27 November 2025

EU Digital Omnibus Proposals To Reform Data And AI Laws – The Official Version

Addleshaw Goddard

Contributor

Addleshaw Goddard is an international law firm, almost 250 years in the making. We're trusted by over 5000 organisations, including 50 FTSE 100 companies, to solve problems, deliver deals, defend rights, comply with regulations and mitigate risk. Our work spans more than 50 areas of business law for clients across multiple industries in over 100 countries worldwide. And while the challenges our clients bring us may vary, we approach and solve them with the same, single-minded focus: finding the smartest way to achieve the biggest impact.


On 19 November, the EU published its "Digital Omnibus", meaning its proposals to reform data and AI laws, which are made within a broader context of simplification and with the aim of enhancing the competitiveness of EU companies. The proposals have caused concern for some privacy activists, but more positive reactions from AI developers and SaaS providers. Read our overview of the key proposals.

This is an updated version of our previous article about the leaked version of the Digital Omnibus.

It has been rumoured for some time that the European Commission was proposing to amend the EU AI Act, either by "stopping the clock" on entry into force or enforcement, or by simplifying some of its provisions. In addition, the ePrivacy Directive was due to be replaced by a new regulation at the same time as the GDPR became law, but the EU institutions were unable to reach consensus on the changes.

Although transposition of some of the EU's new laws is still underway in the Member States, the Commission now proposes to pass a "Digital Omnibus" to reform these laws, but also go further, reforming related EU legislation, including making significant changes to the GDPR. The two proposals, one to reform the data and cyber laws (the GDPR, ePrivacy Directive, Data Act, Data Governance Act and the NIS2 Directive) and the other to amend the EU AI Act, were published on 19 November.

Some of the more significant proposals are as follows:

GDPR

  • Personal data: The definition of personal data will be amended to reflect recent case law of the EU Court of Justice. The relevant factor would be whether a specific entity can identify an individual, taking into account the means that entity is likely to use.
  • Scientific research: The proposal adds a new definition of scientific research and relaxes some of the rules for processing data for this purpose, including in relation to transparency and responding to DSARs.
  • Special category data: The most controversial proposal in the leaked version has been deleted – this limited the scope of special category data to data that directly reveals information about an individual's sensitive characteristics. This would have meant that data from which sensitive characteristics can be inferred would not be special category data.
  • The published proposal adds new conditions that permit the processing of special category data:
    • development and operation of an AI system or model (subject to safeguards); and
    • use of biometric data to prove identity under the user's sole control.
  • DSARs: The proposal extends the circumstances in which a controller may reject a data subject access request (DSAR) or charge a reasonable fee to where the data subject is abusing their GDPR rights for purposes other than protecting their data.
  • Privacy notices: In certain limited situations where a controller collects data directly from a data subject, the controller will not be required to provide the individual with a privacy notice if there are reasonable grounds to believe that the individual already knows the controller's identity and the purpose of, and lawful basis for, the processing.
  • Automated decision making: Solely automated decisions which have a legal or similarly significant effect on an individual can be taken when necessary for entering into or performing a contract with the data subject, regardless of whether the decision could be taken otherwise than by solely automated means.
  • Breach reporting: Controllers will only be required to report to the Data Protection Authority (DPA) personal data breaches posing a high risk to data subjects. Reports must be made via a new platform (see the proposed NIS2 amendments below), and the reporting deadline is increased from 72 hours to 96 hours. The European Data Protection Board (EDPB) must prepare a reporting template.
  • DPIAs: The EDPB must develop lists setting out the processing operations for which data protection impact assessments (DPIAs) are required and not required, plus a template and methodology for conducting DPIAs.
  • Cookies: To avoid so-called "consent fatigue", consent will not be required where cookies and similar technologies are used for aggregated audience measurement and security purposes. Note that the cookie rules are currently contained in the ePrivacy Directive, but the proposal inserts this amendment into the GDPR.
  • Controllers must ensure that their online interfaces allow users to give or refuse consent to cookies and exercise their right to object through automated and machine-readable means.
  • Where consent is required for cookies and an individual refuses to give consent, the controller must not make a new request for consent for the same purpose for at least six months.
  • Training AI models: Legitimate interest can be used as the lawful basis to process personal data to train AI models (subject to a right to opt out), unless other EU or national laws explicitly require consent.
  • Anonymisation and pseudonymisation: The proposal gives the Commission the power to make new rules to specify the means and criteria to determine whether pseudonymised data no longer constitutes personal data for certain entities.
  • Record-keeping: A separate proposal extends the exemption from the obligation to keep a record of processing activity to organisations employing fewer than 750 persons (the current threshold is 250) unless their processing is likely to result in a high risk to the rights and freedoms of data subjects.

NIS2

  • There will be a single platform for reporting incidents under the GDPR, NIS2, DORA and the Critical Entities Resilience Directive.

Data Act

  • Trade secrets: Data holders will not be required to disclose trade secrets if they can demonstrate that such disclosure poses a high risk of unlawful transfer to third countries with weaker protection compared to that under EU law.
  • Cloud switching requirements: There will be exemptions from the new cloud switching requirements for certain services and providers, which will be subject to lighter regimes:
    • data processing services that are custom-made to the customer's needs or ecosystem; and
    • SMEs and small mid-cap sized providers of data processing services other than IaaS,
    in either case, where the contract was concluded on or before 12 September 2025.

Data Governance Act

  • This will be repealed, and the Data Act will be amended to add some of the Data Governance Act's provisions.

EU AI Act

  • The deadline for providers and deployers of high-risk AI systems to comply with their obligations under the Act (currently 2 August 2026) is delayed until either:
    • six or 12 months (depending on the category of high-risk system) after the relevant standards and other support tools for high-risk AI requirements become available; or
    • 2 December 2027 (for systems listed in Annex III) and 2 August 2028 (for systems covered by laws listed in Annex I) at the latest.
  • AI systems built on general-purpose AI models or embedded in very large online platforms and very large search engines will be regulated by the EU AI Office rather than by national authorities.
  • There will be a grace period on the "watermarking" obligation for AI systems placed on the market before 2 August 2026 – the compliance deadline is extended from that date until 2 February 2027.
  • The AI literacy obligation (which became applicable in February 2025) will move from the organisation itself to the EU and national authorities.
  • There will be expanded exemptions from the Act's obligations for small mid-cap entities.

The changes set out in the proposal go further than expected and have provoked strong reactions from privacy activists. On 11 November noyb (Max Schrems' privacy organisation), the Irish Council for Civil Liberties and European Digital Rights published a joint open letter to the European Commission expressing concern about the impact that these proposals would have on individuals' privacy.

However, the changes would be welcome to many, as they would make some aspects of GDPR compliance less onerous, in particular the rules on using personal data to develop and operate AI models. In addition, the Data Act's rules on cloud switching fees have caused serious concerns for SaaS providers, so the proposed relaxation of the rules for certain services will be welcome to relevant businesses.

The changes set out in the proposals will need to go through a public consultation and the EU legislative process before they become law, and are likely to be amended in the course of that process. We will monitor developments and provide updates in further articles.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
