“Europe is so back. No more cookie banners.” Not quite. Cookie banners are here to stay. They endure as an annoying but telling symbol of a deeper problem: Europe’s political class still lacks the appetite for the hard choices reform requires.
European Commission President Ursula von der Leyen was right in this year’s State of the Union to say that “Europe is in a fight.” With the publication of the Commission’s “omnibus” reform proposals, we can now see what Brussels plans to bring to that fight.
The intentions are good. There is at least some acknowledgment that Europe’s economic malaise reflects regulatory overreach and a failure to protect the integrity of the common market.
But European policymakers remain trapped in what might be called a “luxury” mindset—the belief that all policy goals can be pursued at once, without tradeoffs or losses. Reindustrialize, but eliminate emissions. Secure energy, but reject nuclear. Compete globally, but regulate relentlessly.
As Luis Garicano, Bengt Holmström, and Nicolas Petit argue in “The Constitution of Innovation,” Europe risks repeating 20th-century Argentina’s slow decline—only under harsher conditions, with Russian aggression on its borders and a worsening demographic crunch at home. Their prescription is straightforward: strengthen the EU’s common market while curbing its regulatory ambitions. Both steps face entrenched resistance. National governments resist deeper market integration; Brussels resists self-restraint. As Alexandre de Streel of the Centre on Regulation in Europe (CERRE) recently observed, civil servants are now being asked to streamline laws they designed, defended, and built careers around.
The proposed “digital omnibus” legislation illustrates just how hard meaningful reform has become. I commented recently on the leaked draft, and the Commission subsequently released the official proposal. It closely tracks the leaked version, confirming both its modest improvements and its deeper limitations.
Why the Cookie Banner Isn’t Going Anywhere
I have bad news for anyone celebrating the proposal’s promise to kill cookie banners as a victory over regulatory overreach. To see why, start with why businesses must ask for consent in the first place.
The Commission is right that the cookie-consent regime, rooted in the ePrivacy Directive, is “outdated and inadequate for contemporary privacy and data needs.” But under the European Data Protection Board’s (EDPB) interpretation, the directive still requires prior user consent for routine technical exchanges between a website and a user’s device.
The EDPB reads the directive’s exceptions vanishingly narrowly. They do not cover basic, table-stakes practices—such as using parts of a URL to identify which advertising partner sent traffic or which campaign a link belongs to. Nor do they cover standard measures to detect advertising fraud, which would require asking fraudsters to consent to being detected. None of this turns on whether the data is personal, sensitive, or even meaningfully revealing. On the EDPB’s absolutist reading, prior consent is mandatory. Hence the banners.
The Commission’s proposal does little to fix this. It does not relax the consent requirement for most non-personal, non-sensitive data processing. Instead, it largely shifts personal-data processing out of ePrivacy and into the General Data Protection Regulation (GDPR), replicating the existing framework with only minor adjustments.
Those adjustments include two new consent exemptions: one for aggregated usage statistics and one for security measures. Despite the Commission’s optimism, these carveouts will likely prove toothless. The same authorities that required consent for processing generic URL fragments will interpret the new exemptions just as narrowly.
Under EDPB oversight, the analytics exemption will not apply to the third-party analytics tools that websites actually use, especially where they track individual users. The security exemption will almost certainly exclude anti-advertising-fraud measures. In short, the real-world data processing that keeps websites running will still trigger consent requirements. The cookie banner will live on.
One might object that this defeats the reform’s purpose and that the law should be read more flexibly. I agree. But that objection points to the deeper problem, and the reason many of the proposal’s other promising ideas risk the same fate.
The problem is enforcement.
Privacy Enforcement as Single-Issue Governance
The same officials who will enforce the revised rules are the ones who decided that nearly all internet communications require prior user consent. They see their mandate as maximizing data protection and privacy—full stop. Giving them a statutory duty to consider “economic growth” or “innovation” would change little. They already insist they do this. EDPB documents routinely gesture at “balancing,” though readers can judge for themselves how much weight that balance carries.
What privacy enforcers struggle most to internalize is the value of clarity. I made this point in criticizing the EDPB’s opinion on AI models, which failed to grapple with the costs of regulatory uncertainty:
Yes, the Opinion does not say that AI is illegal in the EU, but let’s be honest: even in the EU, explicitly making such a declaration is politically unpalatable. Instead, the EU privacy enforcers did what they usually do. They kept as much enforcement flexibility for themselves as possible, opening the doors for any EU national enforcers to impose billions-worth fines. Of course, the other side of that coin is that those who want to use AI in the EU have no idea if all their GDPR compliance efforts will be judged as not good enough in a year or two. …
Some privacy regulators may protest that this was not their intent; after all, they did provide the list of things to try. But such an answer would show the fundamental disconnect from economic reality. Consciously or not, regulators can thwart development not only by explicitly banning it but also by creating an environment of uncertainty. Even the threat of discretionary regulatory enforcement—combined with the risk of heavy fines—can significantly chill investment decisions (and thus innovation) at the margins.
The reason the EDPB framed its opinion in a way that invites claims that real-world AI systems violate the GDPR is simple: a powerful faction within Europe’s data-protection establishment believes exactly that.
That also explains why privacy activists have begun saying the quiet part out loud in opposing the Commission’s proposal. NOYB, for example, criticizes the draft reform precisely because it would legalize state-of-the-art AI—technology it claims is already unlawful under EU law.
To be sure, some national authorities have recently taken a more pragmatic turn. The French data-protection authority’s AI guidance stands out. But that pragmatism is no accident. France also happens to host Europe’s leading AI national champion, Mistral, a source of well-earned political pride.
