The Monopoly Report – Episode 58
Title: The EU Digital Omnibus, Part 2: With Peter Craddock
Date: December 10, 2025
Host: Alan Chapell
Guest: Peter Craddock, Partner in Data Protection, Keller and Heckman
Episode Overview
This episode of The Monopoly Report dives deep into the EU's proposed Digital Omnibus, focusing on its potential to reshape digital privacy, data protection, and AI governance across Europe. Alan Chapell is joined by Peter Craddock, a renowned privacy lawyer, to clarify the implications for ad tech and digital media, and to discuss the evolving role of pragmatism versus dogmatism in EU regulation.
Main Themes and Purpose
- Understanding the EU Digital Omnibus: Why is the EU proposing this regulatory overhaul, and what does it hope to simplify or achieve?
- Impact on Ad Tech and GDPR: How do the changes (especially the redefinition of 'personal data') affect digital media and ad companies?
- Legal Complexity and Operational Impact: Navigating uncertainty between GDPR, the ePrivacy Directive, and overlapping authorities.
- Industry and Regulatory Tensions: The push and pull between consumer privacy, effective data governance, and sustainable business models.
Key Discussion Points and Insights
1. The Motivation Behind the Digital Omnibus
- The EU is aiming to improve competitiveness through 'better regulation'—consolidating and simplifying the jungle of digital laws (GDPR, AI Act, Data Act, and ePrivacy) ([04:53]).
- Peter Craddock:
"This is really an attempt to rethink this approach and try to see how can different pieces of legislation maybe be combined, how can existing legislation be adapted?" ([05:14])
2. New Definition of Personal Data
- The Omnibus seeks to clarify what counts as personal data, emphasizing 'identifiability'—following the Breyer, Scania, and SRB EU court rulings.
- Peter explains:
- If a business can’t reasonably identify an individual from the data (without external help), it’s not personal data for them ([08:16]).
- If the data is transferred to someone who can re-identify, only that party is bound by GDPR—not the original holder ([10:45]).
- "What the Commission did is ... trying to tackle ... does our regulatory framework enable us to reach our goals?" ([04:53])
3. Implications for Ad Tech Companies
- Many ad tech companies operate with pseudonymous data, but the lines remain blurry if they interact with partners like Google who merge pseudonymous and identifiable data ([15:05]).
- Peter:
"You could then have an indirect impact … but it doesn't mean that what you're doing is within the scope of the GDPR. So very important to figure out ... what are [your partners] capable of doing with the data." ([15:37])
4. GDPR vs. ePrivacy Directive – Dual Compliance Headaches
- Even if an activity is outside GDPR, the ePrivacy Directive may still require consent, especially for ad cookies and tracking ([18:10]).
- Peter:
"It just applies no matter what, whether it's personal data or not ... So you think, ah, great, we can actually not apply the GDPR ... but then you're still dealing with the existing ePrivacy rules." ([18:10])
- Confusion is amplified by differing enforcement authorities and mechanisms between GDPR and ePrivacy ([21:14]).
5. Browser-Based Consent: Do Not Track 2.0
- New Omnibus proposals suggest browser or device-level 'global privacy controls' could replace or supplement cookie consent banners ([22:51]).
- Both host and guest are skeptical, noting potential for 'easy no' (refusal) but not 'easy yes' (consent), and the risk of browsers (especially those with ad businesses) favoring their own ecosystems ([25:23]).
- Peter:
"Based on my discussions … I haven't actually seen one business player who is pleased with this proposal ... it just skews the entire debate." ([23:39])
6. Regulatory Attitudes and Civil Society Tension
- While civil society and some regulators maintain strict stances, Peter argues for growing internal pragmatism—recognizing multiple fundamental rights (beyond just privacy), including business freedoms and free expression ([28:18]).
- Alan counters: Certain regulators have shown a pattern of strict, privacy-absolutist enforcement, particularly on cookies and tracking, which produces practical and legal uncertainty ([30:32]).
7. AI Model Building and Legitimate Interest
- Shift in thinking: legitimate interest may now cover certain AI model training even on large public data sets, which could deprioritize minor issues (like treating every IP address as personal data) ([33:34], [34:30]).
