Pöördumine

_________________________________________

The EU Digital Omnibus: Ensuring the Digital Omnibus Delivers on Its Simplification Promise June 11, 2026

The American Chamber of Commerce in Estonia (AmCham Estonia) and the Estonian Association of Information Technology and Telecommunications (ITL) support the European Union's ambition to simplify its digital regulatory framework through the Digital Omnibus.

Reducing regulatory overlap, providing legal certainty, and strengthening European competitiveness are goals our members share. We welcome the political will behind this initiative. However, we believe that the current text, and the timeline under which it is being negotiated, risk falling short of these objectives.

1. The Simplification Opportunity Has Not Yet Been Fully Realised The Draghi Report on European Competitiveness and the EU Competitiveness Compass both identified the complexity of Europe's data regulation as a barrier to growth. The Digital Omnibus was designed to address this.

We note, however, that in its current form the proposal introduces additional requirements rather than reducing them:

● The dual governance challenge remains. Cookie deployment still requires navigating two overlapping frameworks (ePrivacy + GDPR). Rather than unifying them, the proposal adds a new classification layer requiring businesses to determine whether cookie data is personal or non-personal before applying diverging consent rules.

● Compliance burden may increase for SMEs. Operators would need to conduct preliminary data classification exercises before reaching the consent question. For smaller businesses without dedicated legal teams, this represents an additional cost.

● The GDPR's built-in flexibility is not fully leveraged. The GDPR offers six legal bases calibrated to purpose and risk, but the retention of blanket consent requirements under the ePrivacy framework limits their applicability.

● National enforcement fragmentation continues. Retaining cookie rules within the ePrivacy Directive preserves separate national enforcement, limiting the benefits of the one-stop-shop mechanism for cross-border services.

We encourage policymakers to consider consolidating cookie and terminal equipment rules under the GDPR, creating a single coherent framework where the legal basis for processing depends on the purpose and risk of the data use.

2. The Timeline Does Not Match the Scope of the Changes The Cypriot Presidency has set an ambitious goal of concluding negotiations by the June 24 COREPER meeting. We respect the Presidency's drive for progress. At the same time, we note that:

● Twelve Member States have called for an impact assessment of the cookie provisions. We believe this reflects a legitimate concern about proportionality.

● The scope of the proposed changes is significant. The ePrivacy Regulation was debated for over eight years without conclusion, in large part because cookie reform touches every website, every digital business, and every user in Europe. The Digital Omnibus covers comparable ground.

● No comprehensive impact assessment has been published for the cookie regime as proposed, including the browser/OS-level consent mechanism or the expansion to OS providers.

● Independent economic analysis by Implement Consulting Group ("Gone in One Click", March 2026) estimates significant revenue impacts for European businesses from the browser/OS consent mechanism.

On 26 May 2026, the founders of Bolt, Kry/Livi, Silo AI, Sana Labs, and Voi published an open letter expressing concern about the pace and direction of the reform, noting that "if this reform ends in marginal technical adjustments while the structural problems remain, we may not get another serious opportunity for years."

We respectfully suggest that allowing additional time for evidence-gathering would strengthen rather than weaken the final text. A well-prepared Digital Omnibus concluded under the Irish Presidency would still deliver results in 2026, with the benefit of a proper evidence base.

3. Article 8a Raises Serious Concerns That Warrant Further Analysis The provision generating the most concern among our members is Article 8a (originally Article 88b in the Commission's proposal, subsequently renumbered). It would mandate browsers and operating systems to present users with a centralised consent prompt whose outcome applies to all websites visited across the EEA.

We raise the following concerns for policymakers' consideration: • Legal coherence with the GDPR. Under GDPR Article 4(11), valid consent must be specific

and informed. There is a legitimate question as to whether a universal browser/OS prompt covering all websites and purposes can satisfy these requirements. We encourage further legal analysis of this point before the provision is finalised.

• Projected impact on consent rates. Evidence from comparable mechanisms suggests significant declines. Site-level consent rates in Europe currently average approximately 70%. Apple's App Tracking Transparency (ATT), an OS-level prompt introduced in 2021, resulted in a 78% refusal rate. A comparable shift in the web environment would have substantial economic consequences.

