18 November 2025

EU Digital Omnibus proposals to reform data and AI laws – the leaked version

To The Point

The EU is due to publish its “Digital Omnibus”, meaning its proposals to reform data and AI laws, on 19 November. However, information about the proposals has been leaked, causing concern for some privacy activists, but more positive reactions from AI developers and SaaS providers. Read our overview of what we know so far.

It has been rumoured for some time that the European Commission was proposing to amend the EU AI Act, either by “stopping the clock” on entry into force or enforcement, or by simplifying some of its provisions. In addition, the ePrivacy Directive was due to be replaced by a new regulation at the same time as the GDPR became law, but the EU institutions were unable to reach consensus on the changes.

Although transposition of some of the EU's new laws is still underway in the Member States, the Commission now proposes to pass a “Digital Omnibus” to reform these laws, but also to go further, reforming related EU legislation, including making significant changes to the GDPR. Leaked drafts of the proposals to reform the data and cyber laws (the GDPR, ePrivacy Directive, Data Act, Data Governance Act and the NIS2 Directive) and the EU AI Act have been published.

Some of the more significant proposals are as follows:

GDPR

  • Personal data: The definition of personal data will be amended to reflect recent case law of the EU Court of Justice. The relevant factor would be whether a specific entity can identify an individual, taking into account the means that entity is likely to use.
  • Special category data: Data will only be categorised as special category data if it directly reveals information about an individual's sensitive characteristics. This means that data from which sensitive characteristics can be inferred will not be special category data.
  • The proposal adds new conditions that permit the processing of special category data: 
    • development and operation of an AI system or model (subject to safeguards); and 
    • use of biometric data to prove identity under the user's sole control.
  • DSARs: The proposal extends the circumstances in which a controller may reject a data subject access request (DSAR) or charge a reasonable fee to where the data subject is exploiting their GDPR rights for purposes other than protecting their data.
  • Privacy notices: In certain limited situations where a controller collects data directly from a data subject, the controller will not be required to provide the individual with a privacy notice if there are reasonable grounds to believe that the individual already knows the controller's identity and the purpose of, and lawful basis for, the processing.
  • Automated decision making: Solely automated decisions which have a legal or similarly significant effect on an individual can be taken when necessary for entering into or performing a contract with the data subject, regardless of whether the decision could be taken otherwise than by solely automated means.
  • Breach reporting: Controllers will only be required to report to the DPA personal data breaches posing a high risk to data subjects. Reports must be made via a new platform (see the proposed NIS2 amendments below), and the reporting deadline is increased from 72 hours to 96 hours. The European Data Protection Board (EDPB) must prepare a reporting template.
  • DPIAs: The EDPB must develop lists setting out the processing operations for which data protection impact assessments (DPIAs) are required and not required, plus a template and methodology for conducting DPIAs.
  • Cookies: To avoid so-called “consent fatigue”, consent will not be required where cookies and similar technologies are used for aggregated audience measurement and security purposes. Note that the cookie rules are currently contained in the ePrivacy Directive, but the draft proposes inserting this amendment into the GDPR.
  • Training AI models: Legitimate interest can be used as the lawful basis to process personal data to train AI models.
  • Anonymisation and pseudonymisation: The draft proposal indicates that the Commission intends to introduce new rules about anonymisation and pseudonymisation techniques.

NIS2

  • Incident reporting: There will be a single platform for reporting incidents under the GDPR, NIS2, DORA and the Critical Entities Resilience Directive.

Data Act

  • Trade secrets: Data holders will not be required to disclose trade secrets if they can demonstrate that such disclosure poses a high risk of unlawful transfer to third countries with weaker protection compared to that under EU law.
  • Cloud switching requirements: There will be exemptions from the new cloud switching requirements for certain services and providers, which will be subject to lighter regimes:
    • data processing services that are custom-made to the customer’s needs or ecosystem; and
    • SMEs and small mid-cap sized providers of data processing services other than IaaS, where the contract was concluded on or before 12 September 2025.

Data Governance Act

  • This will be repealed, and the Data Act will be amended to add some of the Data Governance Act’s provisions.

EU AI Act 

  • The Commission is still considering whether to "stop the clock" on the Act’s entry into force or enforcement. 
  • Some aspects of the Act will be enforced by the EU AI Office rather than by national authorities.
  • There will be a grace period on the “watermarking” obligation for AI systems which have been placed on the market before those obligations became applicable.
  • The AI literacy obligation (which became applicable in February 2025) will move from the organisation itself to the EU and national authorities.
  • There will be expanded exemptions from the Act’s obligations for small mid-cap entities.

The changes set out in the draft proposal go further than expected and have provoked strong reactions from privacy activists. On 11 November noyb (Max Schrems’ privacy organisation), the Irish Council for Civil Liberties and European Digital Rights published a joint open letter to the European Commission expressing concern about the impact that these proposals would have on individuals’ privacy. On 13 November a coalition of 127 civil society organisations, trade unions and defenders of the public interest sent another open letter, urging the EU Commission to rethink its plans.

However, the changes would be welcome to many, as they would make some aspects of GDPR compliance less onerous, in particular the rules on using personal data to develop and operate AI models. In addition, the Data Act’s rules on cloud switching fees have caused serious concerns for SaaS providers, so the proposed relaxation of the rules for certain services will be welcome to relevant businesses.

We will update this article once the official proposals are published. 

Next steps

If you have any questions about how the proposed changes may affect your business, please contact a member of Addleshaw Goddard’s Data team.
