The Monopoly Report

Episode 57: The EU Digital Omnibus with Dr. Gabriela Zanfir-Fortuna
Host: Alan Chapell
Guest: Dr. Gabriela Zanfir-Fortuna, Vice President for Global Privacy, Future of Privacy Forum
Date: December 3, 2025

Episode Overview

This episode delves into the European Union’s proposed "Digital Omnibus"—a sweeping regulatory package intended to simplify and harmonize the EU’s digital legal landscape, including GDPR and the EU AI Act. Host Alan Chapell is joined by Dr. Gabriela Zanfir-Fortuna, a leading international privacy expert, to unpack what these changes mean for technology companies, advertisers, regulators, and ordinary citizens. The conversation scrutinizes the goals, controversial provisions, and potential ripple effects of the Digital Omnibus, especially as they relate to privacy, AI, data protection, and regulatory enforcement.

Key Discussion Points

1. Dr. Zanfir-Fortuna’s Privacy Origin Story

Personal motivations:
- Deep familial experiences with surveillance and a lack of privacy during Romanian communism shaped her passion for privacy as a fundamental right.
  
  "[Privacy] had a direct impact on just their dignity, their well being, almost equal to just being deprived of some fundamental goods and other fundamental rights." (04:54 — Gabriela)
- Academic beginnings, including early exposure to data protection law through moot court competitions before the GDPR era.

2. Understanding Privacy Harms — From Targeted Ads to Democracy

The challenge of articulating privacy harms:
- In EU legal philosophy, compliance is paramount over evident harms; in contrast, U.S. common law requires proving harm.
  
  "From the legal theory I come from...harms themselves don't matter that much...what matters...is that you simply respect those rules..." (08:28 — Gabriela)
- Examples of data-driven harms:
  - National security: DOJ restricting foreign transfer of Americans’ sensitive data (11:18)
  - Political manipulation: Romania’s annulled presidential elections partially attributed to years-long targeted ad campaigns spreading misinformation (12:19)

3. The Digital Omnibus: Purpose and European Motivation

Stated goals: Simplification for SMEs, boosting EU digital competitiveness (especially in AI), reducing regulatory burdens.
- Policy partly inspired by the "Draghi Report" identifying excessive regulation as an impediment to competitiveness (16:36 - 17:09).
Skepticism and reality check:
- Alan and Gabriela voice doubts that the reforms will truly achieve simplification, citing overlapping legislation and inevitable trade-offs (17:57 - 18:37).

4. Major Provisions and Industry Implications

a. Redefining Personal Data

The Omnibus proposes a narrower, context-based definition; pseudonymous data may fall outside scope for some entities.
- Raises uncertainties for ad tech companies reliant on non-identifiable data, potentially lessening compliance requirements for those handling only pseudonymous data (19:22).
- Ambiguity may create more confusion, not less:
  
  "...they might find themselves in a matter of months, let's say with an investigation. Because who knows how those means reasonably likely to re identify will actually be assessed." (21:00 — Gabriela)

b. Browser-Based 'Do Not Track' (DNT) Signals

The EU proposes a standard privacy control at the browser or OS level for consent/refusal.
- Implementation details are deferred; the timeline shifted from 6 to 24 months—still seen as ambitious given past failures like the original DNT standardization (23:25 - 26:05).
- Complications around platform self-preferencing and "media company" exemptions surfaced, with little clarity on what constitutes a media company (26:20 - 29:49).

c. Persistent Consent Fatigue

Despite claims to tackle consent fatigue, Omnibus maintains (even complicates) consent requirements, notably for media organizations:

"...it doesn't sound like we've moved away from that at all. Because if you're going to require...consent to serve...then why are we here?" (29:17 — Alan)

d. Omnibus Timeline and Implementation Fears

Although the EU Commission wants rapid adoption (by mid-2026), realists expect at least a year, plus additional grace and compliance periods (30:15).

e. AI, Legitimate Interest, and Sensitive Data

A new legal basis in GDPR tailored specifically for AI’s data processing (training and operation) via "legitimate interest," an extraordinary break from GDPR’s traditional tech-neutral stance.
- Sensitive data processing: A specific exception for AI, counterbalanced by as-yet-undefined protective measures (32:52 - 35:29).
- Practical problems: Difficulties with withdrawal of permission from trained models; unclear how individuals exercise their rights as required by law.
  
