The newly published Digital Omnibus Package from the EU Commission is perhaps surprising in how clearly it reflects the influence of AI and other technologies such as biometrics. Some might argue that this results in a more commercial approach, reflecting the reality of data processing in the 21st Century. Others will likely be concerned about the possible erosion of fundamental rights and freedoms.
For those of you short on time, the TL;DR of the GDPR amendment proposals is below:
Definition of Personal Data: amendment to the definition of personal data to clarify that pseudonymised data in the hands of an entity that can't re-identify the individual is not personal data.
Abuse of DSARs: a right for entities to refuse to respond to a data subject access request where the individual is abusing the right of access for a purpose other than concern about data processing.
Streamlining data breach notifications: several changes to the data breach notification regime, including raising the threshold for regulatory authority notifications; extending the deadline to 96 hours; creating a single notification regime to avoid multiple notifications to multiple regulators; and developing a single template notification form for use across the EU.
Processing conditions for special category data: introduction of two new processing conditions to enable the processing of special category personal data: (i) processing in the context of the development and operation of an AI system (subject to some fairly strict parameters); and (ii) processing of biometric data where necessary for identity verification and provided that the biometric data is under the sole control of the data subject.
Recognised legitimate interests for training AI: confirmation that the processing of personal data for training and operating AI systems can be considered a 'legitimate interest' for the purposes of Article 6 GDPR.
Cookie consent: no consent required for analytics cookies creating aggregated information about the usage of an online service to measure the audience, provided that the analytics are carried out by the controller of the online service and for its own use.
For those of you with a little more time and/or inclination, the rest of this article delves into a bit more detail and commentary regarding the proposals:
Definition of personal data
Perhaps the first and most fundamental change proposed by the Omnibus Package is an amendment to the definition of Personal Data under Article 4 of the EU GDPR. This of course goes to the very heart of when the legislation applies because data that is not personal data is not subject to the GDPR.
The proposed amendment to the definition is arguably a clarification point, and it supports the CJEU's recent judgment in the case of EDPS v. SRB (see our summary of that judgment on the HSF Kramer data blog here) with respect to pseudonymised data.
The proposed clarification provides that "information relating to a natural person is not necessarily personal data for every other person or entity, merely because another entity can identify that natural person. Information shall not be personal for a given entity where that entity cannot identify the natural person to whom the information relates, taking into account the means reasonably likely to be used by that entity. Such information does not become personal for that entity merely because a potential subsequent recipient has means reasonably likely to be used to identify the natural person to whom the information relates."
For those of us based in the UK, this amendment would bring the European position more into line with the position already adopted in the UK, where the ICO has previously confirmed in its regulatory guidance that the status of data which undergoes anonymisation or pseudonymisation techniques will depend on the context and on the respective 'hands' of those who process it. Pseudonymised data held by organisations which have the means and additional information to 'decode' it, and therefore re-identify data subjects, will be classified as personal data; pseudonymised data held by organisations without such means or additional information will not be personal data, as it is 'effectively anonymised'.
However, the position goes against the fairly recently published (January 2025) EDPB guidance on pseudonymised data, which states that pseudonymised data will always be considered personal data. The proposed amendment to the definition may therefore meet with some resistance on its journey through the legislative process. However, in the opinion of the author only, it is a clarification that makes sense and arguably prevents legislative overreach from applying GDPR obligations in situations where a company cannot identify any individuals from the data it is processing.
Data breach notifications
Arguably another win for common sense lies in the proposed amendments to data breach notification obligations.
Perhaps a reflection of breach notification fatigue across the EU, personal data breaches would now only need to be notified if they present a high risk to individuals. This is the same threshold as currently applies to notification to individual data subjects, but a step-up from the current threshold for notification to regulators, which must be done unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
Companies would also get an extra 24 hours to make their notifications, taking the deadline to 96 hours instead of 72 hours.
In recognition of the current obligations on companies to report cyber security incidents under multiple legislative regimes (including the EU GDPR, the NIS2 Directive and DORA), the Omnibus Package also proposes developing a "single-entry point" for notifications under the NIS2 Directive. GDPR breach notifications would be made to this single-entry point, avoiding the need for multiple notifications to be made, including in cross-border processing breach scenarios.
