Alston & Bird Privacy, Cyber & Data Strategy Blog

The EU Digital Omnibus: A European Data Law Shake-Up May Be Coming

By , and

On November 19, the European Commission (EC) released its EU Digital Omnibus proposal – a 153-page document accompanied by an explanatory memorandum and a Staff Working Document. This proposal introduces amendments, deletions, and replacements to several cornerstone EU digital laws, including:

  • The GDPR.
  • The Data Act.
  • The AI Act.
  • The ePrivacy Directive.
  • Other instruments such as the Data Governance Act, NIS2 Cybersecurity Directive, the Regulation on fairness and transparency for online intermediation services, and the Directive on open data and reuse of public sector information.

What’s Changing?

The EU Digital Omnibus aims to:

  • Update long-standing concepts and obligations (g., under the GDPR and ePrivacy Directive).
  • Consolidate provisions across related frameworks (Data Governance Act, Open Data Directive, Data Act).
  • Adjust timelines for obligations not yet in force (notably under the AI Act).
  • Simplify compliance for SMEs by removing certain procedural requirements.
  • Strengthen supervisory powers at the EU level.

Key Proposed Amendments

Some of the most notable changes include:

  • GDPR:
    • A revised definition of personal data.
    • Two new exemptions for processing special categories of data (e.g., identity confirmation and AI system development under specific conditions).
    • Broader use of legitimate interests as a legal basis for AI development, subject to safeguards.
    • Updated rules on data subject access rights – including an additional exemption which applies where the data subject abuses the right for purposes other than the protection of their personal data.
    • Modified information obligations for controllers.
    • Revised rules on automated decision-making.
    • Extended personal data breach notification deadline to 96 hours (up from 72).
    • Introduction of an EU single-entry point for reporting data breaches and security incidents.
  • ePrivacy Directive:
    • New rules for processing data from terminal equipment, changing consent requirements – for example in the context of cookies.
  • Data Act:
    • A new exemption in relation to trade secret protections where data is disclosed to third countries.
    • Lighter touch switching rules for custom-made cloud services.
    • Removal of smart contract requirements in data-sharing contexts.
  • AI Act:
    • Adjusted timelines for high-risk AI system obligations (up to 16 months after the original deadline).
    • Revised AI literacy requirements.
    • Updated post-market monitoring obligations.
    • New compliance modalities for SMEs.
    • Centralized oversight for certain AI systems at EU level.

What’s Next?

The EU Digital Omnibus proposal is at the first stage of the EU legislative process. The European Parliament and the Council will now review it, and they will have to agree on the final text of the law before it is published. This process can be lengthy, and there is no guarantee that all amendments proposed by the EC will ultimately be adopted.

In the meantime, companies whose activities are in scope of one more of the affected EU laws should continue to ensure compliance with the current rules and regulatory guidance.

Questions?

A&B’s Privacy, Cyber & Data Strategy Team is closely monitoring the latest developments in this area. lf you would like to discuss the EU Digital Omnibus proposal or its potential impact on your business, please feel free to contact us.

LinkedIn
Avatar photo

About Alice Portnoy

Alice Portnoy is a Senior Associate in Alston & Bird’s Brussels office and a member of the Privacy, Cyber & Data Strategy Team. Alice focuses her practice on technology and data privacy matters with experience counseling national and international companies across the media and entertainment, pharma, scientific research, education, nonprofit, and food and retail sectors.

[Read Bio]

Wim Nauwelaerts

About Wim Nauwelaerts

Wim Nauwelaerts is a partner in the Brussels office, leading Alston & Bird’s European Privacy, Cyber & Data Strategy Team. Wim has over 20 years of experience working with global companies on their data protection, privacy, and cybersecurity needs, including General Data Protection Regulation (GDPR) readiness, data transfer, data security and breach requirements, and compliance training.

[Read Bio]

Avatar photo

About Paul Greaves

Paul Greaves advises on all aspects of privacy, cyber, and data law across a diverse range of clients - from global technology firms to life sciences startups expanding into Europe. His extensive experience includes advising on EU and UK GDPR compliance projects, cross-border data transfers, and personal data breaches.

[Read Bio]

Share to...
BufferCopyFlipboardHacker NewsLineLinkedInMessengerMixPinterestPocketPrintRedditSMSTelegramTumblrVKWhatsAppXingYummly