At the recent Avrio Advocati Bonn Conference, delegates heard a detailed and thought-provoking presentation on the evolution of GDPR, its growing interaction with AI regulation, and the political realities surrounding proposed EU “Omnibus” reforms. Keynote speaker Prof. Niko Härting, Partner, HÄRTING Rechtsanwälte (Berlin) & Chairman of the DAV Committee on IT Law, explored not only the legal framework itself, but also the wider regulatory tensions facing businesses, lawyers and policymakers across Europe.
Prof. Härting began by examining the increasing use of AI within legal practice. Regular online forums involving hundreds of lawyers are now being used to connect advanced AI users with beginners, allowing practitioners to discuss the practical uses, limitations and risks of AI tools. A paper published last year concluded that there are no fundamental legal or professional barriers preventing lawyers from using AI. Instead, the real challenge lies in the fact that most AI systems operate through cloud-based infrastructure, meaning many AI-related legal questions are actually extensions of existing cloud governance and confidentiality issues.
Providing historical context, Prof. Härting noted that professional rules governing cloud services for lawyers were already being modernised nearly a decade ago. Legal reforms introduced provisions permitting the use of cloud services provided appropriate secrecy agreements were in place, laying much of the groundwork for today’s AI discussions.
The presentation then traced the origins of privacy law far beyond modern European legislation. Contrary to the widespread assumption that data protection originated in Germany, Prof. Härting highlighted the influential 1890 Harvard Law Review article “The Right to Privacy” by Warren and Brandeis, written in response to the rise of portable cameras and sensationalist journalism. Germany’s first data protection laws only emerged decades later, during the 1960s and 1970s, initially focused almost entirely on protecting citizens from state surveillance.
Attention later shifted toward regulating private businesses, particularly with the rise of the internet in the 1990s. The EU Data Protection Directive of 1995, heavily influenced by German law, eventually evolved into the GDPR framework adopted in 2016 and fully implemented in 2018. Prof. Härting stressed that many of GDPR’s core substantive principles are not radically new, with several provisions effectively dating back nearly 30 years. What fundamentally changed under GDPR was enforcement. The introduction of significantly larger fines — increasing from a previous German maximum of €300,000 to penalties reaching €20 million or more — was described as “giving the tiger teeth.”
Several aspects of GDPR were critically examined during the session. Article 22, dealing with automated decision-making and requiring human oversight, was described as rooted in 1990s thinking and potentially outdated in the era of advanced AI systems. Similarly, Article 6’s broad requirement to justify every instance of personal data processing was questioned for applying a rigid “one-size-fits-all” approach regardless of the sensitivity or context of the data involved.
Prof. Härting also explored how GDPR has become embedded as a core European value. According to the presentation, both the European Commission and many NGOs increasingly regard GDPR as part of the EU’s constitutional identity, which helps explain why the European Court of Justice often adopts particularly strict interpretations of its provisions.
The discussion then turned to the increasingly crowded regulatory landscape that has emerged since 2019. New legislation including the AI Act, Data Act, Digital Services Act, Digital Markets Act and Data Governance Act all intersect with data processing rules while simultaneously preserving GDPR’s supremacy. This has created considerable legal uncertainty, particularly around obligations such as data sharing and AI bias testing.
A major focus of the session was the EU’s proposed “Omnibus” reforms. Following the formation of the new European Commission under Ursula von der Leyen after 2024, reducing regulatory burdens for businesses — especially SMEs — became a political priority. The Omnibus mechanism was introduced as a fast-moving legislative vehicle intended for relatively limited technical amendments rather than wholesale reform.
Two Omnibus initiatives were discussed. The AI Omnibus, which amended aspects of the AI Act, has already progressed without directly changing GDPR. More controversial is the proposed Data Omnibus, which seeks amendments to GDPR, the Data Act and the e-Privacy Directive, but currently faces delays within both the European Parliament and Council.
Among the proposed GDPR amendments are changes to Article 15 access requests, allowing controllers to reject requests deemed “excessive,” particularly where such requests are used tactically in employment or insurance disputes. Simplification of data breach notification obligations is also proposed, reflecting concerns that regulators already receive more notifications than they can realistically process. Cookie regulation reform was another major topic, with questions directed at the current overlap between GDPR and the ageing 2002 e-Privacy Directive.
Looking ahead, Prof. Härting painted a slow and uncertain legislative picture. Negotiations over the Data Omnibus are expected to continue well into 2027, with discussions in Parliament and Council progressing slowly. Given the complexity of the process and the approach of the 2029 European elections, he suggested there is little realistic prospect of major GDPR reform during the current political cycle. Instead, businesses and practitioners may need to rely on more pragmatic interpretations from regulators and courts while awaiting any future overhaul.
With thanks to Professor Härting for an excellent presentation. Views are the speaker’s own and should not be taken as legal advice.