Client Alert

Digital Omnibus: EU Commission Proposes to Streamline GDPR and EU AI Act

November 27, 2025
The Commission’s proposals may present far-reaching implications for companies operating in the EU’s digital landscape.

Key Points:

  • Seeking a more practical and flexible EU digital regulation landscape: The European Commission seeks to consolidate overlapping aspects of the GDPR, the EU AI Act, and other EU digital acts.
  • Streamlined data and AI requirements: Proposed changes would potentially narrow GDPR scope, facilitate use of personal data for AI training, simplify data breach and cyber incident reporting, and extend compliance deadlines for high-risk AI systems.
  • Early signal of direction of travel: Though the proposals are at an early stage, companies may begin to review, monitor, and strategically prepare for future regulatory changes.

Introduction

The EU intends to simplify and streamline its complex landscape of digital law with the aim of reducing bureaucracy and boosting competitiveness for businesses operating in the EU. On this basis, the European Commission (Commission) published a proposed legislative pact (the Draft) on 19 November 2025 to amend aspects of the GDPR, the EU AI Act, and other EU digital acts as part of its Digital Omnibus reform. The Draft must now be agreed with the European Parliament (Parliament) and the Council of the EU (Council) before being finalised, and is expected to receive intense scrutiny.

What Are the Proposed Amendments to the GDPR?

The Draft proposes several amendments to the GDPR, seeking to alleviate administrative burden and clarify uncertainty, including:

