EU AI Act, GDPR, and Digital Laws Changes Proposed
What You Need to Know
Key takeaway #1
Proposed amendments would alter a raft of key AI, data and digital laws. Many of these laws can also apply to businesses headquartered outside of the EU and so the potential impact is significant.
Key takeaway #2
The GDPR changes would mark a material shift in data privacy laws and one with a potential global “ripple effect” given many countries and companies adopted GDPR influenced laws/compliance standards.
Key takeaway #3
The AI Act changes would include postponement of high-risk AI obligations. Other proposals target amendments to the Data Act and e-Privacy Directive, amongst others.
Client Alert | 11 min read | 12.01.25
Major changes have been proposed to EU AI, data and wider digital laws. On 19 November 2025, the European Commission published its much anticipated Digital Omnibus Regulation Proposal (the “Digital Omnibus”) and its Digital Omnibus on AI Regulation Proposal (the “AI Omnibus”). The mooted changes could affect the “Brussels effect” seen post-GDPR and add complexity to the compliance efforts of businesses.
Background
At a time when the U.S. Trump Administration is adopting a deregulatory approach in light of its “AI Arms Race” policy, the Commission’s stated intention behind both the Digital Omnibus and the AI Omnibus is threefold: to save European businesses, particularly small mid-caps (“SMCs”) and small and medium-sized enterprises (“SMEs”), both time and cost in relation to compliance; to facilitate innovation, increase competitiveness and encourage growth in the digital space; and to maintain robust data protection and other fundamental principles.
The new proposals are the result of extensive consultations with stakeholders. Among other things, they are intended to amalgamate, simplify and harmonise the existing EU requirements around data, artificial intelligence (“AI”) and cybersecurity by clarifying, and in certain circumstances relaxing, a number of the more rigorous rules which govern these areas.
The two Omnibus proposals will now be subject to the trilogue process, requiring approval from both the European Parliament and the Council before they can pass into law (under the usual process, adoption is likely by mid-2026, although this could be sooner if the European Parliament applied its urgent process). The proposals are unlikely to escape this negotiation process unscathed and may well be subject to considerable further discussion and challenge.
Despite criticism from various quarters, the Commission does not appear to view the proposed changes as a move towards deregulation of data protection, AI and cybersecurity, but rather as a regulatory “de-cluttering” which would enhance the existing legislation while leaving it firmly anchored within the framework set out in the Charter of Fundamental Rights of the European Union.
Key Points in the Omnibus Proposals
- Proposed clarification of the definition of "personal data," especially for pseudonymised data.
- Question of whether personal data may be processed for the purposes of AI development and training on the basis of "legitimate interests", not only consent, may finally be resolved (although the Digital Omnibus provides that legitimate interests can only be relied upon if controllers comply fully with the existing EU General Data Protection Regulation 2016/679 (the "GDPR") safeguards).
- Data subject access requests ("DSARs") may be refused by a controller, or made subject to a reasonable fee, where the request is made for purposes other than exercising the right of access or is abusive (with the controller required to justify any refusal).
- Wider range of first-party cookies may be exempt from consent requirements; lawful bases beyond consent (e.g., legitimate interests) may become possible.
- Consolidated data breach reporting via a "single-entry point" may be introduced. Breach reporting deadline may be extended from 72 to 96 hours with a standardised reporting template.
- Enhanced protection against leakage of trade secrets under the EU Data Act may be introduced.
- The application of certain high-risk AI requirements may be delayed until December 2027 due to implementation challenges.
- The Commission favours shifting responsibility for promoting AI literacy to the Commission itself and to Member States.
- Proposals would allow processing of special category personal data to address bias in AI systems, subject to safeguards.
- Relaxation of registration requirements for low-risk AI systems used in high-risk areas is proposed.
- Regulatory benefits for SMEs may be extended to SMCs.