In a further attempt at coordination and harmonisation, the EDPB is also being tasked with preparing a proposal for a common notification template, which could (depending on the resultant form of the template) come as a welcome relief for companies that have previously had to navigate multiple different regulator notification forms and formats.
If these proposed amendments make it through then the EU would have a more "relaxed" notification regime than the UK and so it will be interesting to see what, if anything, the UK then does about its own breach notification requirements.
DSARs
When reform of the GDPR was first proposed in the UK, the original draft bill amended the provisions for data subject access requests to allow controllers to refuse "vexatious" requests, potentially as a result of the perceived abuse of DSARs for reasons other than genuine concern regarding data processing. Those amendments didn't make it through to the final text of the Data Use and Access Act 2025 and were criticised at the time as an attempt to fetter the fundamental rights of data subjects.
The Omnibus Package is however proposing something similar for Europe. The package proposes amendments to Article 12 GDPR to enable controllers to either charge a reasonable fee or alternatively outright refuse a request where the data subject "abuses the rights conferred by [the GDPR] for purposes other than the protection of their data".
There is obviously a lot of scope for interpretation of what is intended by the phrase "abuses the rights", and the burden of proof rests with the controller. Nonetheless, this amendment will undoubtedly be welcomed by controllers who have experienced the significant time and resource required to respond to data subject access requests where the purpose behind the request appears to be something other than concern about data processing, for example a fishing expedition or an attempt to obtain early disclosure in a litigation context. However, it will be interesting to see the extent to which there is any resistance to this particular proposal given its potential impact on one of the fundamental rights of data subjects.
AI and biometric data
The influence of AI is definitely felt throughout the drafting of the Omnibus Package. In particular, the proposals include a new Article 88c GDPR which appears to recognise the training/development and operation of AI systems as a 'legitimate interest' for the purposes of Article 6 GDPR. This could be compared to the new 'recognised legitimate interests' in the UK introduced by the Data Use and Access Act 2025, although these were generally limited to processing necessary for national security or crime prevention and the like.
In addition, and perhaps adjacent to the influence of AI in modern day business, is the increase in the processing of biometric data. Such processing has become much more commonplace since the GDPR came into force in 2018, when biometric data was introduced as a type of special category personal data requiring greater protection.
The Omnibus Package reflects this increased use of biometric data and introduces a new lawful basis for processing special category personal data, and specifically biometric data, at Article 9 GDPR. The proposed new condition permits the processing of biometric data where "necessary for the purpose of confirming the identity of a data subject (verification), provided that the biometric data or the means needed for the verification is under the sole control of the data subject". The qualification here presumably means that the biometric data would need to remain on, for example, a user's device but it does nonetheless open the door for commonplace biometric identity verification.
Cookie consents
The use of cookies and similar technologies by controllers has been a source of significant enforcement activity across Europe. But alongside that, the use of cookie banners and alternative mechanisms for obtaining cookie consent has become a potential source of frustration and challenge to the user experience for many online services.
The Omnibus Package proposes to incorporate cookie consent rules into new Articles 88a and 88b of the GDPR. It further proposes relaxing the cookie consent rule for analytics cookies which create aggregated information about the usage of an online service to measure the audience, provided that the analytics are carried out by the controller of the online service for its own use.
The proposals also codify what is already regulatory guidance around cookie banners, making it clear that any cookie banner must include a single "reject all" type button, and confirming a six-month window during which controllers are not allowed to ask for cookie consent again, after an individual has declined to give their consent.
Although the proposals in the Omnibus Package are just that – proposals made by the EU Commission – they will now need to go through the normal legislative procedure and obtain agreement from the European Parliament and the Council before being adopted. There is no official timeline for this, and we know from experience that the process can take a long time (the GDPR took years to get to an agreed position). However, given the proposals relating to the EU AI Act, we can perhaps assume that there will be pressure to reach agreement before the high-risk requirements to which they relate begin to apply (i.e. August 2026). At the very least, given the clear influence of new technologies (i.e. AI) on the proposals, it would be preferable for the proposals to be agreed and come into effect before technology evolves to the point where different amendments are required.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.