Commission shows its hand on GDPR and AI Act reform

Updated as of: 19 November 2025

The European Commission’s Digital Omnibus broadly sticks to its leaked draft GDPR and AI Act simplification plans.


The European Commission today formally presented its long-awaited Digital Omnibus Package, aiming to simplify the EU digital rulebook and make key changes to data protection rules and the AI Act. 

The reforms, which aim to strengthen competitiveness in the EU, largely reflect those considered in the draft proposal of the rules, first reported by MLex on 4 November, but add new amendments to certain rules and definitions. 

The draft raised concerns from privacy advocacy groups including noyb, European Digital Rights and the Irish Council for Civil Liberties in an open letter sent to the commission on 11 November, warning of considerably reduced protections and possible conflict with the EU Charter of Fundamental Rights.

"The legislative process is the wrong tool if the goal is legal certainty; they are trying to address a problem through the legislative process that we should be addressing through regulatory guidance,” Baker McKenzie partner Lukas Feiler told Lexology PRO. 

Feiler added that he thinks the EU economy would benefit more from data protection authorities “taking more responsibility and making uncomfortable choices” and recognising “they are not just pure enforcement bodies”, but should instead also issue guidance and set policy.

What is the same in the draft and new proposal? 

Both the draft and the current omnibus keep many of the same key amendments. 

This includes amending the definition of personal data, centralising data breach notifications, and clarifying that personal data used to develop and run AI systems can be processed on the basis of legitimate interests, provided controllers meet all GDPR conditions for that legal basis, including a balancing test to ensure their interests do not override data subjects’ rights.

The omnibus also extends the data breach reporting deadline from 72 to 96 hours, with notifications for cross-border breaches passed through a new EU single entry point using a standardised template to be written by the European Data Protection Board. 

“A single reporting point for data breaches and other security incidents as well as standardised templates will simplify crisis management,” Reed Smith partner Christian Leuthner told Lexology PRO. 

Computer and Communications Industry Association (CCIA) head of policy Alexandre Roure said in a statement that the omnibus is a “promising step towards simplifying EU tech rules” but is too narrow in scope and “leaves much of the EU’s patchwork untouched”.  

“Unprecedented regulatory complexity and legal uncertainty act as a direct tax on Europe’s competitiveness and innovation. Efforts to simplify digital and tech rules cannot stop here,” Roure said. 

Removal of new special category data definition 

The initial draft proposal for the GDPR would have amended the definition of special category data in article 9(1), but this has now been dropped. 

This would have seen the stricter special category rules only apply to data that “directly reveals” sensitive traits such as racial or ethnic origin, political opinions or health status, rather than data which simply reveals such information. The proposed amendment had attracted criticism from privacy group noyb, which said it would reduce protections available to those who do not directly announce sensitive data about themselves even when the information could be deduced.

Clearer definition of scientific research

The omnibus firms up how scientific research is treated under the GDPR, introducing a new section defining what research data is and how this should be handled. It defines research data as digital data and documents, though not including publications, that are generated through scientific research and needed as evidence or to validate results. Member states are also told to adopt “open by default” policies so that publicly funded research data is made publicly available as long as confidentiality, security and data protection concerns are taken into account. 

However, it adds that legitimate commercial interests have to be taken into account when publicly funded research data is made open and re-usable. 

Freshfields partner Christoph Werkmeister told Lexology PRO the explicit inclusion of commercial interests “makes the approach seem ambitious, especially in light of discussions around previously leaked GDPR amendments.”

The AI Act 

Under the omnibus published today, the commission has firmed up its simplification plans for the AI Act, which largely mirror the draft proposal.

However, the draft would have given AI companies a potential privilege by treating compliance with the Cyber Resilience Act (CRA) as automatic proof that the AI Act’s cybersecurity rules have been met, avoiding the need for a separate assessment. That provision has now been dropped. 

“Notably for the digital industry, the privileged effect of CRA compliance as a means to demonstrate conformity with cybersecurity requirements under the AI Act, which was included in the leaked version, has been removed in the final version,” Werkmeister said.  

Covington & Burlington partner Daniel Cooper said the omnibus is “very similar” to the leaked draft and that the commission will play a larger role in overseeing certain AI systems. He added there are “no real changes in the intersection with data privacy.”

The omnibus will add a year-long grace period to give companies more time to meet the labelling obligations for content produced by high-risk generative AI systems that were already on the market before the August 2026 start date.

"The postponement of the applicability of the high risk AI system rules came as a bit of a surprise to me,” A&O Shearman partner Peter Van Dyck told Lexology PRO. “Not so much that there would be a postponement, as this was already quite clearly in the cards, but I didn't expect that the postponement would be for a period up to 16 months." 

Van Dyck added this will give AI companies “some breathing room” before they are required to implement the rules.

“The proposed grace period for the watermarking provision, to label AI-generated content, will be welcome,” Norton Rose Fulbright partner Marcus Evans said. 

This is likely to apply to downstream providers, such as companies which have created their own chatbots or tech companies providing the models, who Evans said “will be unable to comply” with the labelling obligations until “an effective method” for labelling is made available. 

Small and medium-sized AI companies can also expect to benefit as they will be spared from some documentation obligations and have a reduction to their potential liability for fines.

As floated in the leaked draft, the commission will also create a GDPR legal basis to allow for certain AI system providers to process sensitive category data in the interest of detecting and correcting bias, subject to strict safeguards such as access controls, record-keeping and a requirement to delete all data once the bias is detected.

Additionally, the omnibus will see the commission’s AI Office gain centralised oversight with new powers to regulate and enforce against AI systems deployed by Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs), as defined in the Digital Services Act, including an ability to impose fines. The AI Office currently operates in coordination with other national authorities which handle enforcement in their own countries.

“I still consider the proposal to be a laudable attempt from the EU to alleviate some of the regulatory burden,” Morrison Foerster partner Alex van der Wolk told Lexology PRO. 

Van der Wolk noted it will be interesting to see how much of the proposal will “withstand the scrutiny of further legislative negotiations”. The draft amendments will now be subject to negotiation before the European Parliament and Council.

MEP Michael McNamara told an IAPP conference in Brussels today that the MEPs’ view on the omnibus is "far from unanimous". He noted that some groups will have "considerable concerns" that the package introduces new uncertainty, including due to the proposed definition of personal data that would make prosecuting data breaches more complex.

"Is that part of simplification or is that an attempt at deregulation? I would have thought very clearly it’s the latter," McNamara said.