11-27-2025 Article

Digital Omnibus: What changes in data protection (GDPR) can be expected?

Update Data Protection No. 223

With its proposal for a "Digital Omnibus," the European Commission is intervening directly in the regulatory framework of the GDPR for the first time (we reported on this in Data Protection Update No. 219 and No. 221). The aim is to clarify selected provisions, adapt them to related legislation such as the Data Act and the AI Act, and at the same time reduce the implementation burden on companies. Of particular significance are changes to the central concepts of the regulation and new opening clauses for the training of AI systems. These interventions fundamentally affect the practical application of the GDPR and raise questions about scope, compatibility, and possible effects on the existing level of data protection. The following article analyzes the planned adjustments in detail and highlights the resulting implementation requirements for controllers and processors.

I. Background: The EU Commission's Digital Omnibus

The Digital Omnibus is the EU Commission's response to the growing complexity of European digital law. In recent years, a series of new regulations have come into force that are closely related in terms of content but often use different terms, procedures, and deadlines. For companies and public authorities, this leads in practice to double checks, parallel reporting obligations, and uncertainties at the interfaces between the Data Act, AI Act, GDPR, ePrivacy, and cybersecurity law.

To reduce these inconsistencies, the Commission launched a simplification process in the summer of 2025 and sought feedback from administrations, businesses, and associations. Based on this, initial drafts for a "Digital Omnibus" have now been presented. The aim is to better harmonize existing regulations, standardize terminology, and remove unnecessary overlaps. This also includes selective adjustments to the GDPR, which are intended to clarify the interaction with AI and data regulation and simplify certain processes.

II. Planned changes to the GDPR through the Omnibus

1. Definition of "personal data" pursuant to Art. 4 No. 1 GDPR

The Digital Omnibus clarifies for the first time the term "personal data", the central point of reference of the GDPR. The proposed addition to Art. 4 No. 1 states that pseudonymized data is not personal data for the recipient merely because the controller can relate it to a person. In future, the decisive factor will be whether the specific entity holding the data has means at its disposal that are "reasonably likely" to be used for identification.

Although this wording is in line with ECJ case law, it clearly shifts the standard towards a narrower, addressee-related approach. Recital 25 expressly states that additional information held by third parties does not automatically make the data personal data for all parties involved. In practice, this significantly strengthens pseudonymized and context-dependent "low-identification" processing: anyone who has no realistic possibility of re-identification is, as a rule, no longer covered by the GDPR. Even the risk of a subsequent transfer to an entity that does hold the relevant additional information does not change this for the original processor. The Commission refers to the ECJ line according to which an identification risk is not "reasonably likely" if identification would be practically meaningless or would require disproportionate effort.

In addition, a new Article 41a GDPR is to oblige the Commission to define technical standards that exclude the restoration of personal references as far as possible. In practical terms, this considerably widens the scope for entities processing data. The same file may in future be personal data for Company A while being non-personal information for Company B, which lacks the technical or organizational means of identification. For AI providers, cloud service providers, and data intermediaries in particular, this means a noticeable expansion of processing zones that are exempt from data protection law. Whether an entity "lacks the means" is a factual question, however: a recipient's means include candidate identifiers it can obtain elsewhere and the computing effort needed to test them, so the pseudonymization technique itself determines how convincing the classification is.
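The following Python example is added here to make the recipient-related test concrete; it is not from the article or the Commission's proposal, and the Art. 41a standards it alludes to have not been defined yet. All names and records are constructed. It contrasts two ways a controller ("Company A") might pseudonymize e-mail addresses before passing a dataset to a recipient ("Company B"): an unkeyed SHA-256 hash, which any recipient with a plausible candidate list can reverse by recomputing and matching, and an HMAC-SHA256 whose key never leaves the controller. Only in the second case does the recipient realistically lack "means of identification", while the controller, holding the key, can still relink every record.

```python
"""Added example (not part of the original article): keyed vs. unkeyed
pseudonymisation and a recipient-side re-identification check.
All data and party names below are constructed for illustration."""
import hashlib
import hmac
import secrets

# Constructed: the controller's ("Company A") customer table.
CONTROLLER_RECORDS = [
    {"email": "anna@example.org", "plan": "pro", "spend_eur": 120},
    {"email": "ben@example.org", "plan": "free", "spend_eur": 0},
    {"email": "chloe@example.org", "plan": "pro", "spend_eur": 340},
]

# Constructed: addresses a recipient ("Company B") could plausibly obtain
# elsewhere (scraped, bought, or already in its own systems). Two of the
# three customers appear in it; one entry is a stranger.
RECIPIENT_CANDIDATE_LIST = [
    "anna@example.org",
    "ben@example.org",
    "dave@example.net",
]


def unkeyed_token(identifier: str) -> str:
    """Plain SHA-256 of the identifier. No secret is involved, so anyone who
    can guess or list the input can recompute the token and match it."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_token(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret held only by the controller. Without the
    key, a recipient cannot recompute tokens from candidate identifiers."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def export_for_recipient(records, token_fn):
    """What the controller ships: the direct identifier is replaced by a
    token, the remaining attributes are passed through unchanged."""
    return [
        {"token": token_fn(r["email"]), "plan": r["plan"], "spend_eur": r["spend_eur"]}
        for r in records
    ]


def dictionary_attack(export, candidates, token_fn):
    """Recipient-side re-identification attempt: compute token_fn over a
    candidate list and look for matches. Returns {token: identifier} for
    every hit. A recipient without the HMAC key can only run the unkeyed
    function, which never matches a keyed token."""
    lookup = {token_fn(c): c for c in candidates}
    return {row["token"]: lookup[row["token"]] for row in export if row["token"] in lookup}


def controller_relink(export, records, key):
    """Controller side: with the key the tokens are personal data again."""
    by_token = {keyed_token(r["email"], key): r["email"] for r in records}
    return {row["token"]: by_token.get(row["token"]) for row in export}


def run_demo():
    key = secrets.token_bytes(32)  # stays with the controller; never exported

    unkeyed_export = export_for_recipient(CONTROLLER_RECORDS, unkeyed_token)
    keyed_export = export_for_recipient(
        CONTROLLER_RECORDS, lambda e: keyed_token(e, key)
    )

    hits_unkeyed = dictionary_attack(unkeyed_export, RECIPIENT_CANDIDATE_LIST, unkeyed_token)
    hits_keyed = dictionary_attack(keyed_export, RECIPIENT_CANDIDATE_LIST, unkeyed_token)
    relinked = controller_relink(keyed_export, CONTROLLER_RECORDS, key)

    return {
        # Recipient recovers every customer present in its candidate list.
        "recipient_reidentified_unkeyed": sorted(hits_unkeyed.values()),
        # Recipient recovers nothing: it has no key to recompute tokens.
        "recipient_reidentified_keyed": sorted(hits_keyed.values()),
        # Controller still links all three records to a person.
        "controller_relinked_keyed": sorted(v for v in relinked.values() if v),
    }


if __name__ == "__main__":
    for label, value in run_demo().items():
        print(f"{label}: {value}")
```

The point for an identifiability assessment is that the recipient's "means" are not limited to what the controller hands over: a candidate list plus cheap recomputation is enough to defeat an unkeyed hash, and the smaller the identifier space (customer numbers, dates of birth, national ID formats), the more complete the enumeration. A keyed scheme shifts the question to key custody, which is something a supervisory authority can actually verify.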

2. Legitimate interest as a basis for AI training (Art. 6(1)(f) GDPR)

In recitals 27 and 28, the Commission clarifies that the training, testing, and validation of AI systems and models using personal data, including large generative models such as LLMs, can in principle be based on legitimate interest under Art. 6(1)(f) GDPR. The Commission emphasizes that AI systems regularly rely on large amounts of data in all phases of their life cycle and that such training often brings societal benefits, such as bias detection, increased security, or improved accessibility. This establishes a legal basis that providers can systematically invoke in future without having to rely on consent. The familiar three-step test of Art. 6(1)(f) (legitimate interest, necessity, balancing) remains unaffected: the balancing of interests must still be carried out and documented, and all principles of the GDPR continue to apply. The draft does, however, tighten the requirements for that balancing. Controllers must in particular consider whether AI training benefits data subjects or the general public, whether the processing meets their reasonable expectations, and what specific safeguards are in place against risks such as data leaks, regurgitation, or unintentionally memorized content. The Commission explicitly mentions measures such as increased transparency, data minimization, an unconditional right to object, and respect for technical signals by which data holders indicate that their data is not to be used for training.

3. New opening for special categories in the AI context (Art. 9(2)(k) and (5))

In addition to the general legal basis under Art. 6, the draft also expands the possibilities for processing special categories of personal data in connection with AI. The newly inserted Art. 9(2)(k) permits the processing of residual sensitive data in the training, testing, or operation of AI systems, provided that the controller takes effective technical and organizational measures to avoid the collection and processing of such data as far as possible (Art. 9(5)). This opening is deliberately narrow: it applies only where sensitive data is not processed intentionally but represents an unavoidable residue that cannot be completely excluded even with high quality assurance standards. Article 9(5) requires controllers to actively identify and remove such data as soon as it is discovered. Only if removal would require disproportionate effort, for example because removing it from an already trained model would necessitate complete retraining, may removal be waived in exceptional cases. In that case, however, the data must be protected so that it cannot be used to generate model outputs, disclosed, or otherwise made accessible. The corresponding recital 29 shows that the Commission recognizes the technical reality of modern AI systems: even with strong pre-filtering, remnants of sensitive data may remain in the training material or be retained in the model itself. At the same time, the draft emphasizes that this exception is strictly limited to cases where the sensitive data is not necessary for the purpose. As soon as special categories are to be used deliberately for AI training, for example to detect bias or improve representativeness, the classic exceptions in Art. 9(2)(a) to (j) GDPR continue to apply.

4. Further GDPR amendments (brief overview)

In addition to these core areas, the Omnibus proposal makes several other clarifying adjustments. The definition of health data is narrowed to cases in which the health status is directly apparent from the data, so that mere inferences or probabilities no longer automatically fall under Article 9. The rules on reporting personal data breaches are also to be harmonized: the notification obligation is to apply only where the breach is likely to result in a high risk, the deadline is to be extended to 96 hours, and multiple reports under the GDPR, NIS2, and DORA are to be replaced by a common reporting procedure. Finally, several provisions are to be aligned terminologically with existing digital legislation, in particular the AI Act and technical definitions from the DMA and eIDAS.

III. Criticism and unresolved legal issues

The proposed amendments to the GDPR have met with mixed reactions in politics, business, and data protection practice. While the Commission presents the adjustments as technical clarifications, many observers view them as substantive shifts that raise practical and doctrinal questions. One focus of criticism is the new interpretation of personal reference. The more context-dependent provision, under which data is personal for an entity only if that entity itself has realistic means of identification, is generally regarded by experts as a consistent further development of ECJ case law; at the same time, there is concern that it will noticeably narrow the scope of the GDPR in practice. Particularly in complex data ecosystems, cloud infrastructures, or service-based AI models, the question arises whether controllers will in future be able to argue too easily that they have no means of identification at their disposal, and whether supervisory authorities will be able to verify the plausibility of such claims at all.

The proposed justification of AI training on the basis of legitimate interest is also the subject of controversy. Although the basic mechanism of balancing interests remains formally unaffected, the new recitals effectively legitimize broad training and testing procedures that previously often required consent or complex anonymizing preprocessing. The question of whether an AI provider's general interest in innovation can regularly suffice to justify the processing of extensive data sets is still legally unclear. Open issues also concern the relationship to purpose limitation, the requirement of expectation congruence, and the practical feasibility of an "unconditional right of objection," which is currently only technically feasible to a limited extent in the context of large models.

The new exception in Art. 9 (2) (k) for unavoidable inclusions of special categories in AI training is particularly sensitive. While the recitals emphasize that the opening is narrow and only intended for residual data, the supervisory authorities question how actual avoidability can be verified. Models can "absorb" sensitive information in a variety of ways, and the technical possibilities for removing such content are currently limited. There is also controversy over how to draw the line between "disproportionate effort" and what is actually possible to clean up, especially in the case of models that have already been trained and whose retraining would incur high costs. The introduction of a new exception in Article 9 also raises the question of whether this establishes a parallel, AI-specific regime for sensitive data that is only partially compatible with the existing categories.

In addition, there are other unresolved issues, such as the impact of the new definition of health data on existing research and insurance models, the question of supervisory responsibilities in assessing "recipient-related" personal data, and the interactions between the GDPR, Data Act, and AI Act in shared data spaces and training infrastructures. The potential fragmentation resulting from national interpretation practices is also frequently cited as a risk: the more the personal reference and the balancing of interests depend on the specific context, the greater the risk of diverging assessments in the member states.

IV. Practical implementation for controllers and processors

If the Digital Omnibus is adopted in its current form, this would not only create additional adaptation requirements for companies but also open up new room for maneuver. The changes affect key elements of GDPR practice: the question of when data is personal, the use of personal data for AI training, and the handling of sensitive data. Controllers should therefore examine which existing processes need to be adapted and in which areas the new rules could yield concrete advantages.

A key component is the recipient-related reassessment of personal reference. In future, companies would have to systematically document which means of identification they actually have at their disposal and which re-identification options are realistic. This requires a structured assessment, in each individual case, of the data held, the supplementary information available, and the technical access options. The effort is worthwhile: if a company can show that identification is not possible with its own means, the processing in question no longer falls within the scope of the GDPR. This removes extensive obligations, from information and accountability requirements to data subject rights and security measures. For data-driven business models, cloud service providers, or AI providers this can be a significant relief. Companies should therefore develop models and test schemes at an early stage to classify data as "personal" or "non-personal in the recipient context". The clearer this distinction is drawn and documented, the greater the legal and organizational advantage. Two practical caveats follow from the criticism above: the assessment must rest on the means actually available to the recipient (including identifiers it can obtain elsewhere), and it should be reviewed whenever data flows, partners, or the pseudonymization technique change, since supervisory authorities are expected to test the plausibility of such classifications.

For companies that develop, test, or train AI systems, the new possibility of relying on legitimate interest gains considerable practical significance. It makes it possible, but also necessary, to introduce a specific AI-related balancing model. In future, the balancing of interests must focus more strongly on technical risks and, in particular, take into account the expectations of data subjects, the security mechanisms in place, and the possibility of objection. Companies should therefore develop standardized assessment matrices which, in conjunction with technical measures, create a consistent and audit-proof legal basis. Implemented correctly, this opening offers clear advantages: AI providers would no longer depend on cascades of consent or opt-in mechanisms that are difficult to scale. Particularly for models trained on large or unstructured data sources, Art. 6(1)(f) GDPR as amended provides a robust and sustainable legal basis. Those who establish clear processes at an early stage not only improve legal certainty but also accelerate development cycles and reduce coordination effort.

The new opening clause for residual sensitive personal data in Art. 9(2)(k) also requires additional organizational and technical measures. In future, companies will need procedures for identifying and removing sensitive data, for example automated classifiers, manual curation steps, or controlled review pipelines. At the same time, they must document in which cases removal would be technically impossible or disproportionate and which protective measures were implemented instead. Although this process may seem complex at first, it creates a clearer regulatory framework for dealing with unavoidable sensitive residual data. Instead of operating in a gray area, companies can rely on a defined exception which, if properly documented, significantly stabilizes their legal position. For providers of large models in particular, where the complete removal of sensitive data can never be fully guaranteed, this provides a legally secure way of dealing with the problem for the first time.

In addition, there are further adjustments to general data protection management. The more restrictive definition of health data requires a reassessment of existing data categories, but also gives companies the opportunity to remove data that was previously incorrectly "over-categorized" from stricter sensitivity levels. This can have a positive effect on deletion periods, processing bases, and data protection impact assessments. The clarification on biometric verification enables leaner identity checks in certain use cases without the full Art. 9 regulatory apparatus coming into play.

Finally, controllers must take into account the new interfaces between the GDPR, Data Act, and AI Act. The Omnibus will in future require more integrated governance across data classification, purpose limitation, risk analysis, and technical safeguards.

V. Conclusion and outlook

The EU Commission's drafts for a digital omnibus are an important step toward a clearer and more practical European data protection framework. The proposed amendments to the GDPR create greater legal clarity in key areas, but at the same time lead to new demarcation and documentation tasks. Companies will benefit from examining at an early stage which data processing operations may fall outside the scope of the GDPR in the future due to the new, context-based identifiability test, and how legitimate interest can be reliably established as a basis for AI training.

It remains to be seen how far the Parliament and Council will follow the Commission's proposals. Given the political pressure to facilitate digital innovation while maintaining a high level of data protection, however, it can be assumed that at least key elements of the draft will find their way into the final legislation. Companies should therefore closely monitor further developments and align their data protection and AI governance at an early stage so that it is compatible with the new rules. This not only enables more efficient compliance but also creates scope for new data-based business models.

This article was created in collaboration with our student employee Emily Bernklau.
