Digital Omnibus: the major European reform between simplification, innovation, and new challenges for privacy

The Digital Omnibus represents one of the most ambitious initiatives to overhaul the European digital regulatory framework. It is a coordinated package of legislative proposals aimed at streamlining the regulatory ecosystem by reducing overlaps, clarifying scopes of application, and enhancing consistency across disciplines that have become central to data governance: from the GDPR to the AI Act, from NIS2 to the Data Act, up to the ePrivacy legislation.

Below is an overview of the main cross-cutting innovations proposed by the Digital Omnibus, with impacts across the entire European digital regulatory landscape.

Redefinition of the Concept of “Personal Data”

One of the most significant changes concerns the proposed revision of Article 4(1) of the GDPR, which seeks to redefine the concept of “personal data”. Under the new formulation, information would be considered personal data only when the data controller is actually able to identify the data subject, taking into account reasonably available means.

This criterion, aligned with CJEU case law, aims to make the GDPR’s scope more proportionate but raises questions about the potential narrowing of protections for data subjects.

New Exceptions to the Prohibition on Special Category Data

According to the proposed regulation, the Digital Omnibus introduces two additional exceptions to the general prohibition on processing special category data:

  • For the development and training of AI systems, provided that strict measures are adopted, including data minimization, pseudonymization, and removal of unnecessary data.
  • For the processing of biometric data for authentication purposes, allowed under limited and secure circumstances, provided that technical and organizational measures are implemented to prevent any other use and protect data from unauthorized access.

Online Tracking: Toward a More Streamlined Regime

Regarding tracking technologies, the reform proposes a clearer distinction:

Data collected via tracking technologies (e.g., cookies) would be permitted without explicit consent only for technical purposes, security, service delivery requested by the user, or internal statistics.

Consent would remain mandatory for profiling and marketing activities, with controllers required to respect user choices for at least six months, avoiding repeated consent requests.

Strengthening the “Legitimate Interest”

The Digital Omnibus proposes to strengthen legitimate interest as a legal basis for data processing, particularly for AI development and training, provided that adequate technical and organizational measures—such as pseudonymization and minimization—are implemented, and transparency toward data subjects is ensured.

Simplifications on Data Breach Notification and European Single Point of Contact

Another pillar of the Digital Omnibus is the rationalization of notification obligations under European law:

Establishment of a single access point for reporting incidents and breaches, managed by the European Union Agency for Cybersecurity (ENISA), to avoid multiple notifications to different national authorities.

Data breach notifications could be submitted within a longer period of 96 hours (currently 72 hours).

The EDPB (European Data Protection Board) would provide standardized templates and checklists for notifications and impact assessments, which the European Commission would adopt to ensure harmonization and simplification.

Data Act as the “Backbone” of the New Regulatory Framework

The Digital Omnibus strengthens the role of the Data Act, expanding it and coordinating it with other European data regulations. In particular, the proposal foresees the integration into the Data Act of provisions currently contained in:

  • Data Governance Act
  • Free Flow of Non-Personal Data Regulation
  • Open Data Directive

The objective is to establish a single, coherent framework for data access, sharing, and reuse across the EU.

Conclusions

The Digital Omnibus represents the most ambitious attempt by the European Union to streamline and modernize its digital regulatory ecosystem since the adoption of the GDPR.

However, key debates have highlighted critical issues and questions regarding the robustness of privacy safeguards and fundamental rights. The legislative process is still ongoing, and in the coming months the discussion will move to the European Parliament and the Council of the EU.

For companies, professionals, and users, it will be essential to closely monitor the evolution of the Digital Omnibus, preparing to seize the opportunities offered by the reform while carefully managing the new risks and responsibilities it will entail.