The European Commission published two draft Regulations on November 19, 2025: the Digital Omnibus (available here) and the Digital Omnibus on AI (available here).

The European Commission launched a Digital Package on Simplification as part of its broader initiative to simplify the EU rulebook. Serving as a stress test for existing digital rules, Digital Omnibus aims at addressing stakeholders’ concerns with an ambitious list of amendments.

The challenge is to simplify rules and procedures to relieve small mid-cap companies from burdensome obligations, while maintaining the underlying objectives of the regulatory framework and preserve fundamental rights.

The scope of the draft Digital Omnibus Regulation on the simplification of the digital acquis concerns several regulatory frameworks, including the GDPR, the ePrivacy Directive, the Data Act, and the Cybersecurity framework.

This note provides keys to understanding the substantial modifications proposed by the European Commission regarding GDPR and ePrivacy.

GDPR Key definitions and general principles

Updating the definition of personal data and consolidation of “SRB” ruling. Article 4(1) GDPR defining “Information related to a natural person” would be complemented by the introduction of the perspective of the entity processing the data and the means reasonably likely to be used to identify natural persons. This would incentivize the use of pseudonymisation and other anonymization techniques.

Implementing act on pseudonymisation. A new Article 41a GDPR provides that the European Commission will adopt implementing acts specifying means and criteria to determine whether pseudonymized data no longer constitutes personal data for certain entities. The EDPB will be closely involved in the preparation of the implementing acts and shall issue an opinion on such acts.

Greater clarity on purpose limitation. Amendment to Article 5(1)(b) GDPR explicitly establishes that further processing “in the public interest, scientific or historical research purposes or statistical purposes” must be considered compatible with initial purposes of the processing, independently from the compatibility test of Article 6(4) GDPR.

New grounds for the processing of special categories of data, incl. AI model training. Amendment to Article 9 GDPR sets two new exemptions to the processing of special categories of data: (i) in the context of the development and operation of AI systems and (ii) for biometric verification. The AI training exemption comes with additional safeguards, ie. implementing appropriate measures to avoid the collection and processing of special categories of data.

new limitations to Data subjects’ rights

Introducing more proportionality in the exercise of data subjects rights. Amendments to Article 12(5) GDPR introduce more flexibility for data controllers to charge reasonable fees or refuse to act on the data subject’s request, especially for data access requests when data protection rights are abused for other purposes than the protection of data. The burden of proof that the data subject’s request is manifestly unfounded or that there are reasonable grounds to believe excessive remains to the data controller.

Introducing new exemptions to the obligation to provide information. Amendments to Article 13 GDPR allow exemptions to providing information when (i) personal data are collected on a clear, limited scope, (ii) the data controller’s activity is not data-intensive and (iii) there are reasonable grounds to believe that the data subject already has the information. The exemption doesn’t apply in case of data transfer to a third country, automated decision-making including profiling, or to high-risk data processing. Other exemptions to the provision of information would apply in the context of scientific research, when providing information proves impossible or would involve disproportionate efforts subject to the conditions and safeguards referred to in Article 89(1), or when providing the information is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such situation, the data controller must make the information publicly available and adopt appropriate measures to safeguard the data subject’s rights, freedoms, and legitimate interests.

Limiting the necessity criterion in profiling. Amendments to Article 22 GDPR now allow the decisions producing legal effects for data subjects or similarly significantly affecting them to be based solely on automated processing, including profiling, where that decision is necessary for entering into, or performance of, a contract between the data subject and a data controller, regardless of whether the decision could be taken otherwise than by solely automated means.

AdditionaL compliance guidance from Authorities

Harmonized and more flexible personal data breach notification process. Amendments to Article 33 raise the threshold for the notification of data breaches to authorities. Personal data breaches are subject to notifications to Supervisory Authorities only when posing a high risk to data subjects. The draft proposal also implements a single-entry point for notifications, in coherence with the amended NIS2 Directive. The reporting deadline is increased from 72 to 96 hours.

New guidance from the EDPB and European Commission. The EDPB is vested with new tasks including providing templates for notifying a personal data breach and a list of criteria to help determining if a data breach results in a high risk to the rights and freedom of natural person. The EDPB must also provide guidance for DPIA – Data Protection Impact Analyses (Articles 35 and 70 GDPR). The European Commission is entitled to review and adopt such templates and guidance proposed by the EDPB and eventually update them.

introducing eprivacy principles within GDPR

Incorporating ePrivacy cookie rules into the GDPR – consent remains the principle. New Article 88a would incorporate Article 5(3) ePrivacy Directive into the GDPR for personal data only. The principle of prior consent to the storing and gaining of access to personal data stored in the terminal equipment of a natural person remains unchanged.

Adding 2 new exemptions to consent legal basis. In addition to the 2 existing exemptions (communication transmission and service explicitly requested), the provision introduces 2 new exemptions and the possibility for EU and Member States law to adopt exemptions to this principle subject to the limited objectives listed under Article 23(1) GDPR (inc. national security, public security…). The proposed 2 new exemptions are:

• the creation of aggregated information about the usage of an online service for audience measurement carried by the data controller of that service, and
• maintaining or restoring the security of services provided by the data controller and requested by the user.

Adding conditions to the implementation of consent legal basis to address consent fatigue. The user shall be able to accept or refuse the storing or gaining of access to his or her terminal, “in an easy and intelligible manner with a single-click button or equivalent means”. Other conditions aim at limiting the number of data subject solicitations:

• in case of consent given, the same data subject shall not be requested to consent again for the period for which the controller can lawfully rely on such consent; and
• in case of refusal, the same data subject shall not be requested to consent again during 6 months for the same purpose.

Creating new obligations for automated means to express user’s consent and objection. Draft Article 88b sets a right for data subjects to express consent and to object via automated and machine-readable means.Data controllers must respect the choices of the data subjects, with exceptions for media services providers websites. Reference standards will be drafted upon request of the European Commission. Point 6 creates a new obligation on providers of web browsers (which are not SMEs) to provide technical means to allow data subjects to consent, refuse and exercise the right to object through automated and machine‑readable means.

Limiting ePrivacy Directive to non-personal data. Article 5 of draft omnibus aims at amending ePrivacy Directive to clarify that article 5(3) no longer applies to personal data processing.

Clarifying the use of personal data for AI models training and operation

Legitimate interest as the legal basis for AI development and operation. Draft Article 88cestablishes that data processing activities necessary for the interests of the data controller in the context of the development and operation of an AI system or an AI model can be based on Article 6(1)(f) GDPR except where such interests are overridden by the interests of data subjects or when Union or national laws explicitly require consent. This position provides clarity after the EDPB opinion on AI models.

Recalling privacy principles in the context of AI. Appropriate organizational, technical measures and safeguards must be adopted, such as data minimization, transparency, or providing data subjects with an unconditional right to object to the processing of their personal data.

Next stepS

The draft proposal will be submitted to the European Parliament and the Council for adoption. The draft Regulation will be examined by Members of the European Parliament from January 2026 with the aim of adopting a final report by Q1 2026. In parallel, Member States will begin discussions within the Council to prepare their position.

From Q2 2026, the European Commission, European Parliament, and Council will initiate “trilogue” negotiations to reach a compromise text.

It is likely that the Parliament will apply urgent procedure to bypass Committee negotiations and go directly with a vote of the text, thus reducing opportunities to present amendments. In this case, the adoption of the text could be expected by Q1 2026 instead of mid-2026.