EU Digital Omnibus Regulation

Proposed Changes for the GDPR

Digital Omnibus's proposed GDPR amendments are consequential and have attracted the greatest degree of commentary[2]. 

The principal proposed changes are as follows:

Redefinition of Personal Data: Digital Omnibus clarifies that whether data qualifies as personal data must be assessed from the perspective of the specific entity processing it, meaning the same dataset may be personal data for one organization but not for another that has no realistic means of re-identifying the individual concerned.

AI Development and Legitimate Interests: The proposal expressly recognizes legitimate interests as a lawful basis for processing personal data in the development and operation of AI systems, subject to enhanced safeguards including strict data minimization, protection against residual disclosure, strengthened transparency, and an unconditional right to object.

Pseudonymized Data Outside GDPR for Certain Entities: Under defined conditions, such as pseudonymized health data held by a public authority with no legal or technical means of re-identification, the proposal allows pseudonymized data to fall outside the GDPR's scope for the receiving entity, subject to Commission- or EDPB-established criteria and appropriate safeguards.

Raised Threshold and Extended Deadline for Data Breach Reporting: The notification threshold for reporting breaches to supervisory authorities is raised from "risk" to "high risk" (aligning it with the existing threshold for notifying data subjects), and the reporting deadline is extended from 72 to 96 hours, with future notifications anticipated to flow through a single NIS2 entry point.

Simplified Transparency Obligations: A narrow exemption from GDPR Article 13 information obligation is introduced for routine, low-risk transactions where the individual can reasonably be assumed to be aware of the processing, though the exemption does not apply where data is shared with third parties, transferred outside the EU, or where a data protection impact assessment ("DPIA") would be required.

Harmonized Enforcement Mechanism for DPIA: The EDPB would establish unified EU-level lists of processing activities triggering or not triggering DPIA obligation, along with a standard DPIA template, superseding the current patchwork of divergent national supervisory authority lists.

Data Subject Requests - New "Abuse of Rights" Ground: Controllers may refuse or charge a reasonable fee for data subject requests where the request is being used for purposes unrelated to data protection a provision particularly relevant in the context of disputes with former employees or strategically motivated litigation.

Proposed Changes in Relation to Cookies

Digital Omnibus proposes targeted but significant amendments to rules governing cookies and other tracking technologies. In the current legal framework, the ePrivacy Directive covering the rules of consent requirement operates alongside the GDPR for the rules on processing the personal data. The consolidation motivation is welcomed by the practitioners. 

Digital Omnibus proposes to revise the consent requirements for cookies and similar tracking technologies under Article 5(3) ePrivacy Directive[3]. It envisages a tiered approach under which first-party, non-intrusive cookies used for purely technical or analytical purposes would no longer require prior explicit consent. 

The proposal also imposes specific operational obligations on controllers, requiring them to offer a one-click option to refuse consent and barring them from re-prompting users for consent for the same purpose for a period of six months following a refusal or for the duration of any consent already given.

Conclusion

The EU Digital Omnibus Regulation Proposal represents a significant effort by the Commission to recalibrate the balance between regulatory rigor and operational practicality within the EU's digital framework. As outlined above, the proposed amendments to the GDPR and cookie consent rules seek to address longstanding concerns regarding compliance complexity while simultaneously creating regulatory space for emerging technologies such as AI.

Key proposals, including the redefinition of personal data, the raised threshold for data breach reporting, DPIA harmonization, the new abuse of rights ground for data subject requests, and the tiered approach to cookie consent would, if adopted, materially alter the compliance landscape for organizations operating within the EU. However, these measures have already attracted robust scrutiny from data protection authorities, civil society organizations, and the EDPB[4], who caution that certain simplification measures risk diluting the fundamental rights protections that underpin the existing framework.

The final form of the Digital Omnibus will be shaped by what are expected to be complex inter-institutional negotiations in the EU. In the interim, practitioners and businesses would be well advised to monitor the legislative process closely and to undertake early assessments of how the proposed changes may affect their existing data protection and privacy compliance frameworks.