What Is the Digital Omnibus Proposal?
This legislative proposal, which is more than 150 pages long, represents a comprehensive effort to simplify and modernise the European Union’s digital regulatory framework, primarily with a view to reducing administrative burdens and enhancing competitiveness.
The main objectives of the Digital Omnibus proposal include the introduction of immediate regulatory adjustments and the amendment of the existing data management and data disclosure rules under the Data Act, including the strengthening of trade secret protection in relation to data transfers to third countries. The proposal consolidates related legislation by incorporating the provisions of the Data Governance Act and the Open Data Directive, which are to be repealed, into the Data Act, thereby creating a unified legislative framework.
In addition, a single incident reporting point would be introduced, significantly reducing the multiple reporting obligations of businesses, particularly SMEs. Amendments would also be made to the General Data Protection Regulation (GDPR), clarifying the concept of personal data and notification obligations. This package of measures is expected to result in significant cost savings for businesses.
What Are the Objectives of the Digital Omnibus Proposal?
The Digital Omnibus proposal aims to simplify EU digital rules and boost innovation. Its main purpose is to help EU businesses innovate, grow, and save on administrative costs.
Competitiveness and cost reduction:
The proposal aims to increase technological competitiveness and generate savings for EU businesses by simplifying rules, streamlining procedures, offering one-stop-shop solutions, and eliminating overlaps and outdated provisions.
Unlocking innovation:
Simplification facilitates compliance, reflects the needs of the digital sector, and creates opportunities for innovation, while continuing to ensure the protection of the rights of European citizens and businesses.
Streamlining data rules, including the GDPR:
The proposal aims to simplify EU data rules, turning legal compliance from a costly burden into a competitive advantage for businesses. It consolidates data management rules into two major pieces of legislation: the Data Act and the General Data Protection Regulation (GDPR), the latter of which remains a key regulatory instrument.
Increasing access to data:
The measures help businesses overcome practical obstacles in order to improve access to data, which is a key resource for promoting innovation.
Specific Objectives and Amendments Within the Digital Omnibus
Streamlining Cybersecurity
- Under the Cyber Resilience Act, simplified requirements would apply to small and medium-sized enterprises, together with automatic compliance with the cybersecurity provisions of the AI Act.
- A single ENISA reporting interface would be established for reports relating to the NIS2, GDPR, DORA, and eIDAS frameworks.
- An EU-level AI Act sandbox would be created, and AI literacy obligations would shift from companies to the European Commission.
Amendment of the Artificial Intelligence Act (AI Act)
- The proposal aims to reduce compliance costs for businesses. It introduces simplifications, such as extending simplified methods applicable to SMEs to small mid-cap companies (SMCs) as well.
- The application of rules relating to high-risk AI would be linked to the availability of supporting tools, such as standards. The Commission would modify the timeline for the entry into force of the rules applicable to high-risk systems by up to 16 months.
- The proposal would centralise the supervision of AI systems used by large platforms and search engines within the Commission AI Office, thereby promoting a more coherent enforcement strategy.
Amendment of the GDPR
- The proposal aims to reduce “cookie banner fatigue” through simpler and more user-friendly design.
- It would allow users to refuse all cookies with a single click or to set their preferences through centralised settings, for example through a browser.
- It would support businesses by proposing a whitelist of harmless purposes, such as statistics, for which user consent would not be required.
The concept of personal data (Article 4(1) of the amended GDPR):
- Under the amended GDPR, the concept of “personal data” would change, essentially codifying the CJEU’s recent decision in the SRB case. The amended definition would clarify that, for a given organisation, information does not qualify as personal data if that organisation cannot identify the natural person concerned by the information, taking into account the means “reasonably likely to be available” to achieve identification. The proposal would thereby allow pseudonymised datasets to be shared and used, provided that the receiving third party is unable to re-identify the individual.
- Data controllers would continue to be fully subject to the obligations under the GDPR.
Consent management:
- Access would continue to be based on consent, but the rules would require that refusal of consent be made possible with one click or by an equivalent means. If the data subject refuses consent, the controller would not be allowed to request consent again for the same purpose for at least six months (proposed Article 88a).
- Due to the pace of technological development, the Commission may issue implementing acts to further increase legal certainty and ensure the effective protection of citizens’ rights.
Use of data for AI systems:
- The proposal clarifies that the processing of personal data for AI systems may take place on the basis of “legitimate interest” under the GDPR. The processing of personal data for AI models is lawful, provided that the specific use does not infringe any EU or national law and that the processing complies with all GDPR requirements.
Data breaches and DPIA impact assessment:
Incident notification threshold and deadline: the controller would only be required to notify the competent supervisory authority if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons. The notification deadline would be extended from 72 hours to 96 hours.
Scientific research exemption from the obligation to provide information:
It would not be necessary to provide information to data subjects where, in the case of processing carried out for scientific research purposes, providing the information proves impossible or would involve disproportionate effort. In such cases, the controller must make the information publicly available.
AI development and operation:
An exception would be introduced to the prohibition on processing special categories of personal data where such processing takes place in the context of the development and operation of an AI system or model, provided that appropriate technical and organisational measures are applied to avoid the collection of such data and that any identified special category data is removed, unless removal would require disproportionate effort.
Main Points of Criticism
Narrowing the protection of personal data and fragmenting data protection:
At present, data qualifies as personal data if a person can be identified from it by anyone using ordinary means. The Omnibus proposal, however, would allow companies to rely on internal “non-identifiability” criteria, meaning that the same data could be regarded as personal data by some entities and non-personal data by others. This creates legal uncertainty and weakens data protection.
Opening new paths for the use of sensitive data for AI purposes:
The Digital Omnibus broadens the use of “legitimate interest” as a justification for data use, making it easier for companies to use personal and sensitive data to train artificial intelligence systems. Since individuals often do not even know that their data is being used for such purposes, and since the data may not be effectively deleted later, this poses a serious risk to privacy and data protection.
Expanding automated decision-making and weakening human control:
Currently, within the data protection framework (Article 22), there are restrictions on companies making automated decisions without human intervention in matters such as credit, insurance, or access to services. The Omnibus proposal would relax these restrictions, allowing automated systems to make decisions in sensitive matters without human review.
Does it really help small and medium-sized enterprises?
Although the Omnibus claims to help SMEs, it does not actually contain the solutions requested by these companies, such as templates, standardised forms, and predictable legal application. Instead, it introduces more exceptions and, with them, more uncertainty. This benefits large companies, while placing SMEs at a disadvantage.
Closing Thoughts
Overall, the Digital Omnibus represents an important step toward modernising digital regulation, simplifying the digital regulatory environment, reducing the administrative burdens of businesses, and strengthening the EU’s innovation potential. The package contains several amendments that may provide real relief for businesses, particularly through the rationalisation of data rules, the unification of cybersecurity reporting, and the fine-tuning of the practical application of the AI Act.
At the same time, the proposal has also attracted significant criticism. The narrowing of the concept of personal data, as well as the facilitation of data use for AI purposes, may create interpretative uncertainties that could lead to a weakening of data protection. In addition, there is a risk of a domino effect: if certain fundamental concepts and guarantees of the GDPR are weakened, this could easily spread to the entire EU data protection framework.
Furthermore, in several areas the proposal may favour large companies, while, contrary to its stated objective, it may create even greater compliance uncertainty for SMEs.


