Improving the workability of EU digital rules: the Digital Omnibus from a privacy perspective

The Digital Omnibus has been positioned as a regulatory “simplification” exercise and the European Commission’s stated aim is to simplify and clarify certain obligations while preserving the GDPR’s core protections. In fact, we believe that in fact, the Digital Omnibus seeks to address the operational friction that has emerged as organisations attempt to comply simultaneously with GDPR, the EU AI Act, the Digital Services Act (DSA) and the Digital Markets Act (DMA). From a purely privacy perspective, the Digital Omnibus is better understood as a recalibration of how existing obligations apply in practice.

The central objective is clear: improve workability, legal certainty and proportionality while maintaining fundamental rights and accountability. 
 

What the Digital Omnibus is (and is not)

From a privacy standpoint, the Digital Omnibus should not be interpreted as deregulation. It frames itself as:

  • a coordinated set of amendments and clarifications across EU digital law
  • designed to reduce duplication and inconsistency in compliance activities
  • responding to organisations now managing data, AI and digital risk as one, not separate silos

It is not:

  • a replacement for GDPR requirements
  • a weakening of data subject rights
  • an exemption for AI or digital innovation from data protection law

GDPR remains the foundation of regulation but how obligations are applied, prioritised and evidenced is changing.

What is proposed from a privacy perspective

Regulatory simplification: a shift toward risk and impact

A theme emerging from the Digital Omnibus is the move away from purely procedural compliance toward risk-based, outcome-focused regulation. Three priorities are particularly relevant for privacy teams:

Reducing operational burden

The Digital Omnibus aims to reduce repetitive and overlapping assessments, particularly where similar information is being produced for multiple regimes. Proposals such as “report once, share many” and the introduction of a Single-Entry Point (SEP) for cyber and personal data breach reporting are a move towards standardised EU-wide reporting. Clearer thresholds for regulatory action are also intended to help organisations focus effort where it matters most.

Targeting enforcement where risk is highest

Breach reporting expectations are shifting toward an impact-led approach. Low-risk incidents may require less formality, as regulatory attention is concentrated on incidents that can cause genuine harm to individuals. This aligns closely with GDPR’s existing risk-based framework but offers greater clarity on proportionality in practice.

Supporting AI innovation without removing accountability

The Digital Omnibus seeks to reduce friction between the AI Act and GDPR, particularly for AI development and deployment, aiming to clarify overlaps, reduce duplication and simplify certain compliance expectations.

GDPR clarifications: practical changes with operational impact

Several GDPR-related clarifications stand out for privacy professionals:

DSAR handling

There is greater emphasis on the ability to refuse or charge fees for requests that are “manifestly unfounded or excessive”, particularly in contexts such as employee litigation.

The proposal provides clarification on the interpretation of Article 12(5) GDPR, particularly in relation to requests considered “manifestly unfounded or excessive”. This threshold already exists under the GDPR, the Digital Omnibus seeks to clarify its application in practice. This could include circumstances where the right of access is exercised for purposes other than data protection such as a litigation tactic or within adversarial employment contexts.

Importantly, this does not amend the substance of Article 15. The burden of demonstrating that a request is “manifestly unfounded or excessive” would remain with the controller, and any refusal or decision to charge a reasonable fee would still require clear justification, documentation and consistent application. The proposal represents a clarification of proportionality in enforcement rather than a restriction of data subject rights.

Breach notification

Proposals include extending the notification window from 72 to 96 hours and introducing a single high-risk threshold for notification to both supervisory authorities and affected individuals. Combined with the SEP model, this has the potential to simplify incident response, provided organisations revisit their internal triage processes.

Reducing cookie consent fatigue

The proposals are intended to reduce repetitive consent banners by supporting recognised user preference signals, while preserving the core GDPR requirements for transparency and valid consent. Measures such as a single-click “no” option, restrictions on repeated consent requests and limited consent-free exemptions reflect a more pragmatic regulatory stance, but still with careful assessment and transparency.

AI and personal data: lawful bases clarified, not removed

One of the most significant developments being discussed is the clarification of lawful bases for AI model training. The Digital Omnibus recognises AI model development as a legitimate interest, particularly for general-purpose models. The proposals seek to provide greater legal certainty around relying on legitimate interests for AI training, subject to safeguards, transparency and the right to object.

Certain conditions remain which include:

  • necessity and proportionality should be demonstrated;
  • appropriate safeguards should be in place; and
  • transparency should be meaningful for individuals whose data is used.

Crucially, GDPR principles such as lawfulness, fairness, transparency, purpose limitation, data minimisation and accountability all continue to apply in full. AI development is not exempt from GDPR, rather, lawful bases are being interpreted more pragmatically.


Streamlining Risk, Accountability and Documentation

Another strong theme is convergence. The Digital Omnibus encourages alignment between:

  • Data Privacy Impact Assessments (DPIAs) and AI risk assessments reducing duplicated documentation
  • accountability across the AI lifecycle, with clearer allocation of responsibility
  • EU-wide approaches to defining and documenting high-risk processing

Where an AI system and general-purpose model are provided by the same entity, oversight would move to the European AI Office, reducing engagement with multiple national authorities. Documentation obligations are also being refined with published EU-wide lists of high-risk activities, standardised templates and a self-assessment model for systems that are low-risk or narrowly constrained.


What should Privacy and Compliance teams be doing?

For privacy professionals, the Digital Omnibus sends a clear signal: compliance expectations could become more risk-sensitive, more integrated and more outcome-driven.

Organisations should understand:

  • That the proposal is subject to change and the final article could be end up quite different
  • How current policies, programs and procedures are compliant to existing regulatory requirements
  • How GDPR, AI Act and digital compliance activities could be streamlined without weakening controls
  • whether current AI training and development activities are supported by clear lawful bases, safeguards and transparency
  • how accountability and documentation can be simplified while remaining defensible

The Digital Omnibus aims to sharpen responsibility, not remove it.


Status and Next Steps

The Digital Omnibus forms part of a package of legislative proposals which will now be subject to the ordinary legislative procedure. The proposals will be examined and negotiated by the European Parliament and the Council and may be amended before the final text is adopted, probably in mid-to-late 2026 or early 2027.

Timelines for implementation will depend on the progress of the legislative process and the final agreed wording. The GDPR continues to apply in full. However, as mentioned, this is an appropriate time for organisations to assess where the proposals may have operational impact if adopted.

If you have any queries or would like further information, please visit our data protection services section or contact Christopher Beveridge.