On 19 November 2025, the European Commission presented its Digital Omnibus project, which aims to simplify its legislation on data, cybersecurity, and artificial intelligence.
The project was initially presented as a simplification for the benefit of small and medium-sized enterprises, and there was talk here and there that it would lead to the removal of essential and burdensome obligations for SMEs, in particular the register of processing activities.
However, upon reading the text, one thing is clear: the promised simplification is not really apparent, while the proposed changes could create new complexities for data controllers.
Through its plan to simplify the GDPR, the European Commission is placing various topics at the center of the debate, nine of which are taken up and developed in its staff working document:
- a revision of the definition of personal data, which would be conditional on the existence of reasonable means of identification;
- clarification of the concepts of anonymization and pseudonymization, through the publication of implementing acts on the means and criteria for establishing the personal nature of pseudonymous data;
- further processing of personal data for scientific research purposes, which may be considered automatically compatible with the initial purpose pursued;
- possibilities of data processing for the purposes of developing and operating artificial intelligence (AI), by extending the legal basis of legitimate interest and creating an exemption from the prohibition on processing sensitive data;
- clarification of the limits of exercising the right of access, by classifying any request made for a purpose other than data protection as abusive;
- the outlines of the information obligation incumbent on data controllers, by rewriting the exemptions to the information obligation at the time of data collection;
- the rules on automated decision-making, with the removal of the right of data subjects not to be subject to such decisions;
- the establishment of a uniform threshold for notifying data breaches to the competent authorities and data subjects, making notification of any breach conditional on the existence of a high risk to the rights and freedoms of individuals; and
- clarification of the concept of high risk and whether or not to carry out data protection impact assessments (DPIA), through the publication of a model, a method, and a list of processing operations for which a DPIA is required or not.
- Personal data and pseudonymization. The Digital Omnibus clarifies the concepts of "personal data" and "identifiable person", taking into account the reasonable means likely to be used to directly or indirectly identify a natural person.
This addition aligns with the CJEU decision, EDPB v. SRB, of 4 September 2025, which places the means of re-identification at the heart of the concept of pseudonymization (see our articles Anonymization vs. Pseudonymization: what is the true status of coded data? and Pseudonymization: a legal lever under certain conditions), and introduces a subjective element into the classification of personal data.
This change could lead to an asymmetrical application of the text with regard to pseudonymized data, which will be considered personal or anonymous depending on the situation and the means of re-identification available to entities, and would place an additional burden on stakeholders to determine the application of the GDPR through case-by-case analyses.
However, data controllers would, in principle, be assisted in such analysis through the future adoption by the European Commission of implementing acts specifying the means and criteria for determining whether or not pseudonymized data constitutes personal data.
- Transparency and information obligation. The European Commission provides that the information obligation at the time of collection does not apply when the data has been collected in the context of a clear and limited relationship between the data subject and the data controller, for a non-intensive processing activity, and when there are reasonable grounds to believe that the data subject already has the information.
The Digital Omnibus also creates a new article for processing carried out for scientific research purposes and provides for an exemption from the information obligation where its implementation would prove impossible, involve a disproportionate effort, or render impossible or seriously impair the achievement of the objectives of the processing.
With regard to scientific research, the Digital Omnibus goes further by including a definition of the term and considering further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes to be compatible with the initial purpose.
- Right of access. The Digital Omnibus also impacts the scope of the right of access, by considering requests for access made for purposes other than data protection to be abusive.
These proposed amendments directly echo the debates on the scope of the right of access and its reconciliation with the gathering of evidence prior to any trial (see our articles Personal data and evidence in labor law: the French Supreme Court sharpens its position and Employees' right of access: lever or abuse?), but also, and above all, requests made for the sole purpose of obtaining damages under threat of legal action.
This would give data controllers greater latitude to refuse access requests, despite the concerns of some stakeholders who denounce restrictions that are detrimental to data subjects, for whom the right of access reflects equality in terms of information ownership.
- Disappearance of the right not to be subject to an automated decision. The Digital Omnibus now only explicitly targets cases in which a decision may be based solely on automated processing (necessary for the performance of a contract, authorized by appropriate legislation, based on the consent of the data subject).
- Artificial intelligence. Among the major changes proposed, the Digital Omnibus opens the doors of the GDPR to AI:
- by introducing, among the exemptions to the prohibition on processing sensitive data, processing carried out for the purposes of developing and operating an AI system or model; and
- by extending the legal basis of legitimate interest to the processing of personal data necessary for the interests of the controller in the context of developing and operating an AI system or model.
Stakeholders would benefit from a greater scope to process the personal data of their customers, users, employees, and other third parties in order to develop and improve their AI systems and models, provided that they satisfy the requirement of proportionality of such processing.
- Sensitive data. The Digital Omnibus also creates an exemption from the prohibition on processing biometric data when such processing is necessary to confirm the identity of a data subject and where such data or the means needed for the verification are under the sole control of the data subject.
- Cookies: consent is no longer required when processing is necessary to enable the transmission of electronic communications, provide a service explicitly requested by the data subject, create aggregated audience data on the use of an online service, or maintain and restore the security of a service.
- Personal data breaches. The Digital Omnibus increases the notification period to the competent authorities to 96 hours, instead of the current 72 hours, and announces that the European Commission will publish, within 9 months of the Digital Omnibus coming into force, a list of circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of individuals.
- DPIA. Similarly, the European Commission undertakes to publish a list of processing activities for which a DPIA is required or not, as well as a template and common methodology for conducting these analyses.
Thus, the main principles of personal data protection remain in place and the text would only provide clarifications, some of which have already been enacted by the CJEU, or exceptions that will require additional analyses by data controllers and processors.
Overall, the major contribution of this proposal is to take a clear step in favor of AI players to develop and operate their artificial intelligence systems and models with ultimately limited interference with personal data regulations.
Still at the proposal stage, the Digital Omnibus needs to be adopted by the European Parliament and the Council of the European Union before it can enter into force, and is currently open for public consultation until 11 March 2026.
Jeannie Mongouachon, partner and Juliette Lobstein, associate at Squair