Digital Omnibus: How the EU’s new proposal could reshape the GDPR
The European Commission has presented the so-called Digital Omnibus proposal, which bundles amendments to several digital regimes – including the GDPR. The aim is to align the GDPR with contemporary needs around the use of personal data in business, AI development and the cookie landscape, and to reduce unnecessary administration for both organisations and authorities. It is still only a proposal, but clear lines are already visible as to how data protection work may need to evolve. For many organisations, it may be valuable to engage GDPR specialists early to translate the proposal into concrete actions.
Purpose of the Digital Omnibus proposal
Digital Omnibus is not a “new GDPR”, but a series of adjustments to the existing Regulation. The purpose can broadly be divided into four parts:
- Make certain definitions more practically usable – for example, what constitutes personal data, how pseudonymised data should be handled and how purposes of scientific research should be assessed.
- Reduce unnecessary administration – by raising the threshold for when personal data breaches must be notified and when information must be provided to data subjects.
- Harmonise application across the EU – with EU-wide lists for DPIAs (impact assessments), common templates and clearer roles for the European Data Protection Board (EDPB).
- Integrate more digital issues into the GDPR – above all a) AI development and b) cookies/trackers and machine-readable stored consents from, for example, web browsers.
For businesses across Europe, this may mean that some aspects of today’s GDPR work can be simplified, while other areas – particularly AI, automated decisions and cookies – become more technically and strategically charged.
Key proposed changes to the GDPR – an overview
Below is a simplified walkthrough of the most central proposed changes, without entering into full legal detail.
1. The definition of personal data aligns with legal developments
- Information should not automatically be regarded as personal data for everyone merely because some other actor could identify the person.
- The question becomes more actor-dependent: is the person identifiable by “reasonable means” for that specific organisation?
- The Commission would be mandated to set criteria for when pseudonymised data should no longer be regarded as personal data for certain actors (a new Article 41a is proposed).
Practically, this means that assessing whether data is personal data is not only about what is possible in theory, but also about the capability and intent of the particular organisation holding the data.
2. Research and further processing
- The term “scientific research” is clarified and could encompass non-academic research, provided it contributes to knowledge development and adheres to ethical standards.
- Further processing for research purposes is clarified as compatible with the original purpose, without an additional assessment under Article 6(4) GDPR.
- The information obligation may be relaxed in certain research situations where it is impossible or would require a disproportionate effort to inform each individual.
3. Special categories, biometric data and AI
- New exemptions are proposed for:
- biometric verification (for example, facial or fingerprint identification) where the data or tools are under the data subject’s own control
- the handling of “residual data” – sensitive data that happens to be included in AI training, under strict technical and organisational safeguards
- A new Article 88c would clarify that AI systems and AI models may rely on the legal basis of legitimate interests, provided data minimisation, transparency and an unconditional right to object are ensured, and provided other laws do not require consent.
4. Rights and transparency obligations
- The information obligation may be reduced in “low-risk” situations (for example, a tradesperson who processes a customer’s name and contact details only to communicate with that customer) where:
- the relationship with the data subject is clear and limited,
- the activity is not particularly data-intensive, and
- there are reasonable grounds to assume the data subject already has basic information about the processing.
- The ability to refuse or charge for manifestly abusive or excessively broad exercises of rights under the GDPR (particularly access under Article 15) is narrowed; abuse could, for example, involve using the right for purposes other than the protection of one’s personal data.
5. Automated decisions and profiling
- The rules on automated decision-making (Article 22) are reframed to state that such decisions are permitted when certain conditions are met.
- “Necessary for entering into or performance of a contract” should not be interpreted so strictly that the decision must be taken solely by automated means.
6. Personal data breaches
- The notification duty to the Data Protection Authority is limited to incidents that are likely to result in a high risk to the rights and freedoms of data subjects (the current wording is “unless unlikely”).
- The notification deadline is extended from 72 to 96 hours.
- An EU-wide single entry point is introduced for reporting, together with a harmonised template and a list of situations likely to involve high risk, prepared by the EDPB.
7. DPIAs (impact assessments)
- The EDPB would be tasked with developing:
- an EU-wide list of processing operations requiring a DPIA,
- a list of processing operations not requiring a DPIA, and
- a common DPIA template and methodology.
- The Commission would adopt these as binding via implementing acts and they would be updated at least every three years.
8. Cookies, trackers and machine-readable preferences
- The GDPR would gain a new article on the storage of and access to personal data in terminal equipment (for example, cookies and app identifiers). In practice, this would move large parts of today’s e-privacy rules into the GDPR.
- Consent would be the default rule, with proposed exemptions including, for example:
- strictly necessary cookies,
- services expressly requested by the user,
- certain first-party reach and audience measurement, and
- security and fault diagnosis.
- Users should be able to say “no” via a simple single-click solution, and if the user refuses consent, the same request may not be repeated for the same purpose within six months.
- A new Article 88b GDPR is proposed requiring online services, over time, to read and respect standardised, machine-readable consent or opt-out preferences (for example from browsers); providers of browsers (not small businesses) would be required to build in such functions.
Changes of particular relevance for businesses in Europe
The proposal applies across the EU and will have clear practical implications for businesses operating in Europe.
Reduced notification burden for personal data breaches
The Data Protection Agency today receives many notifications about relatively limited incidents. With the requirement for likely high risk to trigger notification, and with EU-wide guidelines on what constitutes high risk, a large share of today’s “long tail” of breach notifications should fall away. This may lead to:
- less administrative burden for both private and public organisations, and
- greater focus on the serious incidents – both internally and by the Data Protection Agency.
Public sector, automated decisions and AI
Public authorities already use automated decisions in areas ranging from taxation to social security. The clarifications around automated decision-making in Article 22, together with new rules for AI development, are therefore highly practical:
- it will be clearer that automated decisions are permitted where the conditions are satisfied,
- the organisation must be able to justify that the chosen solution is necessary for the purpose, and
- AI training with personal data may rely on legitimate interests, but must then be surrounded by strong safeguards – particularly where sensitive data may be included.
Research-intensive environments – universities, healthcare and life sciences
Europe has many actors carrying out data-driven research, not least in healthcare and life sciences. Three points are particularly important:
- a clearer definition of scientific research and recognition that commercial interests do not exclude a research purpose,
- clarification that further processing for research is compatible with the original purpose,
- the possibility of relief from the information obligation where full individual information would make research practically impossible.
At the same time, requirements tighten on documentation, risk assessments and technical safeguards for sensitive data.
Websites, media and e-commerce
The proposed integration of cookie rules into the GDPR, together with requirements for a simple “no thanks” solution and respect for machine-readable consents, will affect, for example:
- media companies and advertising-funded services,
- e-commerce operators and member portals, and
- SaaS providers with web-based interfaces.
In the short term, work will be required to adjust banners, technical solutions and documentation. Over the longer term, it may reduce the tendency for users to “click any button to dismiss the banner” if browsers and standardised signals take over part of the job.
Practical impact on your organisation
For those responsible for data protection, the question is: What do we need to do differently if the proposal becomes reality?
Controllers and senior management
- Review how you define personal data in practice – particularly in data sharing and analytics projects. Is the person truly identifiable for you by reasonable means?
- Plan to update internal policies for:
- personal data breaches (new threshold, new deadline, new reporting channel),
- the DPIA process (forthcoming EU-wide list and template), and
- the handling of AI projects and automated decision-making – both as a legal basis and as a risk issue.
- Prepare a transition plan: identify which processing activities are likely to be most affected (cookies, AI, research, breaches, DSAR handling).
Data Protection Officer (DPO)
- Develop concise guides on:
- when the information obligation can be simplified for low-risk processing,
- how abuse of rights should be documented if you need to refuse a request, and
- how AI projects and automated decisions should be assessed and monitored.
- Prepare the organisation for more standardised DPIA work – both positive (less room for interpretation) and challenging (less flexibility).
- Strengthen collaboration with IT, development and information security on incident handling, pseudonymisation and logging.
Developers and IT
- Expect that:
- pseudonymisation and anonymisation will gain importance, including assessing when recipients can no longer identify individuals by reasonable means,
- AI pipelines must be designed to avoid sensitive data and to detect and protect any “residual data”, and
- systems will need to read and respect machine-readable consent and opt-out settings from browsers and other clients.
- Ensure logging, detection of incidents and incident response align with the new deadlines and risk thresholds.
Marketing, product owners and web managers
- Plan for:
- redesign of cookie banners so consent is obtained clearly and refusal is possible with one click,
- managing the six-month rule not to repeat the same consent request after a refusal, and
- a shift from manual consent choices to more automated, browser-based or other standardised settings.
- Review which analytics and marketing tools are used and whether they can be adapted to the new rules.
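As an added illustration (not code from the proposal, the page or Morling Consulting), the following Python sketch turns the cookie rules from section 8 and this section into gating logic: exempt purposes proceed without a prompt, a machine-readable opt-out from the client is honoured without prompting, and a recorded refusal suppresses the same request for the same purpose for six months. The shape of the client signal (a parsed mapping of purpose to preference) and the conversion of six months to 183 days are assumptions, since the proposal does not define either.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

# Purposes the proposal lists as exempt from the consent requirement.
EXEMPT_PURPOSES = {
    "strictly_necessary",        # strictly necessary cookies
    "requested_service",         # service expressly requested by the user
    "first_party_measurement",   # certain first-party reach/audience measurement
    "security_diagnostics",      # security and fault diagnosis
}

# "Six months" approximated as 183 days (assumption; the proposal gives no day count).
REFUSAL_COOLDOWN = timedelta(days=183)


class Decision(Enum):
    ALLOW = "allow"  # storage/access may proceed without a prompt
    DENY = "deny"    # no storage/access, and no new prompt for this purpose
    ASK = "ask"      # show a consent request with a one-click refusal


@dataclass
class ConsentState:
    """Per-user state: explicit consents and the time of the last refusal per purpose."""
    consents: set = field(default_factory=set)
    refusals: dict = field(default_factory=dict)

    def record_consent(self, purpose: str) -> None:
        self.consents.add(purpose)

    def record_refusal(self, purpose: str, at: datetime) -> None:
        self.refusals[purpose] = at


def decide(purpose: str, state: ConsentState, signals: dict, now: datetime) -> Decision:
    """signals: parsed machine-readable preferences, e.g. {"ad_targeting": "opt_out"}
    (format is an assumption; the proposal only requires that such signals be respected)."""
    if purpose in EXEMPT_PURPOSES or purpose in state.consents:
        return Decision.ALLOW
    if signals.get(purpose) == "opt_out":
        return Decision.DENY          # respect the client's opt-out; do not re-prompt
    last_refusal = state.refusals.get(purpose)
    if last_refusal is not None and now - last_refusal < REFUSAL_COOLDOWN:
        return Decision.DENY          # six-month bar on repeating the same request
    return Decision.ASK
```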
A simple checklist pending the legislative process
- Identify your most affected areas: AI, research, cookies, breaches, automated decisions.
- Set an internal monitoring point: who follows the development of Digital Omnibus and upcoming EDPB templates?
- Inventory where you currently have:
- many breach notifications,
- many rights requests (particularly access), or
- a high dependency on cookies/trackers for the business model.
- Start a dialogue between legal, IT, security, marketing and the business so that technical and organisational changes can be planned in good time.
Morling Consulting’s expertise on GDPR changes
Digital Omnibus remains a proposal and both wording and interpretation may change during the legislative process. For many organisations it is not enough to “wait and see” – it is about understanding which areas are most exposed and building flexibility into governance, contracts and systems.
At Morling Consulting, our GDPR specialists can help organisations to:
- map which parts of your personal data processing are particularly affected by the proposed changes,
- update governance documents, records and processes for breach handling, DPIAs and rights,
- support AI, research and development projects with structured legal analysis and practical recommendations, and
- develop sustainable solutions for cookies, trackers and consent management in close collaboration between legal, technology and the business model.
By working proactively with the changes signposted by the Digital Omnibus proposal, organisations operating in Europe can both reduce risks and make use of the simplifications the proposal opens up – without compromising robust data protection.
12 December 2025