  • Definition of personal data: The Commission intends to clarify the definition of personal data in Art. 4(1) GDPR by establishing a subjective or relative interpretation of the term, i.e., the assessment of data as personal data or anonymous/non-personal data would be based on the perspective of the relevant data controller. The Commission’s proposed language in the Draft emphasises that data may be considered anonymous/non-personal data for a controller notwithstanding that a subsequent recipient of that data is able to identify the individuals: “[Such information] does not become personal for that entity merely because a potential subsequent recipient has means reasonably likely to be used to identify the natural person to whom the information relates” (Art. 3(1) of the Draft, amending Art. 4(1) GDPR). This clarification reflects the Court of Justice of the European Union’s (CJEU’s) recent decision in EDPS v. SRB (see judgment of 4 September 2025 — C-413/23), in which the CJEU made clear that the scope of the GDPR is limited to situations where a person can be identified by the relevant controller. It is not clear whether data linked to persistent identifiers will be viewed as personal data if such identifiers are used to “single out” a natural person. As is currently the case, much will likely depend on the circumstances of the individual case and the risks which the information in question may carry for data subjects. The Draft suggests the Commission may adopt implementing acts to make clear when pseudonymised data no longer constitutes personal data for certain entities.
  • AI training: The Draft explicitly recognises that controllers may process personal data for the purposes of AI training and operation on the basis of legitimate interests. However, the Draft requires controllers to take protective measures, providing non-binding examples such as data minimisation, data security, and giving data subjects the right to object. In addition, the Draft introduces a new exemption under Art. 9(2) GDPR to allow incidental processing of special category data in the development and use of AI systems and models subject to certain conditions. Controllers are first required to implement safeguards to avoid collection and processing of special category data, and — to the extent feasible — remove any special category data identified in training data sets or the AI system. If it is not possible to remove special category data or to do so would require “disproportionate effort” (the Recitals indicate that “disproportionate effort” in this context would include model re-engineering), the controller must ensure such data cannot be used to produce “outputs” or otherwise be made available to third parties. Further, under the proposed amendments to the EU AI Act (as set out below), the use of special category data for AI bias detection and correction is explicitly permitted on the basis of the Art. 9(2)(g) GDPR exemption (public interest authorised by law).
  • Biometric data: The Commission proposes an additional new exemption under Art. 9(2) GDPR to allow processing of biometric data, if necessary, to verify or authenticate an individual (and provided the data needed for verification remains under the control of the data subject). The Recitals set out the distinction between the use of biometric data for verification/authentication purposes (as would be permitted under the new Art. 9 exemption), meaning one-to-one verification of an individual based on data provided by the data subject, and use of biometric data for identification purposes, meaning a one-to-many search to identify an individual in a database.
  • Transparency: The Draft expands the existing exemption from the requirement to provide privacy notices. Privacy notices are not required if: there is a clear and limited relationship between the controller and the data subject; the controller’s activity is not data-intensive; and it can reasonably be assumed that the individual already has the necessary transparency information. This exemption would not apply to data processing related to profiling, data transfers to third countries, or data sharing with third parties. 
  • Single-entry point for data breach reporting: The Draft aligns the data breach reporting thresholds under Art. 33 and 34 GDPR such that controllers must only notify data breaches to the relevant supervisory authority if the breach is likely to result in a “high risk” of harm to impacted individuals (currently under the GDPR, breaches must be reported unless “unlikely to result in a risk of harm”, a significantly lower threshold). The Commission also proposes to increase the breach notification deadline from 72 hours to 96 hours and to introduce a new single-entry point for breach and incident reporting under the GDPR, Network and Information Security Directive (NIS 2), Digital Operational Resilience Act (DORA), Electronic Identification, Authentication and Trust Services Regulation (eIDAS), and Critical Entities Resilience Directive (CER). However, incident and vulnerability reporting under the Cyber Resilience Act (CRA) would not be included in the single-entry point framework. Under the Draft, the Commission would adopt a harmonised template for breach reporting as well as a harmonised list of circumstances in which a personal data breach is considered likely to result in a high risk to individuals. 
  • Data subject access requests: According to the Draft, controllers may reject abusive requests for access to data if data subjects pursue objectives that are not covered by the GDPR. This provision is likely to refer, in particular, to cases in which data subjects attempt to misuse requests for access to obtain evidence and other advantages in legal disputes with the controller, or simply to harass the controller. Such situations are frequently found, for example, in actions for damages under Art. 82 GDPR and in labour court disputes. In certain cases, courts have already rejected such requests as an abuse of law. However, the proposed amendments do not make fully clear the conditions under which controllers may reject such requests for access. Plaintiffs and their representatives are likely to argue in future that their requests for access do indeed serve to exercise data protection rights under the GDPR.
  • Cookies and tracking technologies: The Commission proposes moving restrictions on the use of cookies and tracking technologies, when personal data is processed, from the ePrivacy Directive to the GDPR. Under the Draft, consent would not be required for the use of cookies involving personal data and any subsequent data processing: (a) for communication transmission; (b) to provide a service requested by the user; (c) aggregated audience measurement for the controller’s own use; or (d) security of the service or the user’s device. If consent is relied on to deploy cookies, the Draft makes clear that any subsequent processing of personal data collected via those cookies can rely on any GDPR legal basis (including legitimate interests, if appropriate). The Draft also addresses cookie consent standards, requiring controllers to implement single-click cookie opt-outs and to respect user opt-outs (i.e., not repeat the consent request) for at least six months. The current ePrivacy Directive cookies rules would remain applicable to cookies and tracking technologies that handle only non-personal data (e.g., certain analytics tools or security technologies), resulting in a divergent set of consent requirements which may not be easily accommodated in a uniform user interface. Moreover, it is not clear what information would be considered personal or non-personal data, e.g., persistent identifiers as referred to above. 

What Amendments Are Proposed to the EU AI Act?

The Commission proposes several changes to the EU AI Act, including (most significantly) pushing back compliance deadlines for high-risk AI systems. 