- Peter:
"The IP address has been one of the ... poor ones at the front in basically facing the firing squad a lot of times. ... regulators themselves are becoming aware that an absolutist approach ... is going to create more problems down the road." ([34:30])
8. Consent, Monetization, and Media Sustainability
- Requiring consent for ad targeting, while possibly allowing legitimate interest for core AI use, could force digital businesses toward subscription models, which has accessibility implications ([37:18]).
- The Omnibus's "pay-or-consent" approaches for access to services raise difficult user-interface and rights issues ([38:19]).
- Peter:
"We have to have a way that actually helps monetization, because otherwise these services are basically going to disappear full stop." ([39:25])
9. Big Tech and the Level Playing Field
- Alan asks if the changes cement Big Tech's power. Peter strongly disagrees, saying clarification helps all companies, especially smaller players, avoid needing armies of high-end lawyers ([41:38], [42:08]).
- Peter:
"Making the law clearer to the public is really critical ... I don't think any of those are giving more power to large tech companies." ([42:08])
10. Looking Forward: Pragmatism vs. Pain of Transition
- Both agree that, though the future may be pragmatic, the transition will be tough, especially for under-resourced companies helpless before regulator-by-regulator variation ([45:16]).
- Peter:
"Data protection is not about absolutism. Pragmatism is back in town, and that is a really good message." ([46:39])
Notable Quotes & Memorable Moments
- On the real-world impact for ad tech:
- “If you, as an ad tech intermediary, are able to say, sorry, but I actually don't have anyone I can turn to to help me identify the individual … then basically the GDPR doesn't apply to me.” – Peter ([13:11])
- On the browser-level consent proposal:
- "Ultimately there's this fear that this will just go down in the direction of being a one click refusal for everything and not necessarily ... one click consent." – Peter ([23:39])
- On coexistence of multiple regulators:
- “If you’re sitting in, happily sitting in a data flow located in France, but you happen to be registered in, oh say Ireland, you may have two supervisory authorities who sometimes see the world very differently...” – Alan ([21:14])
- On the need for business sustainability:
- "If you can't have an approach to data protection implementation that allows for monetization, services just stop being offered." – Peter ([39:25])
- On pragmatic versus absolutist enforcement:
- “Data protection is not about absolutism. Pragmatism is back in town, and that is a really good message.” – Peter ([46:39])
- On the pain of regulatory transition:
- "I'm hopeful that you were right that they're eventually going to get there, but I do think there's going to be a fair amount of pain in the process to get there." – Alan ([45:16])
Timestamps for Key Segments
- 03:32 – Introduction of Peter and the topic
- 04:33 – Purpose and context of the Digital Omnibus
- 07:28 – Dissecting new GDPR definitions
- 12:43 – What this means for ad tech companies
- 15:05 – Interaction with major platforms and indirect data control
- 18:10 – Ongoing challenges with ePrivacy and cookie consent
- 22:51 – Do Not Track 2.0 and browser-based controls
- 28:18 – Regulator attitudes and civil society tension
- 33:34 – AI, legitimate interest, and shifting regulatory lines
- 37:18 – Consent, paywalls, and monetization challenges
- 42:08 – Implications for Big Tech and smaller players
- 45:16 – Predicting the regulatory transition pains
- 46:39 – The return of pragmatic data governance
Conclusion and Takeaways
- The EU Digital Omnibus represents a significant potential shift in regulatory philosophy—from doctrinaire privacy-absolutism to something more pragmatic.
- For ad tech and digital media companies, the future is less about categorical compliance, more about proper risk assessment, documentation, and understanding the evolving landscape of what constitutes personal data.
- Browser-based controls, overlapping enforcement, and ambiguous exemptions promise short-term confusion before clarity.
- Both Alan and Peter express optimism—but caution that the road to simplification may be bumpy, especially for smaller companies.
- Alan’s advice: Don’t abandon established industry frameworks (like the IAB TCF) just yet, double down on data governance, and be cautious about new ventures into identifiable data processing.
Where to Find the Guest
- LinkedIn: Peter Craddock (main presence) ([47:42])
- Occasional speaking at conferences, rare Spotify singles
Final words
“Data protection is not about absolutism. Pragmatism is back in town, and that is a really good message.”
— Peter Craddock ([46:39])
Listen to future episodes and subscribe:
monopolyreportpod.com
Note: Timestamps refer to the provided transcript; exact times in the published episode may vary. All quotes are verbatim as per the transcript. Non-essential intro, ad, and outro content have been omitted for clarity.
