For those operating in the European Union, the list of digital technology laws is becoming daunting. Compliance with GDPR to the AI Act — with stops along the way for the ePrivacy Directive and many more – is a significant undertaking. To simplify this confusion, the European Commission is proposing modifications to many of its data laws. It released the first attempt of these changes in the Digital Omnibus Regulation Proposal.
The proposal takes a multi-pronged approach. If passed, it will impact GDPR, simplify rules around AI, data sharing, and modify the EU's approach to cybersecurity, to name but a few. This proposal is far from final: the European Parliament and the European Council must review and debate the proposed changes before any are implemented into law. What is potentially on the horizon?
- With respect to GDPR, there are many things under consideration. A few highlights include making it easier for businesses, in low-risk situations, to give less detailed information in response to a rights request. Also on the horizon is the potential of a 96-hour breach-notice window, instead of 72 hours. Related to this is the possibility for a single point of notification for breaches. And, modify GDPR to clarify that if a business cannot re-identify an individual in practice, that information is not personal data. There is also the potential for a new legitimate interest for data processing of developing or operating AI systems—provided certain safeguards are followed.
- For the ePrivacy Directive (Cookies), changes include incorporating it into the GDPR. As part of this would be new rules to make it easier for users to give or refuse consent and manage choices.
- The omnibus proposal also contemplates changes to the AI Act. These include delaying full application of high-risk rules until necessary standards and guidance are ready, providing phased transition periods and fallback dates. Also, under consideration are changes to bias testing, and extending lighter regulatory requirements from small firms to small‑mid caps. The omnibus proposal also contemplates shifting certain training responsibilities from companies to the Commission and Member States.
- With respect to the Data Act, among the proposed changes are limiting business data-sharing obligations with government to public emergencies. And, expanding rules for switching between cloud providers to include Small Mid-Cap Companies (SMCs), not just small and medium-sized enterprises. Also being contemplated are making the law's smart contract data sharing less strict and easier to follow.
Putting It Into Practice: This is the first step of process that will continue to develop throughout 2026. We will be monitoring for future developments. In the meantime, for companies that operate in the EU, this is another reminder of the importance of a principles-based approach to compliance.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
