Introduction
"Europe is lagging behind," "too many rules, not enough innovation," "stifled by its own framework": the refrain is well known. Faced with this recurring criticism, the European Commission is going on the offensive and presenting a colossal project on November 19, 2025: the Digital Omnibus. This ambitious proposed regulation could redefine the European digital landscape. Between administrative simplification and fears of weakened protections, this package of measures profoundly alters the GDPR, the AI Act, and cybersecurity rules. Here we break down a reform that is already dividing Europe.
1. What is the Digital Omnibus?
The Digital Omnibus is a set of legislative measures proposed by the European Commission to simplify and harmonize digital regulations within the European Union. This initiative aims to reduce the administrative burden on businesses while maintaining a high level of data protection and cybersecurity.
1.1 Background and objectives of the reform
Faced with recurring criticism of excessive European regulation, the Commission published the Digital Omnibus with clear objectives:
- Reduce the administrative burden for all businesses by 25% by 2029
- Reduce obligations for SMBs by 35%
- Generate up to €5 billion in savings
- Stimulate European innovation, particularly in the field of artificial intelligence
The proposal affects a wide range of legislation that forms the basis of European digital regulation: the GDPR, the ePrivacy Directive, the AI Act, NIS2, DORA, and the Data Act. It is a series of changes on a scale unprecedented since the GDPR came into force in 2018.
2. Major changes to GDPR
The Digital Omnibus proposes substantial changes to the General Data Protection Regulation. Here are the key points of this transformation:
2.1 Redefinition of personal data and pseudonymization
Proposed change: Information would only be considered personal data if the entity that holds it has means that are reasonably likely to identify the data subject. This definition of personal data is based on the ruling of the Court of Justice of the European Union of September 4, 2025.
New – Implementing acts: The text provides for the possibility for the European Commission, together with the European Data Protection Board (EDPB), to assist data controllers in qualifying pseudonymized data. Implementing acts may specify the relevant means and criteria, including the state of the art of available techniques and the assessment of the risk of re-identification.
Consequence: This "subjective" approach to the personal nature of data could allow certain pseudonymized data, currently protected by the GDPR, to fall outside the scope of the regulation. A company receiving pseudonymized data from a third party could process it freely if it does not have the means to re-identify individuals.
⚠️ Point of attention: Privacy advocates fear that actors such as advertising agencies will exploit this loophole by claiming that they do not have the means to identify individuals. Some NGOs even denounce a potential setback for fundamental rights.
2.2 Legitimate interest in training AI models
Proposed change: The Digital Omnibus would introduce the possibility of using personal data to develop or operate an AI system or model on the basis of legitimate interest, without systematically seeking users' consent (except where consent is required by law). This measure should facilitate the data sharing necessary for the development of European AI.
Condition: The data controller should implement technical and organizational measures to protect the rights of data subjects.
Consequence: Technology companies could legally access vast amounts of data to develop their AI systems, provided they respect an unconditional right to object. This development marks a significant change in the lives of companies developing artificial intelligence solutions.
✅ Important note: The CNIL (National Commission for Information Technology and Civil Liberties) already allows this practice in certain cases. The reform would simply enshrine it explicitly in European law and harmonize it across Member States. This measure is part of a drive to encourage the emergence of companies developing artificial intelligence solutions within the European Union.
2.3 New exceptions to the processing of sensitive data
The Digital Omnibus provides for two new exceptions to the general prohibition on processing sensitive data (Article 9 of the GDPR):
a) Exception for biometric data: Processing would be exempted when necessary to confirm the identity of the data subject, where the data and means of verification are under the exclusive control of that person. This exception applies in particular to biometric recognition systems on personal devices (such as fingerprint unlocking or facial recognition).
b) Exception for AI – residual sensitive data: An exception is provided for the residual processing of sensitive data (racial origin, political opinions, health, sexual orientation, etc.) in the context of the development and operation of an AI system or model.
Strict condition: Data controllers must implement appropriate technical and organizational measures to prevent the collection of such data. If, despite these preventive measures, sensitive data is identified, the controller must delete it.
Consequence: Instead of prohibiting the use of an entire dataset containing some sensitive data residues, the reform would allow its use provided that these residues are neither exposed nor reused in the model's responses.
2.4 Clarification and limitation of the right of access
Proposed change: Where the right of access is exercised abusively for purposes other than the protection of personal data, the data controller may refuse to comply with the request or charge reasonable fees.
Additional clarification: Requests that are too general and imprecise would be considered excessive. The conditions for demonstrating that a request for access is excessive would also be specified in the text.
Consequence: This amendment aims to limit responses to requests for access rights, particularly from former employees seeking information in the context of litigation or to obtain damages under threat of legal action. This echoes certain case law decisions relating to access rights.
⚠️ Point of vigilance: Although the contours of this essential GDPR right have already been clarified by the EDPS, digital rights advocates fear that this restriction could limit citizens' access to their own data and complicate journalistic investigations. Collective action could be considered if the final text proves too restrictive.
