On 19 November 2025, the European Commission published a legislative package known as the Digital Omnibus. It is the most comprehensive proposal for GDPR changes since the regulation entered into force in 2018. The package covers amendments to the GDPR, the ePrivacy Directive, the Data Act, the Data Governance Act (DGA), the NIS2 Directive, and the AI Act.
On 11 February 2026, the EDPB (European Data Protection Board) and the EDPS (European Data Protection Supervisor) adopted Joint Opinion 2/2026 — their official position on the proposal. Earlier, on 20 January 2026, both bodies adopted Joint Opinion 1/2026 on the AI Act changes within the same package.
None of the proposed changes have entered into force yet. The proposal is still being processed in the European Parliament and the Council of the EU.
What Is the Digital Omnibus and Why It Affects Every Organisation
The Digital Omnibus consists of two EU regulations. The first — a “digital omnibus act” — amends over a dozen existing legal acts, including the GDPR. The second focuses exclusively on changes to the AI Act. Because both take the form of regulations, once adopted they will apply directly across the EU without requiring national implementation.
The Commission’s stated objective is twofold: simplifying rules and reducing administrative burden, particularly for small and medium-sized enterprises. According to the project documentation, the estimated savings from cutting red tape for businesses and public administrations amount to at least €1 billion per year.
Key Proposed Changes to the GDPR
1. Redefining Personal Data — Article 4(1) GDPR
This is the most far-reaching and controversial proposal in the entire package. The Commission wants to clarify that information does not constitute personal data for a given controller if that controller does not have the means to identify the individual. In other words, the mere possibility that another party could identify the person would no longer make the data personal from the first controller’s perspective.
Additionally, through a new Article 41a, the Commission is seeking authority to issue implementing acts specifying when pseudonymised data may be treated as non-personal data for certain categories of recipients.
In practice, a company processing encrypted or pseudonymised data to which it holds no decryption key could argue it is not processing personal data at all — and therefore that the GDPR does not apply in that context.
2. Record of Processing Activities — Threshold Raised to 750 Employees
The current exemption from maintaining a record of processing activities (ROPA) applies to organisations with fewer than 250 employees — with exceptions for those processing sensitive data or carrying out large-scale processing on a regular basis. The Digital Omnibus proposes raising this threshold to 750 employees.
This change would potentially exempt many small and medium-sized businesses that currently must maintain a ROPA regardless of their type of processing.
3. Data Breach Notification — 96 Hours and a Higher Risk Threshold
The package proposes two changes to the personal data breach notification mechanism:
- extending the deadline for notifying the supervisory authority from the current 72 to 96 hours
- limiting the notification obligation to breaches likely to result in a high risk to individuals’ rights and freedoms — rather than the current broader threshold of “risk to rights and freedoms”
- introducing a Single Entry Point for simultaneously fulfilling notification obligations under the GDPR, NIS2, DORA, and other EU instruments
4. Processing Personal Data for AI Purposes — New Article 88c GDPR
For the first time, the Digital Omnibus systematically addresses the processing of personal data in the context of AI system training and operation. Key proposals:
- confirmation that legitimate interest (Article 6(1)(f)) may serve as the legal basis for processing data for AI purposes — provided a genuine balancing of interests is conducted
- an exception permitting the processing of special categories of data (sensitive data) in AI training — subject to technical and organisational risk-minimisation measures and an obligation to delete such data as soon as the purpose is achieved
5. Privacy Notices — Simplified Information Requirements
The proposal allows controllers to omit a full privacy notice in certain limited situations — where the relationship between the controller and the individual is unambiguous and the person already holds the basic information about the processing. The exemption does not apply to transfers to third countries, automated decision-making, or higher-risk processing.
6. Cookies Without a Banner — ePrivacy Rules Moving Into the GDPR
Rules on cookies and similar technologies would be transferred from the ePrivacy Directive into the GDPR — under new Articles 88a and 88b. The proposal envisages the possibility of handling user preferences automatically through technical means (e.g. browser settings), which in specified cases would eliminate the need for a consent banner. One notable restriction: if a user globally withholds consent via browser settings, the controller may not renew the consent request for the same purpose for at least six months.
7. Harmonisation of DPIA Across the EU
The Digital Omnibus proposes a single EU-wide list of processing operations requiring or not requiring a Data Protection Impact Assessment (DPIA), along with a common template and methodology developed by the EDPB — replacing the current 27 national lists. This is directly connected to the ongoing EDPB DPIA template public consultation, with a deadline of 9 June 2026.
The EDPB’s Position — What They Support and What They Firmly Oppose
The EDPB Firmly Opposes the Change to the Definition of Personal Data
This is the strongest objection in Opinion 2/2026. The EDPB and EDPS state that the proposal goes far beyond a targeted or technical amendment to the GDPR, does not accurately reflect CJEU case law, and would result in significantly narrowing the concept of personal data. They are particularly critical of empowering the European Commission to decide by implementing acts what is no longer personal data after pseudonymisation.
EDPB Chair Anu Talus: “Simplification is essential to cut red tape and strengthen EU competitiveness — but not at the expense of fundamental rights.”
EDPS Wojciech Wiewiórowski: “We strongly urge the co-legislators not to adopt the proposed changes in the definition of personal data.”
The EDPB Supports or Cautiously Supports
- Simplification of information obligations for SMEs — provided individuals’ rights are preserved
- Raising the ROPA exemption threshold to 750 employees — with reservations about excluding public bodies
- DPIA harmonisation — provided the EDPB retains a central role in developing templates
- Extending the breach notification deadline to 96 hours and raising the risk threshold
- Introducing a Single Entry Point for breach notifications
- A derogation for sensitive data in AI training — with clarifications needed on scope and safeguards
- Possibility of handling cookies without a banner in limited cases
What This Means for Your Organisation Today
The Digital Omnibus is still a proposal. No changes are in force. The legislative process in the European Parliament and the Council of the EU is ongoing and may bring significant modifications to the proposed text, particularly on the definition of personal data, where the EDPB’s opposition is unequivocal.
Three things worth doing now:
- Maintain your record of processing activities — even if your organisation employs fewer than 250 people and technically qualifies for an exemption, a ROPA remains the foundation of GDPR compliance management. If the 750-employee threshold is eventually adopted, that will not mean the record is no longer useful — only that it is no longer formally required.
- Document the legal basis for data processing in AI projects — the purpose, data categories, legitimate interest assessment. AI-related provisions may enter into force sooner than changes to the definition of personal data.
- Do not treat pseudonymisation as a tool that excludes the GDPR — the EDPB has explicitly opposed this interpretation and it is unlikely the Commission’s proposal will survive parliamentary negotiations unchanged.
The next significant milestone: a high-level conference organised by the EDPS, the German Federal Commissioner for Data Protection (BfDI), and the Bavarian Data Protection Commissioner (BayLfD), focused on the implications of the Digital Omnibus for the GDPR and the broader EU digital regulatory framework — scheduled for 8 June 2026.
Sources: EDPB press release, 11 February 2026 | EDPB-EDPS Joint Opinion 2/2026 | UODO communication (PL)