AI in elite sport — key legal considerations around ‘performance enhancing technology’
AI is enhancing performance and even scouting future talent in elite sport. Sports technology and data are key to success, but come with legal risks.
The Digital Omnibus — proposed key changes to EU data protection obligations
AuthorsEleanore BeardEsme Steiger
7 min read
On 19 November 2025, the European Commission officially published the Digital Omnibus Package. This initiative seeks to simplify and harmonise EU digital laws, including the General Data Protection Regulation (GDPR), Privacy and Electronic Communications Regulations (PECR) and various cybersecurity and privacy frameworks.
With potential changes spanning everything from cookie consent to artificial intelligence (AI) governance and data‑sharing rules, the Digital Omnibus signals the start of a major shift in how businesses will be expected to manage data, technology and compliance across the EU.
Here, data protection specialist Eleanore Beard and Esme Steiger break down the key proposed reforms and what businesses should do to prepare.
What is the Digital Omnibus?
The stated aim of the Digital Omnibus is to harmonise compliance, reduce costs and foster innovation, ultimately strengthening EU business competitiveness by reducing regulatory burdens. However, the proposals have already sparked debate, with critics warning that the proposals could erode privacy, lower data protection standards and weaken AI accountability.
The European Commission is intending to pursue an agenda to simplify and improve regulation at all levels and the Digital Omnibus represents the first step in optimising the digital rulebook. A public consultation will follow to examine the rules in more detail and assess their impact on competitiveness.
Key proposed changes to GDPR
While the exact details of the changes are still under discussion, these are some of the key changes likely to emerge:
1. A narrower definition of personal data
Information will only be considered personal if an individual can be identified with ‘reasonable likelihood’. This reflects a recent CJEU ruling (EDPS v SRB) which confirmed that data isn’t personal where the holder lacks the means to reasonably identify the individual, meaning that such data would fall outside GDPR’s scope. To support this change, the Commission plans to provide guidance for controllers on assessing whether pseudonymised data qualifies as personal data, including specified criteria and methods for evaluating the risk of re-identification.
2. Exemptions for the processing of special category data
Two new exemptions are proposed. Biometric data may be processed to confirm a data subject’s identity where the means for verification is under the sole control of that person. Limited processing of special category personal data would also be allowed for the residual processing of special category data for the development and operation of an AI system or AI model, subject to certain conditions.
3. Data subject access requests (DSARs)
The proposal seeks to clarify when a business can refuse DSARs. Specifically, controllers may reject requests that are clearly abused, such as those made for purposes unrelated to data protection (for example, litigation or other non-privacy objectives). This change aims to prevent misuse of DSAR rights while maintaining transparency for genuine privacy concerns.
4. Transparency & privacy policies
Certain obligations to provide privacy information would be removed where the individual already has that information, except in specific circumstances where additional disclosure is necessary.
5. Data protection impact assessments (DPIAs)
The European Data Protection Board (EDPB) plans to compile a harmonised EU-wide list of processing activities that do or don’t require a DPIA, along with standard templates. This is intended to eliminate fragmented national approaches and provide clarity for businesses.
Key proposed changes to PECR
One of the most notable changes under the Digital Omnibus relates to cookie consent with the proposal aiming to significantly reduce the complexity and regulatory burden associated with cookie compliance.
Currently, businesses must display multiple consent banners and pop-ups that often frustrate users and create unnecessary online friction. Under the new approach, the rules would streamline consent requirements, cutting down on excessive prompts and simplifying how organisations obtain valid consent.
The goal is to make compliance easier while improving the user experience. This change reflects a broader effort to modernise ePrivacy rules and align them with the practical realities of digital engagement.
Proposed changes across EU digital legislation
The Digital Omnibus introduces several significant updates aimed at simplifying compliance and harmonising rules across the EU’s digital framework. One major proposal is the creation of a single reporting mechanism for both cybersecurity and personal data breaches, supported by standardised templates to help businesses to meet their obligations more consistently and efficiently.
1. Integration of digital laws
The Commission plans to consolidate and align multiple regulations — including the Data Governance Act and the Open Data Directive — into a more streamlined and coherent legislative framework within the EU AI Act and the EU Data Act. This integration is intended to reduce complexity and eliminate overlapping requirements.
It also intends to introduce a ‘European Business Wallets Regulation’, providing a secure digital tool that acts as a single platform for business to exchange verified digital data seamlessly across borders.
2. Proposed changes to the EU AI Act
The proposed changes focus on easing compliance while maintaining strong safeguards for fundamental rights. Key updates include extended compliance timelines for high-risk AI systems, reduced mandatory registration requirements for certain systems and simplified conformity assessments and reporting obligations — particularly for SMEs and newly included mid-cap companies.
Additionally, the Omnibus intends to introduce a new legal basis for processing special category data to detect and correct bias in AI systems, subject to strict controls and safeguards.
The EU AI Office will take on a stronger supervisory role over general-purpose AI models and AI used by very large online platforms and search engines. The requirement for businesses to provide AI literacy training may be scaled back with initiatives coordinated by the Commission and Member States instead. Post-market monitoring obligations will also become more flexible, reducing administrative burdens
3. Proposed changes to the EU Data Act
The Digital Omnibus proposes to introduce important updates to the EU Data Act, designed to clarify its scope and strengthen protections for sensitive business information.
The proposals include amendments to the existing definitions and the introduction of new ones to ensure consistency across EU digital legislation, aiming to eliminate ambiguity and provide clearer guidance for businesses managing and sharing data.