2.5 Removal of the obligation to provide information in certain situations
Important new development: The information requirement set out in Article 13 of the GDPR would be waived where it can reasonably be assumed that the data subject already has the information in question.
Scope of application: This would apply in particular to data collected within the framework of a clear and limited relationship, with an activity that is not data-intensive. A non-data-intensive activity is one that collects a small amount of data.
Exclusions: Processing related to employment, for example, is excluded from these activities. This exclusion would not apply when the data is:
- Forwarded to other recipients
- Transferred to a third country
- Used to make automated decisions
- Processed in a manner likely to result in a high risk to the rights of the individuals concerned
Objective: To reduce the information burden on smaller organizations. This measure will open up new opportunities for SMBs, which currently devote significant resources to this obligation.
2.6 Changes to requirements relating to automated decision-making
Major change: The blanket ban on automated individual decisions, currently provided for in Article 22 of the GDPR, would be removed.
New rule: Such processing would be permitted only in three cases:
- In connection with the performance of a contract
- In case of legal authorization
- With the explicit consent of the data subject
This amendment clarifies and relaxes the conditions for using automated decisions, facilitating in particular the development of AI systems for risk assessment or service personalization.
2.7 Data breach notification: extended deadline and high risk
Proposed changes:
- The notification period would increase from 72 hours to 96 hours.
- Notification would only be required if the breach poses a high risk to the rights of the data subject (thus aligning the notification obligation with the obligation to communicate to the persons concerned).
Single point of contact for incident reporting: The draft envisages the use of a single point of contact for reporting security incidents to the supervisory authority, in order to reduce the administrative burden of reporting to multiple authorities in the event of a cross-border breach.
European harmonization: The EDPS would be required to prepare a common template for data breach notifications, thereby harmonizing procedures at the European level. Currently, when notifications are made in multiple jurisdictions, the information requested by supervisory authorities may vary. The European template would simplify the procedure for data controllers.
⚠️ Open question: This relaxation raises the question of the concept of "high risk." Indeed, without defined criteria, a case-by-case analysis will always have to be carried out by data controllers, taking into account the assessment elements recommended by the EDPS.
✅ ENISA portal: The Digital Omnibus provides for the creation of a single portal managed by ENISA (European Union Agency for Cybersecurity) for reporting all incidents (GDPR, NIS2, DORA, CER), which will automatically redistribute them to the competent authorities.
2.8 Harmonization of lists of processing activities requiring a PIA
New: A single list of processing activities requiring or not requiring a Data Protection Impact Assessment (DPIA) should be established at European level, allowing for the harmonization of the concept of high risk.
Responsibility of the EDPB: The European Data Protection Board would be responsible for proposing:
- These common lists
- A common model for carrying out DPIAs
- A common methodology
Current situation in France: These lists have already been drawn up by the CNIL (National Commission for Information Technology and Civil Liberties), in particular using the PIA (Privacy Impact Assessment) tool, which enables DPIAs to be carried out. European harmonization should facilitate the work of companies operating in several Member States.
2.9 Integration of cookie rules (ePrivacy Directive)
Structural change: The cookie rules in the ePrivacy Directive should be incorporated into the GDPR. Two new articles should be added (88a and 88b), providing in particular for the requirement of consent for the storage of or access to personal data on the individual's terminal, subjecting this processing to the GDPR.
Simplified consent: User consent should be simplified via a single-click button to improve the online experience.
Automated signal: Consent to cookies would be expressed directly in the web browser, via an automated privacy signal. User preferences would automatically apply to all websites visited.
Consequence: Current cookie banners would become largely obsolete for most websites. Users would set their preferences once in their browser (Chrome, Safari, Firefox), thereby avoiding the 575 million hours wasted annually by Europeans clicking on these banners.
Notable exception: Media service providers would benefit from an exemption and would not be required to recognize automated signals, although they must still obtain explicit consent for third-party cookies.
✅ Gradual implementation: Initially, banners would evolve towards simplified options (yes/no with one click), then complete management would be transferred to browsers.
3. Reactions and controversies: an intense European debate
The Digital Omnibus is not universally popular. Between enthusiastic supporters and fierce opponents, the reform is crystallizing tensions over the future of European digital technology.
3.1 Criticism from civil society and NGOs
Max Schrems, founder of NOYB, did not mince his words. He described the reform as "the biggest attack on Europeans' digital rights in years" and even referred to "Trump-style legislative practices."
The main criticisms concern:
- Lack of impact assessment: The Commission published the reform without conducting an in-depth analysis of its consequences.
- A fast-track procedure: 127 civil society organizations denounce an expedited process
- A gift to American giants: New legal loopholes would mainly benefit large technology companies, not SMBs
- A weakening of fundamental rights: The reform would undermine 40 years of protection against commercial surveillance.
3.2 Divergent positions of Member States
Member States are equally divided: France, Austria, Estonia, and Slovenia are strongly opposed to the proposal, believing that it weakens data protection. Conversely, Germany, which is traditionally strict, is supporting change on this occasion.
