On 19 November, the European Commission announced its Digital Omnibus Regulation Proposal. This is a significant proposal to reform several major EU data protection and digital laws. The aim is to modernise and streamline the EU’s core regulations for personal data, AI, cookies, cybersecurity, and digital identity tools.
Complying with the GDPR involves both costs and benefits. However, many businesses, especially SMEs, have raised ongoing concerns about high compliance costs and repeated obligations across the GDPR, the Network and Information Security Directive 2 (NIS2), the Data Act, the EU AI Act, and other digital laws. The Commission believes that aligning and simplifying these frameworks could reduce costs and make innovation easier.
Another driver is technology. The GDPR was drafted before the rapid rise in the use of AI models and data-intensive services. The Commission believes this is the right time to refine the rules so that they work effectively with current and emerging technologies.
The announcement has sparked much debate across industries and the privacy community.
Critics of the Digital Omnibus include Max Schrems, the Austrian privacy lawyer known for the cases that struck down the EU-US data transfer frameworks Safe Harbour (2015) and Privacy Shield (2020). He argues that the reforms risk watering down key GDPR protections and shift the balance away from individuals’ rights.
Schrems says: ‘This is the biggest attack on European digital rights in years. When the Commission states that it “maintains the highest standards”, it clearly is incorrect. It proposes to undermine these standards.’
His organisation, noyb, has also warned that changing the GDPR could reduce legal certainty and weaken the EU’s position as the global benchmark for data protection. Read noyb’s first reaction to the Digital Omnibus.
Supporters of the proposed reforms say the changes help toward clearer and more workable rules. GSMA and Connect Europe, the industry associations representing Europe’s telecoms operators, have welcomed the package. CCIA Europe (Computer & Communications Industry Association) also supports the direction of the reforms and believes that ‘further and bolder action is still needed’.
The GDPR – The suggested reforms introduce updates and clearer criteria in several key areas. These include the definition of personal data; rules on anonymisation and pseudonymisation techniques; the processing of personal data for scientific research purposes; the use of personal data to develop and operate AI; the individual’s right of access; requirements for automated decision-making; data breach notifications; and the notion of ‘high-risk’, including which activities do or do not require a Data Protection Impact Assessment (DPIA).
The EU AI Act – Targeted amendments aim to make compliance less burdensome, especially for smaller businesses. Another proposed change is the move toward more central oversight of AI systems built on general-purpose models. The Commission also proposes delaying full implementation of the Act until further guidance and template documentation are available.
Cookie consent changes – The proposed updates focus on improving the user experience. The amendments would ‘reduce the number of cookie banner pop-ups and allow users to indicate their consent with one-click and save their cookie preferences through central settings in browsers and operating systems.’
The Data Act – The Omnibus suggests merging four existing data-access laws into a single, clearer framework. This would remove duplication and create a more straightforward set of requirements for organisations that access, share, or re-use data.
The proposed reforms would influence how organisations collect, use, and share personal data, as well as how they build and deploy AI.
For now, the priority is to stay informed. Organisations should keep a close eye on the legislative process and consider how potential amendments could affect sensitive data processing, consent mechanisms, AI development, and cross-border data governance.
Teams may see changes to the rules for collecting and processing health-related data, especially in research and clinical settings. The proposed redefinition of ‘scientific research’ is likely to apply to clinical research and could also cover the training and development of AI models.
Developers and deployers of AI models could gain clearer expectations for transparency, accountability, and documentation. Proposed revisions to the EU AI Act timeline may also influence product planning and risk management strategies.
Banks, insurers, and FinTechs may benefit from more aligned requirements across frameworks. The potential updated cookie rules would likely affect customer journeys, authentication flows, and digital analysis. They would permit the deployment of cookies and similar technologies without consent for a closed (‘limitative’) list of purposes such as service transmission, user-requested services, creating aggregated statistical information, and security measures.
Pascal Bodang, DPO and EU Pod Leader at the DPO Centre, shares his initial thoughts:
‘The Commission’s goal is clear: streamline obligations, cut red tape, and bring the GDPR in line with an AI-driven data ecosystem. On paper, this is a pragmatic response to ‘modernise and simplify’ and reduce administrative burdens. But the bigger question is whether this shift could dilute the GDPR’s position as the global benchmark for data protection.
‘If the amendments ease compliance at the expense of strict safeguards, the regulation may drift from its original mission of ensuring transparency, accountability, and meaningful control over personal data. That could open the door to legal uncertainty and uneven standards across the EU. More importantly, it risks eroding the trust that both individuals and businesses rely on when operating in the European market.
‘So, the debate becomes unavoidable: is the GDPR evolving, or is it edging away from the ‘gold standard’ status that once set the tone for global privacy regulation?’
Shane Gohill, DPO and Tech & Security Sector Lead at The DPO Centre, adds:
‘The Digital Omnibus marks the Commission’s position, not the finish line. With 12-18 months of legislative procedure ahead, involving committee reviews, amendments, and trialogues, followed by implementation periods, any substantive changes to compliance obligations remain well over the horizon. Organisations should track progress but avoid premature restructuring of existing programmes based on draft text alone.’
Sign up to watch our Privacy Puzzle webinar: TERMINUS OR TURNING POINT? The Digital Omnibus and the future of GDPR and AI
Our expert panel will take you inside the debate. Find out what the Omnibus could change, what it leaves unclear, and how organisations should interpret the proposals as they move through review.