  "...we will have to find that right object in the haystack." (36:32 — Gabriela)

Notable Quotes & Memorable Moments

On the difference between EU and US privacy regimes:

"The US favors innovation, but doesn't always talk about quality of life. And the EU...has all these regulations, but a lot of those regulations are directly tied towards the quality of life..." (17:09 — Alan)
On unresolved ambiguities and change management:

"You're re-upping the whole apple cart here and perhaps trading one set of ambiguities for a slightly different set of ambiguities. And so it's hard for me to define that as progress." (18:37 — Alan)
On media company exemptions and further confusion:

"Oh my goodness. And I'm on a roll here. You're on a roll. And there's generally no simple answer to that." (27:32 — Gabriela)
On regulator reaction to potential loss of autonomy:

"I see something closer to a regulatory revolt." (43:45 — Gabriela)
On anticipated pro-privacy enforcement despite new rules:

"My gut tells me that enforcement around this new rule set is going to be rather stubborn and is going to lean towards the old interpretations over something new." (45:51 — Alan)

Key Segments & Timestamps

Dr. Zanfir-Fortuna’s origin story and privacy motivations: (04:41–07:37)
What constitutes privacy harm? (07:37–13:56)
Why the EU calls for new rules: (15:29–17:09)
Changing the definition of personal data: (19:22–22:08)
Browser-based DNT and implementation puzzle: (23:25–26:18)
Consent fatigue and media company exemption debate: (26:20–29:49)
Timeline/complexity of implementation: (30:15–31:41)
AI and new 'legitimate interest' provisions: (32:09–36:21)
Global alignment and divergence on AI regulation: (37:13–41:09)
Regulatory pushback and ‘revolt’ expected: (43:45–47:12)
Long-term consequences and litigation lag: (47:12–48:02)

Insights for Advertisers, Ad Tech, and Regulators

Short-term uncertainty: Companies handling pseudonymous data may find regulatory obligations loosened, but with new ambiguities that expose them to risk.
AI development: EU proposes tech-specific rules, recognizing AI’s transformative power, but practical and legal challenges abound—especially regarding opt-outs and sensitive data.
Global influence: GDPR’s exportation of standards is now in question; changes might echo in India, South Korea, Brazil, and elsewhere.
Consent fatigue unresolved: Despite the rhetoric, complex signals and definitions likely mean banners and pop-ups persist.
Regulatory enforcement: Supervisory authorities are likely to interpret new rules tightly and pro-privacy, potentially leading to enforcement collisions and delays in clarity.

Conclusion

This episode presents a sober, nuanced take on the EU Digital Omnibus, celebrating regulatory ambition while laying bare its many contradictions and practical challenges. Dr. Zanfir-Fortuna, drawing on a uniquely personal and professional vantage, and Host Alan Chapell agree that the current proposal may miss its goals of simplification and could entrench ambiguities, keeping privacy practitioners, technologists, and regulators on their toes for years to come.

Connect with Dr. Gabriela Zanfir-Fortuna and Future of Privacy Forum:

Website: fpf.org
LinkedIn: Gabriela Zanfir-Fortuna

Closing Thoughts:

"...if you judge this particular proposal as it stands today...[it] fails to meet its stated goal of simplification of the rule set. It doesn't address the issues around consent fatigue. It turns legitimate interest as a legal basis completely on its head, and it creates all kind of complexities and enforcement frontiers that will only serve to make Europe less competitive. In other words, it fails on almost every level." (50:06 — Alan)

The Monopoly Report

Episode Overview

Key Discussion Points

1. Dr. Zanfir-Fortuna’s Privacy Origin Story

Personal motivations:
- Deep familial experiences with surveillance and a lack of privacy during Romanian communism shaped her passion for privacy as a fundamental right.
  
