This is evident, for example, in the AI Act, which was adopted in 2024 and is not yet fully applicable. In particular, it has been criticised that time pressure towards the end of the negotiations was high and that some technical requirements were adopted without sufficiently developed implementation standards. This can lead to uncertainty in practical application. At the same time, technologies such as large language models (LLMs) have developed rapidly during the legislative process, meaning that not all conceivable use cases could be taken into account.

Many experts also see a need for adjustments in data law, for example with regard to the use of personal data for research in the health sector or for the training of AI systems. Existing rules are considered only partially suitable for digital innovation. Against this background, the European Commission’s proposed Digital Omnibus responds to the frequently expressed demand to modernise existing digital legislation, reduce overlaps and create greater legal certainty.

In practice – including in the field of social security – some of the proposed changes could indeed provide relief. Social security institutions are increasingly engaged in complex digitalisation processes, deploy AI systems, manage highly sensitive social data and are at the same time targets of cyberattacks. Harmonised reporting and documentation requirements, coordinated procedures for data protection impact assessments or for reporting data breaches as well as more realistic implementation timelines for the use of high-risk AI systems could facilitate practical implementation. At the same time, the proposed changes intervene in central definitions of data law and could have significant implications for the protection of social data.

It is precisely here that a fundamental tension becomes apparent, one that runs through all current simplification processes at European level: the European Commission seeks to simplify rules and reduce bureaucracy in order to promote innovation and thus strengthen Europe’s competitiveness. But how far can this go without weakening European values and undermining the EU’s social objectives – and thus the idea of a social Europe?

This becomes particularly clear in one central proposal within the Digital Omnibus to amend the concept of “personal data”. In order to improve access to data and facilitate data processing, especially with regard to research and innovation, the European Commission has proposed to broaden the existing definition of personal data under the General Data Protection Regulation (GDPR). Until now, the rule has been that if data can theoretically be attributed to a person, they fall under the strict rules of the GDPR. In future, greater emphasis is to be placed on whether the entity processing the data can actually identify a person. The decisive factor would therefore no longer be solely whether identification is theoretically possible, but whether it appears possible for the specific entity processing the data.

For practice, this would have notice­able consequences. In particular, pseudonymised data – that is, data without direct attribution to a name – could, under certain circumstances, no longer be considered personal data. This would facilitate their processing, as many strict requirements of the GDPR would then no longer apply. At the same time, however, warnings have been raised about the risks: data protection, and in particular the protection of sensitive personal data, is a highly valued good in the EU and is enshrined in the Charter of Fundamental Rights.

Data protection authorities, including the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), have therefore assessed the planned extension of the definition of personal data critically. According to a joint opinion from February 2026, the Commission’s proposal goes beyond a purely technical adjustment of the GDPR and beyond the existing case law of the Court of Justice of the European Union. Both authorities therefore see a risk that the proposed change could weaken the protection of personal data. In addition, this could lead to increased legal uncertainty for organisations, as it becomes less clear when data are still to be considered personal.

Thus, the central pattern of the current reforms is also evident in digital policy: simplification can help to make processes more workable. However, it becomes critical when it alters fundamental protection mechanisms. The real challenge lies in reconciling both objectives – reducing bureaucracy while maintaining a strong level of protection for rights and security.