The Digital Omnibus
Some of the most significant proposals set out in the Digital Omnibus, which impact (among other things) the GDPR, include the following:
- Definition of Personal Data. Among other changes to definitions, the Digital Omnibus aims to change the definition of “personal data” so as to reflect EU case law. Under the suggested changes, a controller would be able to treat pseudonymised personal data as not being subject to the GDPR, provided that the controller was unable to re-identify the individuals to whom the data relate.
This would be the case notwithstanding the fact that such data could be deemed to be personal data in the hands of a third party to whom the relevant data was transferred if that third party was able to re-identify the individuals to whom such pseudonymised data relates.
Proposals to amend the definition of “special categories of personal data”, which had been included in previous leaked versions of the proposals, do not appear to have been included in the definitive version.
- Additional Exemptions Allowing Processing of Special Category Data. The proposals envisage two additional exemptions from the general prohibition on processing special categories of personal data. One exemption would allow the processing of biometric data where necessary to confirm a data subject’s identity and where the data and the means of verification were under the sole control of the data subject.
The proposals also address the basis on which AI systems may be developed and operated: processing of personal data for the purposes of developing and training AI systems could be justified on the basis of the controller’s “legitimate interests”, subject to the implementation of appropriate guardrails. This would recognise how AI systems are developed in practice.
- DSARs. The right of individuals to make a DSAR would become more limited in certain circumstances. If an individual submitted a DSAR for purposes other than simply exercising his or her fundamental right of access, or abused the right of access, the controller could either refuse to comply with the DSAR or charge a reasonable fee for doing so, although controllers would need to be able to justify any refusal to comply.
- Information Rights. A controller’s obligations to inform individuals about how their personal data will be processed under Article 13 of the GDPR would also be amended. According to the proposals, these obligations would not apply if there were reasonable grounds to assume that the individuals already had the relevant information, unless the controller was planning to share the data with other recipients, transfer it to a third country, subject it to automated decision-making, or if the processing was high-risk.
- Cookies. Various changes are also proposed to the rules around cookies. The proposed changes would mean that consent would not be required for deployment of a wider range of first party cookies than is currently the case (for example, the use of certain technical cookies, transmission cookies, cookies measuring a website’s audience and certain contractual cookies, among others).
As the rules in respect of cookies would be amalgamated within the GDPR, lawful bases other than consent potentially could also be relied upon, for example, legitimate interests. This would be a sea change from the e-Privacy Directive approach driving current cookie banners.
The proposals also envisage the introduction of a machine-readable, settings-based system which would allow users to refuse or accept cookies with a simple “yes”/“no” response and would oblige organisations to record and honour that choice for six months. The aim is to address “cookie consent fatigue” among users by reducing the need for repeated consent requests.
- Breach Reporting. Regarding cybersecurity, the proposals envisage amending the GDPR so that the controller’s obligation to notify data breaches to the competent supervisory authority is aligned with the obligation to notify data subjects, i.e., notification would be required only where a breach was likely to result in a high risk to the rights and freedoms of data subjects.
The amendments would also attempt to consolidate the current “patchwork” of breach reporting requirements set out in various regulations (e.g., the GDPR, the Digital Operational Resilience Act (“DORA”) and Directive (EU) 2022/2555 (the “NIS2 Directive”)) by introducing a “single-entry point” through which organisations would make data breach notifications, to be developed by ENISA (the European Union Agency for Cybersecurity).
Other proposed cybersecurity-related changes include the introduction of a breach-reporting template (to be developed by the European Data Protection Board (the “EDPB”)) and the extension of the deadline for reporting data breaches from 72 to 96 hours, which would doubtless come as a relief to many organisations.
- EU Data Act. Certain changes to the EU Data Act (which recently became applicable) are also proposed, such as increased protections to try to prevent the leakage of trade secrets to other jurisdictions.
- Platform-to-Business Regulation. The Commission also intends to repeal the Platform-to-Business Regulation, which has been superseded by other legislation in many areas.
The AI Omnibus
Various consultations highlighted difficulties in implementing the EU AI Act (the “AI Act”). Examples include the absence of harmonised standards for the AI Act’s high-risk requirements, guidance and compliance tools, as well as delays in the appointment of conformity assessment bodies and national competent authorities.