  "[Privacy] had a direct impact on just their dignity, their well being, almost equal to just being deprived of some fundamental goods and other fundamental rights." (04:54 — Gabriela)
- Academic beginnings, including early exposure to data protection law through moot court competitions before the GDPR era.

2. Understanding Privacy Harms — From Targeted Ads to Democracy

The challenge of articulating privacy harms:
- In EU legal philosophy, compliance is paramount over evident harms; in contrast, U.S. common law requires proving harm.
  
  "From the legal theory I come from...harms themselves don't matter that much...what matters...is that you simply respect those rules..." (08:28 — Gabriela)
- Examples of data-driven harms:
  - National security: DOJ restricting foreign transfer of Americans’ sensitive data (11:18)
  - Political manipulation: Romania’s annulled presidential elections partially attributed to years-long targeted ad campaigns spreading misinformation (12:19)

3. The Digital Omnibus: Purpose and European Motivation

Stated goals: Simplification for SMEs, boosting EU digital competitiveness (especially in AI), reducing regulatory burdens.
- Policy partly inspired by the "Draghi Report" identifying excessive regulation as an impediment to competitiveness (16:36 - 17:09).
Skepticism and reality check:
- Alan and Gabriela voice doubts that the reforms will truly achieve simplification, citing overlapping legislation and inevitable trade-offs (17:57 - 18:37).

4. Major Provisions and Industry Implications

a. Redefining Personal Data

The Omnibus proposes a narrower, context-based definition; pseudonymous data may fall outside scope for some entities.
- Raises uncertainties for ad tech companies reliant on non-identifiable data, potentially lessening compliance requirements for those handling only pseudonymous data (19:22).
- Ambiguity may create more confusion, not less:
  
  "...they might find themselves in a matter of months, let's say with an investigation. Because who knows how those means reasonably likely to re identify will actually be assessed." (21:00 — Gabriela)

b. Browser-Based 'Do Not Track' (DNT) Signals

The EU proposes a standard privacy control at the browser or OS level for consent/refusal.
- Implementation details are deferred; the timeline shifted from 6 to 24 months—still seen as ambitious given past failures like the original DNT standardization (23:25 - 26:05).
- Complications around platform self-preferencing and "media company" exemptions surfaced, with little clarity on what constitutes a media company (26:20 - 29:49).

c. Persistent Consent Fatigue

Despite claims to tackle consent fatigue, Omnibus maintains (even complicates) consent requirements, notably for media organizations:

"...it doesn't sound like we've moved away from that at all. Because if you're going to require...consent to serve...then why are we here?" (29:17 — Alan)

d. Omnibus Timeline and Implementation Fears

Although the EU Commission wants rapid adoption (by mid-2026), realists expect at least a year, plus additional grace and compliance periods (30:15).

e. AI, Legitimate Interest, and Sensitive Data

A new legal basis in GDPR tailored specifically for AI’s data processing (training and operation) via "legitimate interest," an extraordinary break from GDPR’s traditional tech-neutral stance.
- Sensitive data processing: A specific exception for AI, counterbalanced by as-yet-undefined protective measures (32:52 - 35:29).
- Practical problems: Difficulties with withdrawal of permission from trained models; unclear how individuals exercise their rights as required by law.
  
  "...we will have to find that right object in the haystack." (36:32 — Gabriela)

Notable Quotes & Memorable Moments

On the difference between EU and US privacy regimes:

"The US favors innovation, but doesn't always talk about quality of life. And the EU...has all these regulations, but a lot of those regulations are directly tied towards the quality of life..." (17:09 — Alan)
On unresolved ambiguities and change management:

"You're re-upping the whole apple cart here and perhaps trading one set of ambiguities for a slightly different set of ambiguities. And so it's hard for me to define that as progress." (18:37 — Alan)
On media company exemptions and further confusion:

