[FR] Note de position | [EN] Position paper
GDPR: revising to simplify
The protection of personal data must remain a source of trust and competitiveness, not a barrier to innovation
The Digital Omnibus bill is an opportunity worth seizing, provided that it fully realizes its stated goal of simplification.
Ten years after its adoption and eight years after it came into effect, the General Data Protection Regulation (GDPR) is undergoing a necessary review. The European Commission has launched this initiative through its Digital Omnibus proposal, published in November 2025, which aims to simplify several obligations, clarify certain gray areas, and reduce the administrative burden on businesses.
La villa numeris, which has been conducting research on the evolution of the GDPR since the summer of 2025, has published this position paper based on interviews with business leaders, legal experts, data protection officers, and representatives of public authorities, conducted under the direction of Jeanne Bossi Malafosse, a member of the Paris Bar.
We welcome this. The Omnibus Bill introduces concrete advances that La villa numeris applauds, such as the clarification of the status of pseudonymized data, in line with the Court of Justice of the European Union (CJEU) SRB ruling of September 4, 2025; the presumption of compatibility for the reuse of data for scientific research purposes; the explicit recognition of legitimate interest as a legal basis for training AI models; the extension of the breach notification deadline to 96 hours; and the effort to streamline information obligations to data subjects.
What we are calling for to be corrected. Several provisions remain inadequate or poorly calibrated. The definition of “scientific research” must be explicitly expanded to include privately funded research in order to ensure legal certainty for investors. The balancing test for legitimate interests must take into account the interests of third parties. The processing of sensitive data for AI purposes requires a more operational risk-based framework.
Missed opportunities. The Omnibus Directive fails to capitalize on all the opportunities it creates. The governance of the European Data Protection Board (EDPB) remains insufficiently reformed. The e-Privacy Directive is not truly integrated into the GDPR: the duplication of cookie rules creates new asymmetries rather than eliminating them. The centralized consent mechanism at the browser level, as proposed, is both technically unworkable and economically dangerous for the press, publishers, and SMEs. Harmonization of dispute resolution procedures among the 27 Member States is still lacking.
>> Download >> Télécharger
:: For further reading
- Digital Omnibus Regulation Proposal. «(...) to provide immediate relief to businesses, government agencies, and citizens, in order to boost competitiveness» >> Download
- «GDPR: simplifying without compromising». David Lacombled's column in l’Opinion >> Read
- «GDPR: is 5 years something to celebrate?» Our report published in 2023 >> Read
- «Toward a stable legal framework for international data transfers». Our position paper published in 2022 >> Read