• Economic impact estimates: • 40-50 billion euros per year in reduced revenue for European businesses (30-35%

decline), according to Implement Consulting Group

• SMEs (99% of European companies) would face disproportionate effects, as they rely most heavily on digital advertising for customer acquisition

• Ad-funded publishers and digital media would face significant revenue pressure, with potential consequences for media plurality

• Competition considerations. The browser and OS market is already highly concentrated. Extending consent intermediation to these providers, as the 21 May compromise text does, could raise questions about consistency with Digital Markets Act objectives.

• Privacy effectiveness. We note that the GDPR's core data protection principles (lawfulness, fairness, transparency, purpose limitation, data minimisation) already apply regardless of cookie consent. It is worth considering whether Article 8a delivers proportionate privacy benefits relative to its economic and competitive costs.

Recommendations

AmCham Estonia and ITL respectfully call on Estonian policymakers and the EU Council to: 1. Request a comprehensive impact assessment before the cookie provisions are

finalised. Understanding the effects on SMEs, publishers, and the ad-funded internet should inform rather than follow the legislative decision.

2. Remove Article 8a in light of the concerns raised above. We believe the provision warrants further analysis of its legal, economic, and competitive implications before adoption.

3. Allow sufficient time for quality legislation. The Irish Presidency offers a credible path to conclude the Digital Omnibus in 2026 with the benefit of proper evidence and stakeholder input.

4. Pursue genuine simplification: align cookie rules with the GDPR's risk-based framework and expand Article 88a exemptions to cover low-risk, non-profiling activities including contextual advertising, frequency capping, fraud prevention, and essential analytics.

We believe the Digital Omnibus can still deliver meaningful reform that supports both privacy and competitiveness. We stand ready to contribute constructively to that process and offer our members' expertise to policymakers working on this file.

Sincerely,

Daria Sivovol CEO (on behalf of the AmCham Estonia Digital Society Committee)

Doris Põld Executive Director Estonian Association of Information Technology and Telecommunications (ITL)

_________________________________________

The EU Digital Omnibus: Ensuring the Digital Omnibus Delivers on Its Simplification Promise June 11, 2026

The American Chamber of Commerce in Estonia (AmCham Estonia) and the Estonian Association of Information Technology and Telecommunications (ITL) support the European Union's ambition to simplify its digital regulatory framework through the Digital Omnibus.

Reducing regulatory overlap, providing legal certainty, and strengthening European competitiveness are goals our members share. We welcome the political will behind this initiative. However, we believe that the current text, and the timeline under which it is being negotiated, risk falling short of these objectives.

1. The Simplification Opportunity Has Not Yet Been Fully Realised The Draghi Report on European Competitiveness and the EU Competitiveness Compass both identified the complexity of Europe's data regulation as a barrier to growth. The Digital Omnibus was designed to address this.

We note, however, that in its current form the proposal introduces additional requirements rather than reducing them:

● The dual governance challenge remains. Cookie deployment still requires navigating two overlapping frameworks (ePrivacy + GDPR). Rather than unifying them, the proposal adds a new classification layer requiring businesses to determine whether cookie data is personal or non-personal before applying diverging consent rules.

● Compliance burden may increase for SMEs. Operators would need to conduct preliminary data classification exercises before reaching the consent question. For smaller businesses without dedicated legal teams, this represents an additional cost.

● The GDPR's built-in flexibility is not fully leveraged. The GDPR offers six legal bases calibrated to purpose and risk, but the retention of blanket consent requirements under the ePrivacy framework limits their applicability.

● National enforcement fragmentation continues. Retaining cookie rules within the ePrivacy Directive preserves separate national enforcement, limiting the benefits of the one-stop-shop mechanism for cross-border services.

We encourage policymakers to consider consolidating cookie and terminal equipment rules under the GDPR, creating a single coherent framework where the legal basis for processing depends on the purpose and risk of the data use.

