Digital Omnibus: What the proposed changes mean for GDPR, privacy and cookies

The European Commission’s Digital Omnibus Proposal introduces a set of targeted changes to the GDPR that are intended to reduce unnecessary burden for organisations, increase legal certainty, and tackle persistent issues that have emerged in practice since the GDPR entered into force.

Importantly, the proposal does not seek to “re-open” the GDPR as a whole. Instead, it focuses on specific areas where the Commission considers that compliance costs are high, enforcement is fragmented, and the user experience has degraded. This is why the proposal combines a series of targeted reforms across core GDPR concepts and daily compliance obligations, including the regulatory approach to tracking technologies, transparency requirements, incident reporting, and areas increasingly shaped by new technologies such as AI. 

This article is the first in a series in which we take a closer look at the Digital Omnibus Proposal, following the high-level introduction set out in our pilot article. Across the series, we will explore the proposed changes in more detail and assess their practical implications for organisations.

Below, we set out the most relevant changes for organisations and what these changes may mean in practice.

  • Redefining “personal data” and pseudonymisation: narrowing GDPR scope in specific scenarios
  • Cookies and tracking: bringing “terminal equipment” rules into the GDPR
  • GDPR transparency: simplification of Article 13 information obligations
  • Artificial intelligence: GDPR clarifications on AI development and special category data
  • Automated decision-making: updated wording of Article 22 GDPR
  • Key operational GDPR amendments: DSRs and DPIAs
  • Personal data breaches: extended timelines and streamlined reporting

Conclusion

The Digital Omnibus Proposal does not change the fundamentals of GDPR compliance, but it introduces meaningful operational and conceptual shifts in areas where compliance has been most burdensome, fragmented or uncertain, for example with respect to cookie consent, data breach reporting and certain AI-related processing activities.

For organisations, the proposal’s clearest message is that the EU is moving toward:

  1. Fewer consent prompts but more meaningful and enforceable consent choices.
  2. More standardisation and automation in consent and compliance mechanisms.
  3. Closer alignment between privacy, cybersecurity and emerging technology regulation.

For compliance officers, it means that they will be very busy during the next compliance review cycle.

About the author(s)

Stéphanie de Smedt | Loyens & Loeff
Kirill Ryabtsev | Loyens & Loeff