The European Commission published a far-reaching set of proposed changes to existing data and AI legislation on 19 November 2025 as part of its Digital Omnibus, which seeks to simplify existing data privacy, cybersecurity, and AI rules, and boost innovation by requiring less time to be spent on compliance and administrative work.
The changes carry implications that will extend beyond EU borders, particularly for the United Kingdom, which has the UK GDPR (a retained and amended version of the EU GDPR) in force. The published proposals will need to be negotiated and agreed with the European Parliament and the Council of the EU. If the proposals are made law in the EU they will not take direct effect in the UK but the UK's data commissioner, the ICO, will doubtless consider changes made to the EU GDPR and whether similar changes will need to be made to the UK GDPR so that it does not end up being more prohibitive than the EU version.
The European Commission's staff working document notes that the Digital Omnibus could amount to EUR 5 billion in cost savings for businesses by 2029 and a further EUR 1 billion for public authorities. The Digital Omnibus has had a mixed reception – for example, the Lovelace Institute has commented: "If passed, the Omnibus will be the most significant and extraordinary reversal in digital rights in a generation, leaving the EU with worse personal data protection than, for instance, California in some respects."
Key Changes to the GDPR
The Digital Omnibus amendments to the GDPR focus primarily on streamlining compliance obligations and enhancing regulatory consistency. Notably, a change to the definition of personal data is proposed to clarify that where data is held and could be used to identify a person, it will only be classified as personal data where the holder of the data has a reasonably likely way to identify that person. This follows the recent case of EDPS v SRB, where the Court of Justice decided that pseudonymised data sent to a third party could amount to personal data for the sender but not for the recipient if it did not have the key to unlock the data.
The amendments also allow for personal data and special category data to be processed under the "legitimate interest" ground to develop and operate AI systems (with safeguards in place). The use of personal data to train AI is currently tricky as data subjects whose data is held by one controller will not expect their data to be provided to an AI system and used to train it.
Data controllers will be given the right to refuse subject access requests where they deem that the data subject is abusing the right to raise requests. Controllers will also not need to provide privacy notices to data subjects where the processing is low risk and it is reasonable to consider that the data subject knows the identity of the controller and the reason for processing.
Implications for the EU AI Act
The Digital Omnibus also refines the EU AI Act, which establishes a risk-based regulatory framework for artificial intelligence systems. The amendments clarify definitions of high-risk AI applications, adjust compliance timelines, and introduce more nuanced requirements for AI system documentation and transparency. Particular attention has been paid to ensuring coherence between AI regulation and existing data protection obligations, recognising that many AI systems rely heavily on personal data processing.
The revised framework maintains the Act's fundamental architecture—prohibiting certain AI practices outright, imposing strict requirements on high-risk systems, and establishing lighter-touch obligations for limited-risk applications—whilst providing greater regulatory certainty for businesses developing and deploying AI technologies.
Simplified cybersecurity reporting
Businesses must currently report cybersecurity incidents under several laws, including the NIS2 Directive, GDPR and the Digital Operational Resilience Act (DORA). The Digital Omnibus introduces a new single entry point where all incidents can be reported.
Cookie rules
The amendments will reduce the number of times cookie banners pop up and allow users to indicate consent with one click and to save their cookie preferences centrally in browsers.
Improved access to data
The package aims to open access to data as a key innovation driver. The proposal is to:
- Consolidate EU data rules through the Data Act and merge four pieces of legislation into one;
- Boost European AI companies by unlocking access to high-quality and fresh data sets for AI development and training; and
- Provide model contractual terms for data access and use, and standard contractual clauses for cloud computing contracts.
Data Union Strategy
The new Data Union Strategy outlines the provision of wider access to data, including data labs and a strategic approach to European data including guidelines to assess fair treatment of EU data abroad.
European Digital Wallet
This initiative is to design a single platform for businesses to simplify their interactions across the EU. Businesses using the platform will be able to digitally verify identities, sign documents, time stamp and exchange digital information across borders.
Impact on the United Kingdom
For the UK, these developments present both challenges and opportunities. Despite Brexit, the UK maintains adequacy decisions allowing personal data to flow freely from the EU, contingent upon maintaining essentially equivalent data protection standards. Significant divergence between EU and UK approaches could jeopardise this arrangement, potentially disrupting the operations of businesses relying on transatlantic data flows.
The UK government has signalled its intention to pursue a more "pro-innovation" regulatory approach, recently consulting on reforms to UK GDPR and developing its own AI regulatory framework based on principles rather than prescriptive rules. However, organisations operating across both jurisdictions will need to navigate potentially divergent requirements, increasing compliance complexity and costs.
Conclusion
The Digital Omnibus represents the EU's commitment to maintaining leadership in digital regulation whilst adapting to technological advancement. For the UK, these changes underscore the ongoing challenge of balancing regulatory independence with the practical realities of international commerce and the need to maintain close alignment with its largest trading partner.