GDPR under revision: Key takeaways from the Digital Omnibus Regulation proposal

On 19 November 2025, the European Commission published its Digital Omnibus Package (the "Package"), setting out proposed amendments to the EU's digital regulatory framework as part of a broader simplification and competitiveness initiative. Although the proposals will be refined through negotiations with the European Parliament and the Council of the EU, the Package – if adopted in its current form – would introduce significant changes to data protection rules, cookie and tracking requirements, cybersecurity obligations, and the EU AI Act.1

The Package is composed of two draft regulations: (i) a general "Digital Omnibus", which would amend a range of existing instruments, including the GDPR, the ePrivacy Directive, the NIS2 Directive and the Data Act;2 and (ii) a separate "Digital Omnibus on AI" focused on targeted adjustments to the EU AI Act.

In this article, we outline a number of the most significant changes proposed to the GDPR only.

Redefining “personal data”

The Package proposes two amendments to clarify the concept of "personal data" under the GDPR (references to the "Amended GDPR" relate to the GDPR as it would be amended under the proposals set out in the Package).

  • Definition of "personal data" (Art.4(1) Amended GDPR) – The definition of "personal data" under the Amended GDPR would be amended, effectively codifying the recent decision of the CJEU in SRB.3 The revised definition would clarify that information is not personal data for a given entity if that entity cannot identify the natural person to whom the information relates, taking into account "the means reasonably likely to be used" to achieve identification.
  • Pseudonymisation (new Art.41a Amended GDPR) – The Package also introduces the possibility that pseudonymised data may, in certain circumstances, no longer be considered personal data for certain entities. The details of such circumstances would be specified through implementing acts adopted by the Commission.

These changes could materially alter existing compliance positions by limiting the circumstances in which information qualifies as personal data, meaning that some data currently treated as personal data may no longer be within scope of the Amended GDPR. However, in line with the decision in SRB, it will continue to be necessary to distinguish precisely for whom and under what circumstances information constitutes personal data. In that decision, the CJEU determined that the controller's obligation to provide information to the data subject at the time of data collection exists regardless of whether, after subsequent pseudonymisation, the data constitutes personal data from the perspective of a potential recipient or not.

Artificial intelligence (“AI”)

Two additional proposals in the Amended GDPR address the processing of personal data when developing and deploying AI systems and models.

  • Processing for AI development (new Art.88c Amended GDPR) – The Package includes a new provision to clarify that controllers can rely on legitimate interests under Art. 6(1)(f) Amended GDPR to process personal data for the development and operation of an AI system. Such reliance would remain subject to the usual balancing test for legitimate interests, appropriate safeguards, and any EU or Member State laws that expressly require consent for the relevant processing.
  • Special category personal data ("SCD") and AI systems (Art.9(2) & new Art.9(5) Amended GDPR) – Taken together, the proposed amendments would allow residual processing of SCD in the context of developing and deploying AI systems and models, provided that the controller "effectively protect[s] without undue delay such data from being used to produce outputs, from being disclosed or otherwise made available to third parties". The proposed addition of Art.9(5) in the Amended GDPR also makes clear that, as a general rule, SCD should not be used for the development or operation of AI systems.

Together, these provisions aim to clarify the circumstances in which personal data (including SCD) may be processed for AI-related activities.

Key operational amendments

The Package also proposes to revise several practical data protection obligations, including data subject access requests ("DSARs"), personal data breach notifications, and data protection impact assessments ("DPIAs").

  • DSARs (Art.12(5) Amended GDPR) – The proposed amendment introduces a new ground for refusing (or charging a reasonable fee for responding to) a DSAR where "the data subject abuses the rights conferred by [the Amended GDPR] for purposes other than the protection of their data" (emphasis added). The scope of this exemption remains uncertain, including whether it could assist organisations in responding to a DSAR submitted in litigation, where the purpose of the DSAR appears to be to obtain information for use in that litigation.
  • Personal data breach notifications (Art.33 Amended GDPR) – The proposed amendment would: (i) raise the threshold for notifying data protection supervisory authorities ("SAs") regarding personal data breaches, aligning the threshold in the Amended GDPR with the threshold for notifying data subjects (i.e., only where a breach "is likely to result in a high risk to the rights and freedoms of natural persons"); (ii) extend the deadline for notifying SAs from 72 to 96 hours; and (iii) introduce a single-entry point for incident reporting (once established), which would also act as the single-entry point for various other related notifications (e.g., under NIS2 / DORA).4 In addition, the European Data Protection Board ("EDPB") would be mandated to prepare a common notification template and a list of circumstances in which a breach is likely to result in a high risk to an individual's rights and freedoms, with both instruments subject to review at least every three years and updates where necessary.
  • DPIAs (Art.35 Amended GDPR) – The proposed amendment would harmonise DPIA requirements across the EU through EU-wide guidance. Under this approach, the EDPB would compile unified lists of processing activities that do or do not require a DPIA, and create a standard DPIA template and methodology. Once approved by the Commission, these EU-wide lists would supersede national lists, ensuring that organisations face the same DPIA triggers across all Member States. Any national lists already published by SAs would continue to apply until the Commission adopts the relevant implementing act.

Collectively, the proposals seek to harmonise and simplify day-to-day data protection compliance, standardising expectations across Member States while refining when and how organisations must respond to DSARs, data breaches and high-risk processing.

Conclusion

The Package is at the proposal stage and will face rounds of revisions in the legislative process. Current expectations suggest a realistic timeline for adoption would be around mid-2027, although earlier agreement is possible if negotiations proceed smoothly.

Notwithstanding the further revisions that may yet be made, the Package signals a meaningful shift in the Commission's approach to digital regulation. Organisations should therefore continue to track developments closely, monitor how the final text takes shape, and be ready to assess any opportunities or operational adjustments as the legislative process advances.

Emily Digby, a Trainee Solicitor at White & Case, assisted in the development of this publication.

1 Regulation (EU) 2024/1689 (the "EU AI Act").
2 Regulation (EU) 2016/679 (the "GDPR"), Directive 2002/58/EC (the "ePrivacy Directive"), Directive 2022/2555 (the "NIS2 Directive") and Regulation (EU) 2023/2854 (the "Data Act").
3 Case C-413/23 P.
4 Regulation (EU) 2022/2554 ("DORA").

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2025 White & Case LLP
