The European Commission presented the proposal for a digital omnibus regulation at the end of November 2025. This proposal comprises a package of legislative amendments. It affects, among other things, the AI Regulation and the General Data Protection Regulation (GDPR).
The European Commission aims to create a more uniform and efficient digital internal market. Companies have long complained about complex and overlapping rules arising from the European digital legislative framework. In short, with this proposal, the European Commission aims to:
At the same time, there are voices in the field that argue the proposed changes may have the opposite effect. In addition to potential negative consequences for the protection of fundamental rights, the proposed amendments may also have concrete practical implications for companies. This blog discusses the key implications of the proposed changes to the GDPR.
Definition of Personal Data
The current GDPR definition is broad. All information that can be directly or indirectly traced back to a natural person falls within its scope. The proposal introduces a relative approach, meaning that data are only considered personal data for a party if that specific party has the means that it could reasonably be expected to use to identify the individual concerned.
As a result, pseudonymised data may fall outside the scope of the GDPR when identification is practically impossible or not considered likely. This change makes the definition context-dependent and therefore subjective. What constitutes personal data for one party may not be so for another. This does not lead to simplification, but rather to increased uncertainty. Who determines whether a party would reasonably use certain means for identification?
Legitimate Interest
The European Commission intends to explicitly allow the processing of personal data on the basis of legitimate interest for two purposes:
This means that, in principle, no consent from data subjects is required to use their personal data for AI training. This exception allows AI systems to process large amounts of personal data, while other forms of data processing remain more strictly regulated. This may undermine the level playing field within the EU, as more leeway is granted to AI.
Large international companies in particular may benefit from this, as they have the resources to develop AI systems and use data from European citizens. For data subjects, it becomes virtually impossible to determine whether their personal data are being used for this purpose, making it difficult in practice to exercise the right to object.
In addition, the definition of scientific research in the proposal is broadly formulated. It includes any research that may lead to innovation, including technological development. There is a risk that companies may use this exception to shield commercial data processing activities from the GDPR.
Rights of Data Subjects
The proposal aims to relax the information obligations for SMEs. In straightforward situations, where limited personal data are processed and it can reasonably be assumed that the data subject is already aware, less information needs to be provided. An exception also applies to scientific research: if informing data subjects is impossible or would require disproportionate effort, this obligation no longer applies.
Furthermore, the right of access is restricted to prevent abuse. A request from a data subject may be refused or a reasonable fee may be charged if the controller can reasonably assume that the request is manifestly unfounded or excessive, or if the right is used for purposes other than data protection. The burden of proof for the controller is lowered by this amendment. While this may reduce administrative burdens for companies, it comes at the expense of transparency for data subjects.
Special Categories of Personal Data
Under the GDPR, the processing of special categories of personal data is, in principle, prohibited. This includes, among other things, biometric data used for unique identification. The proposal allows the processing of such data when this is necessary for identity verification and fully under the control of the data subject.
The proposal also permits, under certain circumstances, the processing of all special categories of personal data for the development and functioning of AI systems. The scope of this exception is unclear, which may result in AI systems increasingly being trained on such data. This increases the risk of unethical use and complicates compliance with data subject rights, which may negatively affect compliance. Moreover, this expansion may give large companies a disproportionate competitive advantage.
DPIAs
The lists for Data Protection Impact Assessments (DPIAs) will be standardized at the European level. There will be a list of processing activities for which a DPIA is required and a list for which it is not required. This reduces the need to conduct a DPIA as a precautionary measure.
Data Breaches
The proposal states that the notification obligation should apply only to data breaches that are likely to result in a high risk to the rights and freedoms of individuals. The notification deadline is extended from 72 to 96 hours. In addition, a single European entry point will be introduced, meaning that notifications under different legislation can be submitted to one European authority.
Opportunities and Risks
The proposal creates opportunities:
But also risks:
The proposal offers opportunities for innovation and the reduction of administrative burdens, but may also weaken privacy protection. For now, the actual effects remain uncertain, as it is still only a proposal. Companies would be well advised to closely monitor developments and take timely measures to anticipate them.
For any questions, please contact Hieke van Druten, Legal Associate IT, Privacy & Cybersecurity, or one of our other specialists within the IT, Privacy & Cybersecurity team.
Would you like to receive a monthly overview of updates and blogs in your inbox? Subscribe to our newsletter!