3.3 Reactions from the European Parliament
In the European Parliament, the Center, Left (S&D, Renew), and Green political groups expressed their outright opposition to the proposal, explicitly calling on the Commission to halt these changes to the GDPR. This strong parliamentary opposition suggests that there will be intense debate during the ordinary legislative procedure that is now beginning.
4. Adoption schedule: where are we now?
The Digital Omnibus is only a proposal. The European Parliament and the Council of the European Union must now review, debate, and amend the text before it can be definitively adopted. A public consultation is open until March 11, 2026, allowing stakeholders to comment on this important page in European regulatory history.
4.1 Provisional schedule
December 2025:
- The European Commission formally submits its proposals to the European Parliament
- Referral to the appropriate parliamentary committees
Q2/Q3 2026:
- Voting on final reports in committee
- Adoption in plenary session of Parliament
- The Council defines its position
- Start of interinstitutional negotiations (trilogues)
Q3/Q4 2026:
- If discussions proceed without major setbacks, final adoption possible by the end of 2026
- Particular pressure to adopt AI provisions before August 2, 2026 (date of full implementation of the AI Act)
2027–2028:
- Gradual entry into force (20 days after publication in the Official Journal for most provisions)
- Operational implementation of technical measures (ENISA one-stop shop, automated consent signals)
5. Dipeeo's position on this reform
At Dipeeo, we consider this reform to be a logical evolution of the European framework. Here's why:
A necessary simplification: The accumulation of regulatory texts (GDPR, ePrivacy, NIS2, DORA, AI Act, Data Act) has created a complexity that has become counterproductive. The Digital Omnibus attempts to streamline this body of legislation while preserving its fundamental principles.
Adaptation to reality: Many of the proposed provisions simply formalize practices already accepted by national supervisory authorities, such as the CNIL (National Commission for Information Technology and Civil Liberties). European harmonization was expected, and common procedures (DPIA models, harmonized lists, notification models) will greatly facilitate the work of companies.
Compliance remains key: The reform aims to simplify, but not to deregulate. Companies will still have to demonstrate that they comply with data protection principles, with the same documentation and traceability requirements as before.
Our commitment: We are closely monitoring European discussions and will adapt our recommendations as the text progresses. The goal: to enable you to innovate without risk, while remaining aligned with developments in the European framework.
FAQ: 5 essential questions about the Digital Omnibus
1. Is the Digital Omnibus already in effect?
No. This is a proposal from the European Commission dated November 19, 2025. The text must still be submitted to the European Parliament and the Council for discussion before its potential final adoption in 2026. Final adoption is scheduled for the end of 2026, with effective implementation from 2027-2028.
2. Will the GDPR disappear with this reform?
No, the GDPR is not going away. The Digital Omnibus proposes targeted amendments to ease certain obligations and clarify gray areas, particularly regarding pseudonymization, the use of data for AI, and information requirements. The fundamental principles of the GDPR (transparency, minimization, security) remain intact. The reform aims to simplify often tedious procedures and clarify certain obligations for data controllers.
3. Will cookie banners really disappear?
Partially. The Digital Omnibus Act stipulates that users express their preferences directly in their browser via a single-click button. Websites will have to respect these automated signals. For websites that only collect basic statistics, banners could disappear. For those using targeted advertising or third-party trackers, consent will still be required, but management will be simplified.
4. What does "legitimate interest in AI" actually mean?
Currently, using personal data to train AI generally requires the consent of the individuals concerned. The Digital Omnibus would allow legitimate interest to be relied upon when processing is necessary for the interests of the controller to develop or operate an AI system (except where consent is required by law). The company would have to demonstrate that this use is necessary and proportionate, and put in place appropriate safeguards. Individuals would retain the right to object.
5. How will pseudonymized data be classified after the reform?
The reform provides that the European Commission, together with the EDPS, may assist data controllers in classifying pseudonymized data. Implementing acts will specify the relevant means and criteria, including the state of the art of available techniques and the assessment of the risk of re-identification. This should provide greater clarity and legal certainty for businesses.
Conclusion
The Digital Omnibus represents a potential turning point in European digital regulation. Between necessary simplification and fears of weakened protections, this reform embodies the ongoing tension between innovation and fundamental rights.
There are numerous proposed changes: removal of certain information requirements, harmonization of DPIA lists, relaxation of the rules on automated decisions, extension of the deadline for reporting breaches, integration of rules on cookies, and above all, opening up legitimate interest for the development of AI.
The coming months will be decisive. Negotiations between the Commission, Parliament, and Council will shape the final version of the text. The compromises reached will determine whether Europe succeeds in reconciling economic competitiveness and citizen protection, or whether it sacrifices one for the sake of the other.
At Dipeeo, we remain convinced that well-designed compliance is not a hindrance, but a lever for trust and differentiation. We will continue to support you during this transition period, providing you with the tools and expertise you need to navigate this new regulatory landscape with confidence.
We can only hope that these simplifications will be implemented quickly, as they should reduce the administrative burden while preserving what is essential: the protection of the fundamental rights of European citizens.
Stay informed, stay compliant, stay competitive.