ARTICLE
30 December 2025

Digital Omnibus Package: How The EU Is Reshaping The Digital Landscape – Part I

GVZH Advocates

Contributor

GVZH Advocates is a modern, sophisticated legal practice composed of top-tier professionals and rooted in decades of experience in the Maltese legal landscape. Built on the values of acumen, integrity and clarity, the firm is dedicated to providing the highest levels of customer satisfaction, making sure that legal solutions are soundly structured, rigorously tested, and meticulously implemented.
Erika Criscione’s articles from GVZH Advocates are most popular:
  • within Privacy topic(s)

On 19 November, the European Commission published the EU Digital Simplification Package (the "Digital Omnibus") which comprises two proposed laws. The first proposal introduces amendments to several core data, privacy and cybersecurity laws, while the second proposal focuses on updates to the AI Act.

This article focuses on the political background of the reform and key aspects of the proposed amendments to the GDPR, e-Privacy and cyber laws.

EU Commission Political Guidelines 2024-2029: "Europe Needs A Data Revolution"

Following the publication of Mario Draghi's Report [1], which underscores the urgent need to enhance the EU's competitiveness, the European Commission has reaffirmed its commitment to drive digital innovation.

In its Political Guidelines for 2024–2029 [2], the Commission identified "competitiveness" as one of its key strategic priorities [3] and stressed the importance of becoming a global leader in artificial intelligence. The Guidelines further underline the need for a balanced and effective approach to data access, recognising that data is a key driver of societal innovation, including in areas such as personalised healthcare and energy efficiency.

The new strategy aims to create a clearer, more coherent and business-friendly data framework, while ensuring privacy and security standards. The Digital Omnibus Package marks the first legislative step in this broader initiative.

It is also important to note that the EU's digital regulatory framework has been the subject of ongoing debate, particularly among United States stakeholders and major technology companies, who argue that the EU's approach risks overregulation and may hinder innovation.

These criticisms have intensified following the recent sanction imposed on Elon Musk's platform X (formerly Twitter), which has further fuelled discussions on the balance between regulation and innovation in the EU digital ecosystem.

Definition of Personal Data

One of the fundamental changes proposed by the Omnibus Package is an amendment to the definition of Personal Data under Article 4 of the GDPR.

Under the proposal, information relating to a natural person would not automatically qualify as personal data for every controller or entity. Instead, information would not be considered personal data for a specific entity where that entity cannot identify the natural person to whom the information relates, taking into account the means that entity is likely to use. In other words, the decisive factor becomes whether that particular controller has the technical means, tools or reasonable likelihood of re-identifying an individual in the context of its processing activities.

This represents a departure from the current position reflected in the EDPB guidance on anonymisation and pseudonymisation, according to which pseudonymised data is always treated as personal data because re-identification is possible in principle. Under the proposed reform, this assumption would no longer apply as the classification of pseudonymised data becomes context-dependent: it may constitute personal data for one entity but not for another.

Special Category of Data

The proposal introduces new conditions that permit the processing of special category data under art. 9 GDPR, where:

  1. the processing is necessary to confirm the identity of the data subject, and the relevant data and means of verification remain under the sole control of the data subject; and
  2. the processing is necessary for the development and operation of an AI system or model, subject to appropriate safeguards.

The first proposed amendment aligns with the AI Act, eIDAS 2.0 and the emerging framework for the European Digital Identity Wallet, all of which emphasise user-controlled digital credentials and biometric keys.

The requirement that the data subject must have "sole control" over the biometric verification means is crucial.

Under this model, the biometric template must remain exclusively in the possession of the data subject and must not be accessible to any third party. As a result, where a third party, such as a cloud service provider or a software integrator, is involved in the storage, processing or verification of the biometric data, it becomes arguable that the requirement of sole control is no longer satisfied.

The second amendment allows the processing of special categories of data when necessary for developing or operating an AI system or model, provided that appropriate technical and organisational measures are implemented.

