The European Commission is currently working on a comprehensive package to reform and consolidate European digital law entitled the “Digital Omnibus”. The Commission wants to eliminate overlaps between data protection, data and AI law, simplify regulations and reduce the administrative burden for companies and authorities, but of course without weakening the protection of fundamental rights.
Drafts, whose official publication has been announced for November 19, 2025, are available. This will be followed by the ordinary legislative procedure in the Council and Parliament. The drafts show surprisingly far-reaching changes to the Data Act, the GDPR and the AI Act.
Specifically, the Commission is planning two omnibus regulations (documents via netzpolitik.org):
- Omnibus I (“Digital Omnibus for the digital acquis”)Consolidation of the Data Act, Open Data Directive and Data Governance Act and adjustments to the GDPR.
- Omnibus II (“Digital Omnibus on AI”)Adjustments to the AI Act.
noyb warnsthe draft could damage the basic principles of the GDPR, for example by restricting the concept of personal data. The draft pursues a “death by a thousand cuts” strategy that systematically weakens existing protection standards.
Omnibus I
Data Act
The existing Data Act together with the Open Data Directive and the Data Governance Act will be merged into a consolidated legal act. This will include the following innovations:
- Retention of the ban on data localization requirements within the EU;
- strengthened protection mechanisms against unauthorized disclosure of trade secrets to third countries;
- Extension of existing simplifications for SMEs to small mid-caps (SMCs);
- higher fees and stricter conditions for the reuse of public data by very large companies and gatekeepers within the meaning of the Digital Markets Act (DMA);
- Standardization of the rules on open administrative data, protected data and data altruism;
- In addition, the Regulation on a framework for the free flow of non-personal data in the EU be integrated into the Data Act;
- Data access by authorities should only be permitted in “public emergencies”;
- the chapter on smart contracts is deleted.
GDPR
The GDPR is also to be amended with the aim of clarifying key terms and reducing obligations for harmless processing. The main changes are:
- Specification of the Definition of personal dataclarification that the personal reference requires a realistic possibility of identification;
- Clarification of the Concept of health data (only data “directly revealing information about health status” – a departure from the Case law of the ECJ);
- Exemption from use biometric data “to confirm identity under the sole control of the person concerned”;
- Permissibility of processing special categories for Development and operation of AI;
- Notification of security breaches:
- Extension of the mandatory reporting period to 96 hours;
- Reporting of security breaches via a single entry point system (“Single Entry Point for Incident Reporting”). This should enable reporting obligations to be fulfilled simultaneously in accordance with the NIS2 Directive, the GDPR, DORA, the Digital Identity Regulation and, if applicable, the CER Directive;
- EU-wide standardized negative lists for processing operations that are not Data protection impact assessment require;
- Right of refusal in the event of obvious misuse or abuse Request for information.
The Commission also proposes that the Training of AI models with personal data in future on the basis of the legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR (which shows the previous bad feeling on this topic).
Cookies and online tracking
The processing of personal data on or from terminal equipment – i.e. the Tracking – should only be based on the GDPR. The basic consent requirement under the ePrivacy Directive (Art. 5 (3)) would no longer apply. Instead, a machine-readable preference system for cookies and tracking via browser or app settings, which website operators must respect (except media providers…).
Omnibus II: AI Act
The Digital Omnibus on AI is intended to simplify the AI Act. Feedback from implementation to date has shown delays and ambiguities. The Commission proposes the following measures:
- a possible adjustment of the Implementation deadlinesto take account of delays in standardization and the naming of authorities;
- Transitional period for the labeling obligation (“Watermarking”) for AI systems that were placed on the market before this obligation came into force;
- Extension of the facilitations for SME on small mid-caps (e.g. simplified documentation requirements, consideration for any sanctions);
- Commitment of the Commission and the Member States, AI Literacy itself instead of just making the deployers responsible;
- Reduction of the Registration obligations for AI systems that are used in high-risk areas but only perform procedural or narrowly defined tasks;
- Permissibility of use Special categories of personal data by providers or deployers for the purpose of detecting and correcting bias;
- Expansion of the use of test environments (“AI sandboxes”) and real-world tests;
- Clarification of the Interplay between the AI Act, Cyber Resilience Act and DSA;
- Centralization of the Supervision about AI systems in very large online platforms and search engines at the AI Office.