"Oh my goodness. And I'm on a roll here. You're on a roll. And there's generally no simple answer to that." (27:32 — Gabriela)
On regulator reaction to potential loss of autonomy:

"I see something closer to a regulatory revolt." (43:45 — Gabriela)
On anticipated pro-privacy enforcement despite new rules:

"My gut tells me that enforcement around this new rule set is going to be rather stubborn and is going to lean towards the old interpretations over something new." (45:51 — Alan)

Key Segments & Timestamps

Dr. Zanfir-Fortuna’s origin story and privacy motivations: (04:41–07:37)
What constitutes privacy harm? (07:37–13:56)
Why the EU calls for new rules: (15:29–17:09)
Changing the definition of personal data: (19:22–22:08)
Browser-based DNT and implementation puzzle: (23:25–26:18)
Consent fatigue and media company exemption debate: (26:20–29:49)
Timeline/complexity of implementation: (30:15–31:41)
AI and new 'legitimate interest' provisions: (32:09–36:21)
Global alignment and divergence on AI regulation: (37:13–41:09)
Regulatory pushback and ‘revolt’ expected: (43:45–47:12)
Long-term consequences and litigation lag: (47:12–48:02)

Insights for Advertisers, Ad Tech, and Regulators

Short-term uncertainty: Companies handling pseudonymous data may find regulatory obligations loosened, but with new ambiguities that expose them to risk.
AI development: EU proposes tech-specific rules, recognizing AI’s transformative power, but practical and legal challenges abound—especially regarding opt-outs and sensitive data.
Global influence: GDPR’s exportation of standards is now in question; changes might echo in India, South Korea, Brazil, and elsewhere.
Consent fatigue unresolved: Despite the rhetoric, complex signals and definitions likely mean banners and pop-ups persist.
Regulatory enforcement: Supervisory authorities are likely to interpret new rules tightly and pro-privacy, potentially leading to enforcement collisions and delays in clarity.

Conclusion

Connect with Dr. Gabriela Zanfir-Fortuna and Future of Privacy Forum:

Website: fpf.org
LinkedIn: Gabriela Zanfir-Fortuna

Closing Thoughts:

"...if you judge this particular proposal as it stands today...[it] fails to meet its stated goal of simplification of the rule set. It doesn't address the issues around consent fatigue. It turns legitimate interest as a legal basis completely on its head, and it creates all kind of complexities and enforcement frontiers that will only serve to make Europe less competitive. In other words, it fails on almost every level." (50:06 — Alan)

wavePod

Episode 57: The EU Digital Omnibus with Dr. Gabriela Zanfir-Fortuna

Powered by Wave AI

Summary

The Monopoly Report

Episode Overview

Key Discussion Points

1. Dr. Zanfir-Fortuna’s Privacy Origin Story

2. Understanding Privacy Harms — From Targeted Ads to Democracy

3. The Digital Omnibus: Purpose and European Motivation

4. Major Provisions and Industry Implications

a. Redefining Personal Data

b. Browser-Based 'Do Not Track' (DNT) Signals

c. Persistent Consent Fatigue

d. Omnibus Timeline and Implementation Fears

e. AI, Legitimate Interest, and Sensitive Data

Notable Quotes & Memorable Moments

Key Segments & Timestamps

Insights for Advertisers, Ad Tech, and Regulators

Conclusion

Summary

The Monopoly Report

Episode Overview

Key Discussion Points

1. Dr. Zanfir-Fortuna’s Privacy Origin Story

2. Understanding Privacy Harms — From Targeted Ads to Democracy

3. The Digital Omnibus: Purpose and European Motivation

4. Major Provisions and Industry Implications

a. Redefining Personal Data

b. Browser-Based 'Do Not Track' (DNT) Signals

c. Persistent Consent Fatigue

d. Omnibus Timeline and Implementation Fears

e. AI, Legitimate Interest, and Sensitive Data

Notable Quotes & Memorable Moments

Key Segments & Timestamps

Insights for Advertisers, Ad Tech, and Regulators

Conclusion