The Digital Omnibus — proposed key changes to EU data protection obligations

We break down the key proposed reforms in the Digital Omnibus Package and outline what businesses should do to prepare.
Authors: Eleanore Beard, Esme Steiger

On 19 November 2025, the European Commission officially published the Digital Omnibus Package. This initiative seeks to simplify and harmonise EU digital laws, including the General Data Protection Regulation (GDPR), Privacy and Electronic Communications Regulations (PECR) and various cybersecurity and privacy frameworks.
With potential changes spanning everything from cookie consent to artificial intelligence (AI) governance and data‑sharing rules, the Digital Omnibus signals the start of a major shift in how businesses will be expected to manage data, technology and compliance across the EU.
Here, data protection specialist Eleanore Beard and Esme Steiger break down the key proposed reforms and what businesses should do to prepare.
The stated aim of the Digital Omnibus is to harmonise compliance, reduce costs and foster innovation, ultimately strengthening EU business competitiveness by reducing regulatory burdens. However, the proposals have already sparked debate, with critics warning that they could erode privacy, lower data protection standards and weaken AI accountability.
The European Commission intends to pursue an agenda to simplify and improve regulation at all levels, and the Digital Omnibus represents the first step in optimising the digital rulebook. A public consultation will follow to examine the rules in more detail and assess their impact on competitiveness.
While the exact details of the changes are still under discussion, these are some of the key changes likely to emerge:
Information will only be considered personal if an individual can be identified with ‘reasonable likelihood’. This reflects a recent CJEU ruling (EDPS v SRB) which confirmed that data isn’t personal where the holder lacks the means to reasonably identify the individual, meaning that such data would fall outside GDPR’s scope. To support this change, the Commission plans to provide guidance for controllers on assessing whether pseudonymised data qualifies as personal data, including specified criteria and methods for evaluating the risk of re-identification.
Two new exemptions are proposed. Biometric data may be processed to confirm a data subject’s identity where the means for verification is under the sole control of that person. Limited, residual processing of special category data would also be allowed for the development and operation of an AI system or AI model, subject to certain conditions.
The proposal seeks to clarify when a business can refuse DSARs. Specifically, controllers may reject requests that are clearly abusive, such as those made for purposes unrelated to data protection (for example, litigation or other non-privacy objectives). This change aims to prevent misuse of DSAR rights while maintaining transparency for genuine privacy concerns.
Certain obligations to provide privacy information would be removed where the individual already has that information, except in specific circumstances where additional disclosure is necessary.
The European Data Protection Board (EDPB) plans to compile a harmonised EU-wide list of processing activities that do or don’t require a DPIA, along with standard templates. This is intended to eliminate fragmented national approaches and provide clarity for businesses.
One of the most notable changes under the Digital Omnibus relates to cookie consent, with the proposal aiming to significantly reduce the complexity and regulatory burden associated with cookie compliance.
Currently, businesses must display multiple consent banners and pop-ups that often frustrate users and create unnecessary online friction. Under the new approach, the rules would streamline consent requirements, cutting down on excessive prompts and simplifying how organisations obtain valid consent.
The goal is to make compliance easier while improving the user experience. This change reflects a broader effort to modernise ePrivacy rules and align them with the practical realities of digital engagement.
The Digital Omnibus introduces several significant updates aimed at simplifying compliance and harmonising rules across the EU’s digital framework. One major proposal is the creation of a single reporting mechanism for both cybersecurity and personal data breaches, supported by standardised templates to help businesses to meet their obligations more consistently and efficiently.
The Commission plans to consolidate and align multiple regulations — including the Data Governance Act and the Open Data Directive — into a more streamlined and coherent legislative framework within the EU AI Act and the EU Data Act. This integration is intended to reduce complexity and eliminate overlapping requirements.
It also intends to introduce a ‘European Business Wallets Regulation’, providing a secure digital tool that acts as a single platform for businesses to exchange verified digital data seamlessly across borders.
The proposed changes focus on easing compliance while maintaining strong safeguards for fundamental rights. Key updates include extended compliance timelines for high-risk AI systems, reduced mandatory registration requirements for certain systems and simplified conformity assessments and reporting obligations — particularly for SMEs and newly included mid-cap companies.
Additionally, the Omnibus intends to introduce a new legal basis for processing special category data to detect and correct bias in AI systems, subject to strict controls and safeguards.
The EU AI Office will take on a stronger supervisory role over general-purpose AI models and AI used by very large online platforms and search engines. The requirement for businesses to provide AI literacy training may be scaled back, with initiatives coordinated by the Commission and Member States instead. Post-market monitoring obligations will also become more flexible, reducing administrative burdens.
The Digital Omnibus proposes to introduce important updates to the EU Data Act, designed to clarify its scope and strengthen protections for sensitive business information.
The proposals include amendments to the existing definitions and the introduction of new ones to ensure consistency across EU digital legislation, aiming to eliminate ambiguity and provide clearer guidance for businesses managing and sharing data.
To address a number of criticisms of the Act, the Omnibus suggests allowing data holders to refuse disclosure requests where there’s a high risk of unlawful acquisition of trade secrets. The proposals also include specific exemptions that allow businesses to decline data-sharing requests under certain circumstances, such as when disclosure could compromise security or confidentiality. These exceptions are intended to provide flexibility while maintaining trust and compliance.
Although the Digital Omnibus is still at the proposal stage and not yet law, it signals significant changes to GDPR, the EU AI Act and the Data Act that’ll impact UK businesses operating in or trading with the EU. This makes it an ideal time to take stock of your compliance position.
Here are some recommendations to help you to prepare:
If you need support with data protection, UK GDPR, EU GDPR compliance or understanding your obligations, our specialist data protection team is here to guide you through every step of the journey.
Talk to us by giving us a call on 0333 004 4488, sending us an email at hello@brabners.com or completing the contact form below.

Eleanore Beard
Eleanore is a Legal Director and Data Protection Practitioner in our commercial team.