Such issues have led to the proposed changes envisaged by the AI Omnibus. Proposed steps to tackle these issues through specific simplification measures include the following (among other things):
- High-Risk AI Systems. The application of certain requirements around high-risk AI systems, which were due to become applicable in August 2026, would be postponed due to the delay in establishing standards and support tools (the suggested extension of the relevant deadlines is not intended to continue past December 2027).
- AI Literacy. The lead on ensuring AI literacy would be taken largely by the Commission and EU Member States, rather than the providers and developers of AI systems (although certain training requirements for deployers of high-risk systems would remain).
- Special Category Data. Providers and deployers of AI systems and models would be permitted to process special category personal data to uncover and rectify bias, subject to certain guardrails, which is intended to assist compliance with applicable data protection requirements.
- Sandbox. It is intended that real-world testing and AI regulatory sandboxes would be used more widely and an EU-level sandbox administered by the AI Office would be put in place.
- Low-Risk AI Systems. Registration requirements for providers of low-risk AI systems which are utilised for procedural or narrow purposes only, but which are used in high-risk areas, would be relaxed.
- SMC Benefits. SMCs would also be able to utilise certain regulatory benefits afforded to SMEs, if the proposals are implemented (these include simplified technical documentation rules and special consideration in the application of penalties).
- Post-Market Monitoring. Increased flexibility in post-market monitoring would be possible thanks to the removal of the requirement for a harmonised post-market monitoring plan.
- Regulatory Interaction. Specific amendments to explain how the AI Act and other EU legislation (such as the Cyber Resilience Act) work together and modifying the AI Act’s processes to enhance its implementation and functioning as a whole would be introduced.
- Supervision. The proposals would give the AI Office centralised supervision of AI systems based on general-purpose AI models, as well as AI systems embedded in very large online platforms and very large online search engines.
The Commission is also taking further steps to help with compliance under the AI Act and to mitigate certain concerns raised by stakeholders. It is producing further guidance setting out pragmatic and understandable directions relevant to the AI Act alongside other EU legislation (for example, guidance on the reporting of serious incidents by providers of high-risk AI systems, guidelines on the practical application of the high-risk requirements, and guidelines on the post-market monitoring of high-risk AI systems).
Comment
These proposed changes to the EU’s AI, data and wider digital laws have already attracted a great deal of debate, as well as criticism. Max Schrems, who has actively and successfully challenged data transfer mechanisms such as Privacy Shield in court in the past, has been a particularly forceful critic. Some businesses and industry sectors, however, will no doubt welcome some of the changes, particularly where they have been struggling with the practicalities of current compliance.
It will be interesting to see what the final versions of the proposed amendments look like in practice, once the trilogue process is completed.
In light of the numerous proposals, the Commission opened a public consultation on the same date as the Omnibus proposals were announced. The consultation will remain open until 11 March 2026, to allow for a full digital fitness check assessing the cumulative impact of the entire digital rulebook on the EU’s competitiveness, values and fundamental rights. The digital fitness check will stress-test the entire EU digital rulebook to identify further areas for simplification.
Given the impact of the GDPR as a regulatory “gold standard” model and benchmark on which the data protection regimes of many other countries have been based, it will also be interesting to observe the reactions of other jurisdictions, including the UK, to the proposed European regulatory changes and whether the so-called “Brussels effect” will lead to a fresh proliferation of similar changes in data protection, AI and cybersecurity-related laws in other countries. Given the pragmatic and risk-based approach to data protection taken by the UK Information Commissioner’s Office (the “ICO”), any simplification that mirrors the ICO’s perspective may well be welcomed.
Despite all the moving parts and uncertainty, what is clear is that these proposals have added to the complexities for businesses and the need to seek advice before using data, developing or deploying AI, operating websites or other digital platforms and/or engaging in many other digital use cases.
Crowell & Moring will continue to monitor these fast-moving developments. For further information, please contact our team.