We cannot rely on this kind of clarity—rooted in national interest and whole-of-government coordination—to produce consistent, pragmatic enforcement across the EU. Such voices barely register in EDPB-adopted documents.
The EDPB wields this power because courts have so far shown excessive deference to data-protection authorities. Challenging EDPB interpretations before EU courts is procedurally arduous and can take years.
In deferring so readily, EU courts have overlooked a basic reality: data-protection authorities often do not even attempt to act in the general public interest, as one would expect of European public bodies. Instead, they function more like single-issue campaigners, advancing one narrow slice of the public interest above all others.
This also helps explain the fixation on American “Big Tech.” Activists crave David-versus-Goliath narratives. There is far less glory—and far fewer magazine covers—in cracking down on domestic data brokers, scammers, and other less photogenic offenders.
Enforcement, Courts, and Political Choice
Rebalancing Through Enforcement
Any serious improvement to EU data-protection law depends on fixing enforcement. If done well, enforcement reform could reduce the need for sweeping substantive changes to instruments like the GDPR.
That presupposes authorities that have both the incentives and the capacity to issue clear and usable guidance that genuinely balances privacy and data protection against other EU objectives and tells organizations how to comply. The French data-protection authority (the Commission Nationale de l’Informatique et des Libertés, or CNIL) has shown in its AI guidance that this is possible. The contrast with the EDPB’s vague and evasive opinion on AI models could not be starker.
I have attempted to outline one path forward: an EU tribunal with a clear mandate to balance privacy with other EU goals and to approve guidance documents and cross-border enforcement decisions. This idea could dovetail with the “specialized commercial courts” proposed in “The Constitution of Innovation.” I also floated the creation of a centralized EU-level data-protection authority—likely built from scratch—to ensure ideological neutrality and genuine interest-balancing.
The Limits of Judicial Fixes
Years of disproportionate and myopic enforcement have left the EU courts boxed in. At this point, undoing the damage likely requires explicit legislative guidance—perhaps even treaty-level intervention.
In its proposed GDPR reform, the Commission leans heavily on a recent judgment of the Court of Justice (CJEU) to argue that “personal data,” and thus the GDPR’s scope, should be construed more narrowly than many privacy authorities prefer. Critics now fault the proposal for not tracking the CJEU’s language closely enough. It is easy to see why the Commission sought judicial “cover” for these changes.
But the backlash exposes the deeper flaw in this strategy. Courts cannot substitute for legislation in a legal regime this confused. The law is a mess, and the courts need direction from the legislature—and possibly from the member states as the masters of the treaties.
The CJEU is unpredictable. It could just as easily issue a decision next month that pushes the definition of “personal data” in the opposite direction. That risk matters because the GDPR has become a de facto “law of everything” in the digital economy, enforced by authorities with sweeping powers to halt technological development but little democratic legitimacy to set industrial policy.
If the EU legislature wants a different path, it should say so openly. Framing reform as a mere codification of CJEU case law obscures the reality: this is not a technical clarification, but a political choice about Europe’s economic and technological future.
That approach is politically harder. But it is far more likely to endure than the Commission’s current attempt to change direction by stealth.
Reining In the ‘Law of Everything’
EU data-protection law is famously complex. Some of that complexity stems from drafting, but far more comes from enforcement. The burden falls hardest on smaller organizations and can even function as a competitive moat for larger ones. Critics of the proposed GDPR reform warn that changing the text will generate new interpretive problems. That risk is real—but also unavoidable. Law evolves through interpretation.
Still, the Commission’s proposal contains one genuinely simplifying move: it cuts back the GDPR’s claim to being the “law of everything.” The key lies in its revised approach to defining “personal data.”
I summarized the idea this way in an earlier comment:
In short, the idea is that whether something counts as personal data for you (and whether the GDPR applies to you) depends on whether you are capable of identifying the individuals to whom the data relates.
I also flagged a practical upside:
…this will prompt many organisations to separate the processing of data allowing the identification of individuals (e.g. let other entities specialised in GDPR compliance … handle that processing) and otherwise to only process pseudonymous data (without being able to identify individuals).
Limiting the GDPR’s reach to organizations that are reasonably likely to identify specific individuals would create strong incentives to design systems that avoid identification altogether. Many organizations—large and small—would likely embrace that tradeoff, even at the cost of technical investment or reduced customer insight. The payoff in regulatory simplicity would be substantial.
Such firms would still operate in the GDPR’s shadow. They would need to ensure they are not reasonably likely to identify individuals, and pragmatic guidance on security and organizational measures would remain relevant. Even so, this would mark a significant simplification of the current regime.
The reaction to this proposal has been strikingly reflexive. Any challenge to the GDPR’s status as the “law of everything” meets immediate resistance. A clear potential benefit—less processing of personal data—gets recast as a defect. The implicit premise seems to be that “true” data minimization can occur only under full GDPR control, with no reduction in enforcers’ reach. That critique reveals more about its proponents than about the proposal. It reflects a deep mistrust of business and an inability to engage in serious balancing of interests.
I remain skeptical, however, that this textual change—marketed as a mere codification of CJEU case law—will survive contact with enforcement. Whatever their formal position, data-protection authorities will likely narrow its effect through interpretation. Whether courts will rein that in years later remains uncertain.
The risk, then, is familiar: a rare opportunity for simplification dissolves into vague, case-by-case guidance. Lawyers will once again advise clients that they are almost always “reasonably likely” to identify individuals—at least in the eyes of the local authority.
The post Why Europe Can’t Kill the Cookie Banner appeared first on Truth on the Market.