Data Protection Day 2026

EU's Digital Omnibus signals regulatory shifts ahead - are you ready?

  • 2 minute read
  • January 28, 2026

On 19 November 2025, the European Commission (EC) published a set of proposed amendments under its Digital Omnibus Proposal, a three-part proposal designed to update and simplify existing EU laws on privacy, data, Artificial Intelligence (AI) and cybersecurity.

As geopolitical rifts continue to spill over into business operations and the race to lead in AI accelerates, the EC’s proposal signals a broader global pattern towards regulatory simplification and systemic reordering. Specifically, the omnibus seeks to reduce compliance and operational costs for smaller businesses, provide more clarity on existing data protection concepts, and support innovation by further embracing risk-based approaches.

To mark this year’s Data Protection Day, we take a closer look at five of the proposed amendments to the General Data Protection Regulation (EU) 2016/679 (GDPR).


Rules around AI expected to loosen

The proposal clarifies that the processing of personal data for AI use and development may be based on ‘legitimate interests’.

Apart from those instances where consent is explicitly required under EU or member state law, the amendment would clarify where a controller may rely on ‘legitimate interests’ as a legal basis (i.e. Article 6(1)(f) of the GDPR) in the context of the development and use of AI. As a reminder, this legal basis requires a balancing test between the legitimate interests of the controller and the rights and freedoms of data subjects to be carried out and documented.

Also in the context of AI, the proposal introduces an additional condition under Article 9(2) of the GDPR for those instances where the controller did not intend to process special categories of data (such as health or biometric data) for the development or use of its AI systems or models, but such data are nevertheless processed residually. The controller would still be required to implement appropriate technical measures throughout the AI lifecycle so that special categories of personal data are not processed, are deleted once identified in datasets, or, alternatively, are protected by sufficient measures against disclosure.

Streamlined thresholds for data breaches

Deadlines to report personal data breaches would be extended to 96 hours.

Currently, under the GDPR, controllers are required to report personal data breaches to competent authorities within 72 hours of becoming aware of the breach. The omnibus would extend this strict deadline by a further 24 hours. Furthermore, the proposal would raise the threshold for notifying supervisory authorities to ‘likely high risk’ situations only, which would align with the Article 34 requirement for communicating a personal data breach to a data subject.

Redefining – slightly – what qualifies as personal data

Data would no longer be considered personal unless a natural person is reasonably likely to be identified.

Following a recent ruling from the EU Court of Justice, the proposal seeks to amend the definition of personal data under Article 4 of the GDPR. Namely, the amendment puts forth that data will not be considered personal if the organisation holding it does not have ‘means reasonably likely to be used’ to identify the person associated with the information.

This new definition would introduce a less rigid, context-specific approach whereby entities wishing to be exempted from the GDPR would be required to demonstrate that they indeed do not possess reasonable means to re-identify a data subject.  

But with this move also comes some uncertainty, specifically with regards to existing controller-processor arrangements in terms of Article 28 of the GDPR – for instance, where information is not considered as personal data for the processor, it remains to be seen whether the controller is still required to impose Article 28 obligations on such processor.

Abusive access requests could be denied

Where access requests are unfounded, excessive, or used for purposes other than data protection, controllers may reject such requests or charge a fee.

While previous guidance from the European Data Protection Board suggested that data subjects are not obliged to give reasons for or to justify their data protection rights requests, controllers have conversely reported, repeatedly, that significant resources are dedicated to dealing with abusive access requests. To remedy this, the EC is suggesting limiting the right granted under Article 15 to purposes solely related to the protection of a person’s personal data, namely for them to be aware of and to verify the lawfulness of the controller’s processing activities. The EC argues that this will ‘allow controllers to allocate their resources more effectively and focus in a timely manner on genuine access requests’.

Fewer cookie pop-ups on the horizon

The provision would enable users to provide consent with a single click, with their choice to be respected for a period of 6 months.

Rules on cookies – which currently stem from the ePrivacy Directive (as transposed into local law) – require the consent of users before accessing information stored on their terminal equipment. The rules are expected to move under the GDPR, and in addition, consent would no longer be required for certain low-risk purposes such as audience measurement when carried out by a media service provider or for creating website and application usage statistics. Users would also be able to give or refuse consent via a single-click button and save their preferences through centralised browser settings.

Actions to take now

The digital omnibus remains a proposal at this stage, and the amendments outlined above may further evolve once the package goes through the European legislative process. Against this backdrop of a fast-moving regulatory terrain, business and compliance leaders need an agile playbook to navigate such disruptions. 

Here are three strategic actions to help organisations approach this challenge with confidence:

Conducting a detailed data protection audit across supply chains, operations and technologies will help the business uncover key insights and make informed decisions on short- and long-term regulatory priorities.

Prioritising partners that demonstrate resilience and a shared commitment to GDPR compliance will ease the regulatory pressure. Businesses should revisit their contractual relationships and understand where partners can cooperate and support their compliance frameworks further – for instance in responding to data subject rights requests, reporting data breaches, or providing support in performing data protection risk assessments.

Various aspects of the proposal raise the bar on justification and risk mitigation. Moreover, with the increased adoption of technologies such as AI, businesses need to ensure that adequate controls are being implemented. In most cases, documentation such as the record of processing activities, data protection impact assessments and legitimate interests assessments, as well as privacy notices need to be updated to ensure traceability and compliance with the GDPR.

Contact us

Mark Lautier
Partner, PwC Malta
Tel: +356 2564 6744

Lee Ann Agius
Senior Manager, Tax, PwC Malta
Tel: +356 7973 6159

Yuv Ramdharrysing
Manager, Tax, PwC Malta
Tel: +356 7973 6096