To address a number of criticisms of the Act, the Omnibus suggests allowing data holders to refuse disclosure requests where there’s a high risk of unlawful acquisition of trade secrets. The proposals also include specific exemptions that allow businesses to decline data-sharing requests under certain circumstances, such as when disclosure could compromise security or confidentiality. These exceptions are intended to provide flexibility while maintaining trust and compliance.
What businesses should do now
Although the Digital Omnibus is still at the proposal stage and not yet law, it signals significant changes to GDPR, the EU AI Act and the Data Act that’ll impact UK businesses operating in or trading with the EU. This makes it an ideal time to take stock of your compliance position.
Here are some recommendations to help you to prepare:
- Monitor legislative developments — these proposals will undergo debate and amendments before adoption and the Commission has indicated that they’ll request input. Make sure to join the debate where possible.
- Review your GDPR compliance — check your record of processing activities and ensure that your data classifications are up to date.
- Identify any high risk AI systems and ensure that robust controls, safeguards and bias-detection measures are in place.
- Strengthen your cybersecurity & breach reporting — revisit your incident response plans and ensure that they remain effective.
- Review contracts and technical architecture to make sure that they’re compliant with the requirements of the EU Data Act.
Talk to us
If you need support with data protection, UK GDPR, EU GDPR compliance or understanding your obligations, our specialist data protection team is here to guide you through every step of the journey.
Talk to us by giving us a call on 0333 004 4488, sending us an email at hello@brabners.com or completing the contact form below.
Eleanore Beard
Eleanore is a Legal Director and Data Protection Practitioner in our commercial team.
Read more
Talk to us
Loading form...
Related insights
The rise of sustainable tech — opportunities, challenges & the role of AI
We discuss the key opportunities and considerations shaping the future of sustainable AI and quantum‑powered technology.
Reddit’s £14.47m ICO fine — what UK businesses need to do as child protection enforcement ramps up
We break down what the ICO found and outline three key steps that UK businesses should take now.
The UK’s path to 2030 — clean energy in an era of tech acceleration & infrastructure reform
We explore how the UK’s shift to clean power is reshaping industry, infrastructure and the future of energy security.
Am I a data controller? GDPR for social media users explained
We look at the UK GDPR and the Data Protection Act 2018 and outline how the GDPR can apply to both organisations and individuals as data controllers.
3 potential ways generative AI could lead to defamation claims
We explain where generative AI has the potential to damage individuals’ reputations and examine relevant case law from other jurisdictions.
Deepfakes & AI-powered cybercrime in sport — how can athletes & clubs protect themselves?
We discuss the mounting dangers of AI-powered cybercrime across the world of sport with David Andrew — the Founder and Managing Partner of Tiaki.
Data Protection FAQs
Find answers to our most frequently asked questions about data protection and privacy from our lawyers.
Supreme Court unlocks the door to UK patents for AI & computer-related inventions
We explain the importance of the Supreme Court decision and what it means for innovators looking to gain patent protection for computer-related inventions.
2026 horizon scan — key legal & regulatory changes ahead
We explore the key developments that in-house lawyers should have on their radar and what they mean for your organisation in the year ahead.
AI, intellectual property & game development — key insights from Games Tech Connect
We outline the key takeaways from our Games Tech Connect session on how generative AI is being used in video game development.
UKIPO proposes significant fee rises — what rights holders need to know
We outline what you need to know about the UKIPO's proposed fee increases across patents, trade marks and designs.
Jaguar Land Rover cyber‑attack — protecting your workforce during digital disruption
We explain the impact of the cyber-attack on JLR's workforce and outline what to do to protect your business and minimise the impact if an incident occurs.
Cyber-attacks — 8 essential steps to strengthen your response before it’s too late
We outline eight key steps to put your organisation in the strongest position for a prompt and effective response to any cyber-attack.
Tech & IT contracts — how to future-proof for sustainability, AI & cybersecurity
Some tech businesses are exploring how their commercial frameworks could evolve through smarter, values-driven contracting.
Is your AI patentable? Lessons from the Court of Appeal’s landmark ruling
We explore the key issues from the case and consider the practical implications for those operating in the tech, creative and data-driven sectors.
AI Growth Zones — what the £31bn tech investment means for the North
We explore the potential of AI Growth Zones to transform the region through investment and job creation while also highlighting ongoing environmental concerns.
Getty Images v Stability AI — key intellectual property lessons for AI developers
We break down the key takeaways from the final ruling and consider what they mean for the evolving relationship between IP law and AI development.
Data (Use and Access) Act 2025 — how opt-in rules are changing for charities
We explore how charities will need to manage their marketing activities and supporter consent once the secondary legislation takes effect.
AI in football — innovation, risks & the role of human judgement
We explore how AI is influencing football on and off the pitch, highlighting the real-world examples of its impact and the risks that come with it.
Can ChatGPT and other AI chatbots give legal advice?
We explore the confusion surrounding OpenAI’s recent policy update on legal, medical and financial advice.
Capita’s £14m data breach fine — a wake-up call for UK organisations
We explore how weak cybersecurity and slow responses can trigger major data breaches and resulting ICO fines.
Key takeaways from the Future of Retail: Risk & Resilience Conference 2025
At the Future of Retail: Risk & Resilience Conference 2025, leading voices explored the challenges and opportunities shaping the sector.
Getty Images v Stability AI — what it means for the future of AI & intellectual property
We explore the potential impact of AI on existing copyright laws and delve into the other IP and cross-border issues that arise from the use of global AI tools.
UK AI regulation in 2025 — why a ‘light touch’ is likely
We explore the UK's evolving stance on AI regulation, spotlighting a proposed bill for a central AI authority.