  • Implementation deadlines: The Draft delays the long-stop deadlines for providers and deployers to comply with the EU AI Act’s requirements from 2 August 2026 to: (i) 2 December 2027 for high-risk AI systems listed in Annex III (AI systems used for certain applications such as recruitment, emotion recognition, credit scoring, and others); and (ii) 2 August 2028 for high-risk AI systems per Annex I (products, or safety components of products, regulated by certain EU product safety laws). The relevant obligations may apply earlier if the Commission confirms that sufficient compliance support measures (such as harmonised standards and common specifications) are in place. In such circumstances, the high-risk AI system requirements will apply from six months (for high-risk AI systems listed in Annex III) or 12 months (for high-risk AI systems listed in Annex I) from the date of the Commission’s confirmation on sufficient compliance support measures. The deadline for compliance with the labeling obligations for AI-generated content under Art. 50(2) of the EU AI Act would be extended to 2 February 2027 for providers that have placed their systems on the EU market before 2 August 2026.
    In order for these later deadlines to take effect in practice, the Draft pertaining to amendment of the EU AI Act (rather than the Digital Omnibus as a whole) must be adopted before 2 August 2026. As such, businesses have no guarantee that these suggested deferred deadlines will take effect; however, it is possible that these EU AI Act changes will be prioritised and progressed on a faster timetable than the rest of the Digital Omnibus, given they are set out in a separate proposal. 
  • AI literacy: The current obligation for providers and deployers to ensure AI literacy of their employees would be abolished. Instead, the Commission and EU Member States would be required to encourage providers and deployers to develop AI competence in their organisations through funding and support measures.
  • Bias check: As referenced above, the Draft would amend the EU AI Act to explicitly provide that providers and deployers may process special category personal data for the purposes of detecting and correcting bias in AI on the basis of the Art. 9(2)(g) GDPR exemption (public interest authorised by law). Certain conditions apply to the processing of special category personal data on this basis, including proportionality, security, and data deletion. 
  • Regulatory sandboxes: The possibility of using sandboxes and real-world testing would be expanded at a national and EU level for the benefit of certain industries, for example, the automotive industry. 
  • Supervision: Supervision of AI systems that either constitute or are integrated into major platforms and search engines designated as Very Large Online Platforms or Very Large Online Search Engines under the Digital Services Act would be bundled into the AI Office.

What Is the Impact on Companies?

If retained in the final regulation, the proposed changes could have far-reaching implications for companies subject to these EU digital laws, including, but not limited to, potentially: 

  • narrowing the scope of personal data under the GDPR;
  • facilitating use of personal data and special category data for AI training;
  • simplifying data breach and cyber incident reporting;
  • reducing and streamlining consent requirements for the use of cookies and the subsequent use of personal data; and
  • extending compliance deadlines for high-risk AI systems.

Notably, the scope of many provisions and their practical implications remain unclear. This applies, for example, to the proposed amendments to cookies requirements, and the corresponding implications for consent management platforms have yet to be clarified. Further, the discussion around the distinction between personal and non-personal data is likely to continue as the Draft does not set out clear criteria in this regard. It is also unclear whether the deferred compliance deadlines for high-risk AI systems under the EU AI Act will come into force in time to be of practical benefit. These uncertainties are likely to pose considerable challenges in practice; however, companies can take steps to prepare for what comes next.

What Steps Can Companies Take Now?

It is not possible to predict which of the Commission’s proposed measures will be implemented in the final regulation and in what form. However, given the Draft will likely serve as a basis for further discussions within the EU, companies should comprehensively review the Draft, monitor developments, and start to consider potential operational and strategic implications. 

The Draft and its future development present an opportunity for a more practical and flexible digital regulation landscape in the EU. With this in mind, companies should consider engaging with, and providing feedback on, the consultations and ongoing discussions around the Draft. Companies may find it most useful to identify the requirements and regulations that pose the highest risks to the company or that remain unclear. 

For questions about the corresponding analyses and planning next steps within the framework of the further legislative process, please reach out to one of the contacts listed below.

    This publication is produced by Latham & Watkins as a news reporting service to clients and other friends. The information contained in this publication should not be construed as legal advice. Should further analysis or explanation of the subject matter be required, please contact the lawyer with whom you normally consult. The invitation to contact is not a solicitation for legal work under the laws of any jurisdiction in which Latham lawyers are not authorized to practice. See our Attorney Advertising and Terms of Use.