The conversation starter in Brussels this month has been: "What is the plural of omnibus?" Omnibi, omnibuses and simply "two omnibus" have all been used. Linguistics aside, November has been a big policy month. Two omnibuses were presented. A GDPR simplification of record-keeping obligations is proceeding through the parliament. Lastly, the long awaited “Democracy Shield” was unveiled.
=== Two New Omnibuses === Last week the European Commission published two new omnibuses: One on the AI Act <https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-ai-regulation-proposal>, and a general one <https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal>, tacking a slate of digital rules. The stated intention is to simplify the sometimes very complex EU rules. However, one major criticism is that the proposals go further and fundamentally change the EU’s digital rulebook by weakening long held principles like data protection. — The “general” omnibus is packed with amendments to the GDPR and to the rules on re-use of open government data. The latter is currently spread across various pieces of legislation (Data Governance Act, Data Act, Open Data Directive). One suggested change is to move all relevant articles to the Data Act.. Another change is to allow public sector bodies to charge specifically very large enterprises to charge for data re-use. This is politically not very surprising. The challenge is that, if implemented, such specific licensing provisions would be incompatible with the open definition and free licenses used by Wikimedia projects. The details will be important here. — More consequential are the various changes proposed to the GDPR and the ePrivacy Directive. The draft tries to tackle so-called “cookie banner fatigue” by introducing several broad exceptions that will allow services to gather and use device data without asking. It also prohibits services from asking for consent a second time within six months, if they were already denied by the user. — A seemingly positive idea is to introduce a so-called “privacy signal” to browsers. Users would set privacy preferences in their browsers once and these would then be communicated automatically when opening a web site, signalling consent or denial. Another provision would require data breaches to be notified only to the authority in the place of establishment. Currently such breaches must be reported to several, sometimes even all, authorities. — The most contentious parts of the GDPR proposals are about redefining the definitions of personal and pseudonymised data. The changes would also make the re-use of personal data for AI training easier by categorising it as “legitimate interest”. Weirdly, this would lower the threshold for AI training much lower than other everyday uses. — At Wikimedia Europe we are still analysing the texts and have the ambition to share this analysis and a potential position in the coming weeks. === Democracy Shield === On November 12, the Commission published the European Democracy Shield <https://commission.europa.eu/document/2539eb53-9485-4199-bfdc-97166893ff45_en>. It is a non binding communication, identifying a whole range of measures that should protect EU democracy, focusing on three main areas: 1) the safeguard of information space; 2) the strengthening of democratic institutions, free and fair elections and free and independent media; 3) boosting societal resilience and citizens’ engagement. — Among the most relevant measures are the setting up of the European Centre for Democratic resilience, the full implementation of the current legislation (DSA, EMFA) as well as a revision of the anti-SLAPP recommendation <https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32022H0758> from 2022. There is also an explicit mention of the review of the Copyright Directive to address the challenges posed by generative AI. === AVMSD Review Consultation === The Audiovisual Media Services Directive regulates media services. However the differences between traditional media services and online video-sharing services are melting away and the EU is likely to update this piece of legislation. — The Commission opened a call for evidence <https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/15752-Audiovisual-media-services-evaluation-and-update-of-EU-rules_en> to kick off its revision process. The next step will be the launch of an open consultation and the publication of the report by December 2026. — Relevant issues for us to monitor are which platforms get defined as video sharing or streaming services. Currently Wikimedia Commons is not in scope. Video sharing or streaming services have certain obligations , such as carrying European content and age verification. All these will be re-discussed. === GDPR Simplification === Since May a legislative proposal <https://oeil.europarl.europa.eu/oeil/en/procedure-file?reference=2025/0130(COD)> to reduce the record-keeping obligations on SMEs has been making its way through the process. It includes changes to the GDPR. Most notably, the European Commission suggests that organisations with fewer than 750 employees should have fewer obligations, as long as the processing is not high risk. This would benefit the Wikimedia Foundation, which is currently around 700. — The European Parliament committees now further voted to increase the threshold to 1500 (see Amendment 3 <https://www.europarl.europa.eu/doceo/document/CJ58-PR-775772_EN.pdf>). Another amendment (AM 4), specifies that the derogation is for a given processing activity. Meaning that if an organisation performs both high-risk processing and non-high-risk processing activities, the derogation will still apply to the latter. === CSA === This week the Council finally agreed <https://www.consilium.europa.eu/en/press/press-releases/2025/11/26/child-sexual-abuse-council-reaches-position-on-law-protecting-children-from-online-abuse/> on a negotiating mandate <https://data.consilium.europa.eu/doc/document/ST-15318-2025-INIT/en/pdf> on the CSAM Regulation, three years after the original proposal. — The deadlock was broken by Denmark and other hawkish countries giving up on forcing messaging services to scan for CSA material. A measure that would break end-to-end encryption. The mandate, however, still allows services to voluntarily scan messages. It also includes a review clause that mandates the Commission to check in three years if the state of hash scanning technology has developed and further changes are needed. — The Council must now negotiate with the European Parliament, whose own position <https://oeil.europarl.europa.eu/oeil/en/procedure-file?reference=2022/0155(COD)> has also removed the mandatory chat scanning provision. They are expected to reach a decision by April this year. Else the currently permitted voluntary scanning will become illegal. It is now ensured by a stopgap law, which expires in 2026. == Franco-German Digital Summit === On 18 November Germany and France organised <https://www.elysee.fr/en/emmanuel-macron/2025/11/18/summit-on-european-digital-sovereignty-in-berlin> a Summit on European Digital Sovereignty in Berlin. Politically it was an effort for the two EU heavyweights to align on several ideas and drive the continent forward. Germany is traditionally very cautious on “sovereignty” issues, but that is shifting. France is currently in an extremely weak position not being able to form stable governments. — Ahead of the summit an open letter <https://wikimedia.brussels/open-letter-harnessing-open-source-ai-to-advance-digital-sovereignty/> with concrete demands regarding open source and public interested AI was circulated. It was co-signed, among others, by WMFR, WMDE and WMEU. Wikimedia Deutschland was also represented at the event. — The authors of this newsletter struggle to point to concrete and palpable outputs. == DSA Reports === Last week the European Commission released two interesting reports regarding the Digital Services Act, Europe’s content moderation rulebook. — The first one looks at the overlaps <https://digital-strategy.ec.europa.eu/en/library/report-application-article-33-regulation-eu-20222065-dsa-and-interaction-regulation-other-legal> between the DSA and other legislation. Elements of it will likely find their way into a DSA evaluation that the Commission needs to finalise before November 2027. It might also influence potential future legislative (simplification) proposals. — The second report looks at the risk assessments, mitigation measures and audits performed by Very Large Online Platforms <https://digital-strategy.ec.europa.eu/en/news/digital-services-act-report-lays-out-landscape-systemic-risks-online> (including Wikipedia’s) and tries to provide something like a meta-analysis for systemic risks in the EU. == Child Protection INI === The European Parliament adopted a de facto resolution <https://www.europarl.europa.eu/news/en/press-room/20251120IPR31496/children-should-be-at-least-16-to-access-social-media-say-meps> (a non-binding own-initiative report) that calls for an age limit of 16 years for social media use. It also asks for the possibility for children to access social media if parental consent is given. If this turns into an actual legislative proposal by the Commission it would be crucial that Wikimedia projects are not defined as social media. -- Wikimedia Europe ivzw
_______________________________________________ Publicpolicy mailing list -- [email protected] To unsubscribe send an email to [email protected]