Data Subject Access Request: Refusal on "Reasonable Ground"

The proposal would limit the right of individuals to submit data subject access requests (DSARs) in certain circumstances. Where the right of access is abused, the controller may either refuse to comply with the request or charge a reasonable fee for doing so.

This amendment would undoubtedly expand the circumstances in which controllers may refuse to act on a DSAR, based on "reasonable ground", provided that the controller bears the burden of demonstrating that the request is manifestly unfounded. However, this increased flexibility also creates a risk that the right of access could be restricted, potentially undermining its function as a cornerstone of data protection rights.

Incidents and Data Breaches: Key Provisions

One of the most important parts of the proposal is the reform of cyber incident reporting.

  1. The proposal aims to establish a common portal for reporting all incidents under the GDPR, the Critical Entities Resilience Directive (CER), the Network and Information Security Directive (NIS2), the Digital Operational Resilience Act (DORA) and other instruments, reducing duplication and overlapping obligations.
  2. The reporting threshold is higher. Only personal data breaches likely to result in a "high risk" to individuals would need to be notified to competent authorities.

    This is a notable change from the current threshold for notification to regulators, which must be done unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.

  3. The period for notifying authorities is extended from "without undue delay and where feasible not later than 72 hours" to "without undue delay and where feasible not later than 96 hours", in each case from becoming aware of a reportable breach.
  4. According to the Proposal, the EDPB is tasked with the development of a common EU template for GDPR breach notifications, for consideration and formal adoption by the Commission. In addition, ENISA, together with the Commission, must align templates and data fields across NIS2, DORA, CRA and other instruments to the extent possible.

Cookies Consent

The proposal restructures the framework for cookies, whereby the ePrivacy Directive shall no longer govern the processing of personal data. Such processing will fall entirely under the GDPR.

The proposal confirms consent as the general rule. However, the reform introduces a new art. 88a GDPR, which sets out when storing or accessing information in terminal equipment (including cookies) is lawful without consent.

These scenarios are limited to: (i) transmission of electronic communications, (ii) the provision of services explicitly requested by the data subject, (iii) the creation of aggregated audience measurements for the provider's own online service, and (iv) maintaining or restoring the security of a service provided by the controller or the terminal equipment used for that service.

Users are to be given the ability to refuse non-essential cookies with a single click (or equivalent means). Importantly, if a request for consent is declined, a new request for consent for the same purpose may only be made after at least 6 months.

What is next?

The Digital Omnibus draft will now be examined and approved by the European Parliament and the Council. No formal timeline for adoption has been indicated. While some commentators suggest that a realistic timeline could extend to around mid-2027, this remains uncertain and dependent on the outcome of the ongoing process.

Conclusion

Overall, the Digital Omnibus Package represents more than a simple update. It marks a shift in the EU's approach to strengthen competitiveness while still protecting fundamental rights.

This reflects a long-standing challenge in EU digital policy: maintaining high regulatory standards without falling behind rapid technological developments.

Reactions to the proposal show how divided stakeholders are. Privacy-rights organisations warn that introducing more flexibility could weaken the protection of the fundamental right to privacy. On the other hand, AI companies, start-ups and other digital-sector businesses generally welcome the reforms, arguing that they reduce unnecessary burdens and better reflect how technology actually works. Some industry groups also note that clearer and more streamlined processes, such as unified incident-reporting, could improve compliance and support responsible innovation.

Undoubtedly, some of the proposed changes may reduce legal certainty and create new grey areas for organisations, issues that data protection officers, AI specialists and privacy professionals will need to address in the near future.

As negotiations continue, organisations, inside and outside the EU, should monitor the legislative process, assess how the changes may affect their data-governance practices and prepare for a regulatory environment that may be more flexible but will also require stronger internal governance and risk-management systems.

Footnotes

1. https://commission.europa.eu/topics/competitiveness/draghi-report_en

2. https://commission.europa.eu/document/download/e6cd4328-673c-4e7a-8683-f63ffb2cf648_en?filename=Political%20Guidelines%202024-2029_EN.pdf

3. https://commission.europa.eu/priorities-2024-2029_en#_blank

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
