At FOSDEM 2026, Denise R. S. Almeida (Head of Policy & Compliance at Element and Data Protection Officer for the Matrix.org Foundation) presented a practitioner perspective on the recently proposed Digital Omnibus. This ambitious legislative package proposed by the European Commission seeks to harmonise key concepts and simplify requirements across a range of digital regulations, including the General Data Protection Regulation (GDPR), the Data Act, and the ePrivacy Directive, with the goal of reducing administrative burdens and boosting innovation. However, as many have pointed out, simplification cannot be used as a justification for deregulation - especially when it comes to core definitions associated with our human rights.
She shared her perspective on what the proposal could mean for open source projects and communities, using Matrix as a case study and highlighting both the opportunities and the risks it introduces.
Understanding the Digital Omnibus
The Digital Omnibus is a complex effort to harmonise overlapping European regulations. Its explicit goal, as defined by the European Commission, is to make compliance simpler, reduce bureaucracy, and ultimately free organisations to focus more on innovation. For open source projects, which often operate on limited budgets and volunteer-driven resources, these changes could be particularly meaningful.
Key proposals include simplified cookie rules to address consent fatigue, improved access to data, alignment of terminology across different regulations, and the creation of a unified reporting system for incidents and breaches. While nearly 200 pages in length, these proposals collectively aim to reduce friction in the regulatory environment and provide a clearer path forward for developers, organisations, and communities alike.
Opportunities for open source communities
There are a few ways the Omnibus could benefit open source projects. One of the most significant is streamlined reporting of breaches and incidents. Today, organisations must navigate multiple frameworks and timelines across different authorities. A single reporting system would allow teams to dedicate more time to understanding root causes and preventing incidents, rather than juggling administrative obligations. This is poised to be the most impactful operational shift introduced by the Omnibus.
Another key opportunity is standardisation of Data Protection Impact Assessments (DPIAs). Many open source projects face the same privacy and security challenges but often tackle them independently, reinventing the wheel each time. Standardised DPIAs could provide templates and shared best practices, giving projects a head start on compliance while maintaining user trust.
Overall, reducing legal complexity and creating clearer guidance could allow open source teams to focus on development, community engagement, and innovation, rather than legal paperwork. For a sector where every contributor hour counts, these changes could have a tangible impact on productivity and creativity.
Risks and concerns
While the Omnibus focuses on the idea of “simplification”, there are also key risks, particularly around changes to the definition of personal data under the GDPR. This is effectively a risk of deregulation, the consequences of which must not be taken lightly. Currently, personal data is defined as any information that can directly or indirectly identify an individual. The Omnibus adds new nuance, expanding on the definition which could introduce ambiguity:

Ambiguity in such a foundational definition carries serious implications. It would essentially amount to a form of deregulation and, as many others argue, could represent a constitutional shift in the European approach to personal data protection. It could increase complexity, confuse compliance efforts, and even create loopholes for excessive processing of personal data without any protection obligations. For open source projects, clarity and transparency are essential: contributors need confidence that sharing data and collaborating openly won’t expose them to legal uncertainty. Any dilution of core protections risks undermining the trust and transparency that open source communities rely on.
While harmonisation and simplification are welcome, they must not come disguised as deregulation or be pushed forward at the expense of personal data protections or the principles underpinning European digital sovereignty. Open source relies on predictability and clarity in law; introducing complexity into a core definition threatens both.
Why participation matters
The Omnibus is still open for consultation until March 11, 2026, in the form of the Digital Fitness Check call for evidence. This provides a critical window for the open source community to contribute. Everyone is encouraged to review the proposals, identify potential risks, and provide feedback. This is an opportunity to ensure that regulatory harmonisation supports innovation without compromising fundamental human rights, such as privacy.
Open source communities bring a unique perspective, balancing practical development constraints with strong commitments to user rights. By engaging with the consultation, developers, project maintainers, and contributors can help shape a framework that protects users, reduces administrative overhead, and allows open source projects to thrive.
Striking a balance
The Digital Omnibus represents a dual challenge: it promises simplification, clarity, and reduced bureaucracy, but it also introduces a serious risk of deregulation as well as complexity in areas that benefit from clarity, such as the core concept of personal data in the GDPR. Open source projects could benefit from the Omnibus if these proposals are implemented thoughtfully, but only if the foundational protections for personal data remain strong and unambiguous.
Therefore, communities must actively participate, share insights, and highlight overlooked risks. Only by engaging can open source projects ensure that Europe’s regulatory framework remains strong whilst supporting innovation, safeguarding users, and strengthening trust across digital ecosystems.
Note: since her talk, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a joint opinion which highlights similar concerns to those raised at FOSDEM:
“The EDPB and the EDPS strongly urge the co-legislators not to adopt the proposed changes to the definition of personal data as they go far beyond a targeted or technical amendment of the GDPR. In addition, they do not accurately reflect and clearly go beyond the CJEU jurisprudence, and they would result in significantly narrowing the concept of personal data. The European Commission should not be entrusted to decide by an implementing act what is no longer personal data after pseudonymisation as it directly affects the scope of application of EU data protection law.”