2. The Timeline Does Not Match the Scope of the Changes The Cypriot Presidency has set an ambitious goal of concluding negotiations by the June 24 COREPER meeting. We respect the Presidency's drive for progress. At the same time, we note that:

● Twelve Member States have called for an impact assessment of the cookie provisions. We believe this reflects a legitimate concern about proportionality.

● The scope of the proposed changes is significant. The ePrivacy Regulation was debated for over eight years without conclusion, in large part because cookie reform touches every website, every digital business, and every user in Europe. The Digital Omnibus covers comparable ground.

● No comprehensive impact assessment has been published for the cookie regime as proposed, including the browser/OS-level consent mechanism or the expansion to OS providers.

● Independent economic analysis by Implement Consulting Group ("Gone in One Click", March 2026) estimates significant revenue impacts for European businesses from the browser/OS consent mechanism.

On 26 May 2026, the founders of Bolt, Kry/Livi, Silo AI, Sana Labs, and Voi published an open letter expressing concern about the pace and direction of the reform, noting that "if this reform ends in marginal technical adjustments while the structural problems remain, we may not get another serious opportunity for years."

We respectfully suggest that allowing additional time for evidence-gathering would strengthen rather than weaken the final text. A well-prepared Digital Omnibus concluded under the Irish Presidency would still deliver results in 2026, with the benefit of a proper evidence base.

3. Article 8a Raises Serious Concerns That Warrant Further Analysis The provision generating the most concern among our members is Article 8a (originally Article 88b in the Commission's proposal, subsequently renumbered). It would mandate browsers and operating systems to present users with a centralised consent prompt whose outcome applies to all websites visited across the EEA.

We raise the following concerns for policymakers' consideration: • Legal coherence with the GDPR. Under GDPR Article 4(11), valid consent must be specific

and informed. There is a legitimate question as to whether a universal browser/OS prompt covering all websites and purposes can satisfy these requirements. We encourage further legal analysis of this point before the provision is finalised.

• Projected impact on consent rates. Evidence from comparable mechanisms suggests significant declines. Site-level consent rates in Europe currently average approximately 70%. Apple's App Tracking Transparency (ATT), an OS-level prompt introduced in 2021, resulted in a 78% refusal rate. A comparable shift in the web environment would have substantial economic consequences.

• Economic impact estimates: • 40-50 billion euros per year in reduced revenue for European businesses (30-35%

decline), according to Implement Consulting Group

• SMEs (99% of European companies) would face disproportionate effects, as they rely most heavily on digital advertising for customer acquisition

• Ad-funded publishers and digital media would face significant revenue pressure, with potential consequences for media plurality

• Competition considerations. The browser and OS market is already highly concentrated. Extending consent intermediation to these providers, as the 21 May compromise text does, could raise questions about consistency with Digital Markets Act objectives.

• Privacy effectiveness. We note that the GDPR's core data protection principles (lawfulness, fairness, transparency, purpose limitation, data minimisation) already apply regardless of cookie consent. It is worth considering whether Article 8a delivers proportionate privacy benefits relative to its economic and competitive costs.

Recommendations

AmCham Estonia and ITL respectfully call on Estonian policymakers and the EU Council to: 1. Request a comprehensive impact assessment before the cookie provisions are

finalised. Understanding the effects on SMEs, publishers, and the ad-funded internet should inform rather than follow the legislative decision.

2. Remove Article 8a in light of the concerns raised above. We believe the provision warrants further analysis of its legal, economic, and competitive implications before adoption.

3. Allow sufficient time for quality legislation. The Irish Presidency offers a credible path to conclude the Digital Omnibus in 2026 with the benefit of proper evidence and stakeholder input.

4. Pursue genuine simplification: align cookie rules with the GDPR's risk-based framework and expand Article 88a exemptions to cover low-risk, non-profiling activities including contextual advertising, frequency capping, fraud prevention, and essential analytics.

We believe the Digital Omnibus can still deliver meaningful reform that supports both privacy and competitiveness. We stand ready to contribute constructively to that process and offer our members' expertise to policymakers working on this file.

Sincerely,

Daria Sivovol CEO (on behalf of the AmCham Estonia Digital Society Committee)

Doris Põld Executive Director Estonian Association of Information Technology and Telecommunications (ITL)