Proposed Revisions to GDPR and Other Digital Rules Under the 'Digital Omnibus' Package

Date: November 26, 2025
Subject: EU Digital Regulatory Reform

Executive Summary

In a significant move to streamline the European Union's complex digital regulatory landscape, the European Commission released the "Digital Omnibus" package in late November 2025. Prompted by the findings of the 2024 Draghi Report on European competitiveness, this legislative package aims to reduce administrative burdens, clarify overlapping rules, and boost innovation without dismantling fundamental rights.

The package proposes targeted amendments to several key pieces of legislation, most notably the General Data Protection Regulation (GDPR), the AI Act, and the Data Act.

1. Major Revisions to the GDPR

The Digital Omnibus proposes the most substantial changes to the GDPR since its implementation in 2018. The goal is to shift from a "compliance-heavy" approach to a more "risk-based" and innovation-friendly framework.

A. Redefining "Personal Data"

Current Rule: The definition is broad and objective; if data can be linked to a person by anyone, it is often treated as personal data.

  • Proposed Change: The Commission proposes a subjective approach. Information would only be considered "personal data" for a specific entity if that entity has the means "reasonably likely to be used" to identify the individual.
  • Impact: This would make it easier to work with anonymized or pseudonymized data, as data that is "anonymous" to the company holding it (but perhaps identifiable by a third party with different data) might fall outside GDPR scope for that specific company.

B. AI and "Legitimate Interest"

The Bottleneck: Companies have struggled to find a legal basis for training AI models on personal data, often relying on "consent" which is hard to scale.

  • Proposed Change: The proposal explicitly recognizes the training of AI models as a "legitimate interest" under the GDPR.
  • Safeguard: This is not a free pass; companies must still conduct balancing tests and allow users to opt out, but it removes the need for explicit consent for every piece of data used in training.

C. Solving the "Cookie Banner Fatigue"

  • Proposed Change: The package aims to harmonize cookie rules by moving elements of the ePrivacy Directive into the GDPR.
  • Exemption: Cookies used solely for aggregated audience measurement (analytics) and security would no longer require user consent.
  • Long-term Goal: The Commission advocates for a transition to universal browser-based signals (like a "reject all" setting in your browser) that websites must legally respect, eventually phasing out individual pop-ups.

D. Unified Data Breach Reporting

Current Issue: Companies currently face different reporting deadlines and forms for GDPR, NIS2, and other cyber laws.

  • Proposed Change: A "Submit Once, Share Widely" mechanism.
  • Single Portal: A unified EU portal for all digital incident reporting.
  • Threshold: The reporting threshold for GDPR breaches would be raised to incidents that pose a "high risk" to individuals.
  • Deadline: The deadline for reporting would be extended from 72 hours to 96 hours.

2. Amendments to the AI Act

Recognizing the rapid pace of AI development and the compliance fears of EU businesses, the Omnibus package addresses the timeline of the recently passed AI Act.

  • Delay of Implementation: The proposal suggests a delay (up to 16 months) for the application of obligations regarding high-risk AI systems.
  • Reasoning: This allows standards bodies more time to develop the technical standards required for compliance, ensuring companies aren't forced to follow rules that haven't been technically defined yet.

3. Streamlining the Data Economy

The package seeks to clean up the "spaghetti bowl" of data regulations that have emerged over the last decade.

  • Consolidation: The Data Governance Act and regulations on the Free Flow of Non-Personal Data will be repealed and their relevant provisions merged into a revised Data Act.
  • Goal: To create a single, coherent rulebook for industrial data sharing, rather than having businesses navigate three or four different overlapping laws.

Q&A: Understanding the Implications

Q: Will this package weaken my privacy rights?

A: Privacy advocates argue that the change to the "personal data" definition and the "legitimate interest" basis for AI training lowers protections. However, the Commission argues that the core rights (right to object, right to erasure) remain intact, and the changes are focused on removing bureaucratic friction for low-risk activities.

Q: Does this mean cookie banners will finally disappear?

A: Not immediately, but they should become less frequent. If the proposal passes, you will stop seeing banners for simple analytics cookies. The eventual shift to browser-based consent settings would essentially eliminate them, but that technology integration will take time.

Q: Why is the AI Act being delayed?

A: The delay is practical rather than ideological. The detailed technical standards (the "how-to" guides for compliance) are not ready. Implementing the law without them would create legal uncertainty and potentially stifle European AI startups.

Q: When will these rules become law?

A: This is currently a legislative proposal. It must be debated and approved by the European Parliament and the Council of Member States. A realistic timeline for adoption would be late 2026 or early 2027, though some "simplification" measures might be fast-tracked.

Conclusion: A Strategic Pivot for Europe

The introduction of the Digital Omnibus package marks a distinct shift in the European Union's regulatory philosophy. For years, the EU has positioned itself as the global "standard-setter" for digital rights, prioritizing consumer protection and fundamental rights above all else. However, the influence of the Draghi Report is evident in this new proposal: the Commission is acknowledging that regulatory complexity has become a barrier to competitiveness.

By proposing to streamline the GDPR, delay the AI Act, and consolidate data rules, the Commission is attempting to thread a very difficult needle:

  • For Businesses: It offers a promise of reduced administrative friction, clearer definitions, and a more welcoming environment for AI development.
  • For Citizens: It maintains that the essence of privacy and safety remains untouched, even if the bureaucratic mechanisms change.

As these proposals move to the European Parliament and Council, fierce debate is inevitable. Privacy advocates will likely challenge the loosening of the "purpose limitation" principle for AI, while industry lobbyists may push for even faster implementation of the simplification measures.

Ultimately, the Digital Omnibus signals that Europe is no longer content to just be the world's digital referee; it wants to get back in the game as a player. Whether these reforms will be enough to close the innovation gap with the US and China remains the defining question of the next legislative term.

Contact the Formiti Team today for a free one-hour consultation to plan for the changes.