On 19 November 2025, the European Commission presented the Digital Omnibus, a draft regulation intended to adjust and modernize several mechanisms of the General Data Protection Regulation (GDPR), adopted in 2016.
Its stated goal: simplify, clarify, and adapt the legal framework to today’s digital ecosystem, particularly to artificial intelligence (AI).
Below is a summary of the proposed changes.
🔍 1. Clarifying the Scope of Personal Data
The Commission notes that certain GDPR obligations are disproportionate when applied to information that does not allow identification of a person, even indirectly.
The Digital Omnibus therefore proposes to better distinguish:
- data that genuinely qualifies as personal data;
- data “not relevant for identifying a person,” particularly data used for AI model training.
This clarification aims to reduce unnecessary compliance burdens without undermining the core purpose of personal data protection.
🔍 2. Adjusting Rules for Sensitive Data
Under the GDPR, processing of “sensitive data” (racial origin, political opinions, health, biometrics, etc.) is in principle prohibited, subject to strict exceptions.
The Digital Omnibus introduces carefully controlled changes:
- allowing certain biometric data to be used for identity verification;
- permitting the exceptional and limited use of sensitive data for AI model training, with a guaranteed right to object for individuals.
These updates do not weaken protections: they create narrowly framed derogations to support responsible innovation.
🔍 3. Evolution of Data Subject Rights
The Commission identifies abusively repetitive or excessive requests (e.g., mass data subject access request (DSAR) campaigns) as an issue.
Under the proposal, data controllers may reject manifestly excessive or repeated requests, provided they justify the refusal clearly.
The intent is to protect individual rights without paralyzing organizations.
🔍 4. Cybersecurity: A Shift in Institutional Responsibility
Two notable changes are proposed:
- The notification deadline for personal data breaches would extend from 72 hours to 96 hours, enabling more accurate and complete reporting.
- Responsibility for receiving breach notifications would shift from national data protection authorities to cybersecurity agencies (in France: ANSSI).
This reflects the growing convergence between data protection and cybersecurity.
🔍 5. The End of Cookie Banners
The Digital Omnibus proposes replacing the current consent-based (opt-in) cookie model with a browser-level, centralized preference system based on automatic preference signals.
This reform aims to:
- eliminate the overload of cookie banners;
- reinstate user control through browser settings.
🔍 6. Strengthening EU-Wide Harmonization
The role of the European Data Protection Board (EDPB) would be reinforced to ensure more consistent interpretation and enforcement of the GDPR across Member States.
This responds to persistent concerns from companies operating in multiple jurisdictions.
🧭 The Digital Omnibus reflects an attempt to balance:
- fundamental rights, a cornerstone of the European model;
- competitiveness and innovation, especially in the context of AI.
Several structural questions remain:
- How far will these adjustments go once debated by the European Parliament and the Council?
- Can Europe truly establish a “third digital path,” distinct from the U.S. market-driven model and China’s surveillance-based model?



