Change is in the Winds: The European Commission’s proposed changes to the GDPR
In November 2025, the EU’s European Commission issued a Digital Omnibus Package (see here and here) that included changes to the GDPR as well as to the cookie rules (under the ePrivacy Directive), cybersecurity regulations and the EU AI Act. Although there had been talk of simplification prior to this release, the extent and impact of some of the proposed changes in the Digital Omnibus caught many privacy practitioners by surprise.
The Digital Omnibus Package is made up of two proposed regulations:
- a “Digital Omnibus” that would amend the General Data Protection Regulation (GDPR), ePrivacy Directive, NIS2 Directive and Data Act, and
- a “Digital Omnibus on AI” that would amend the EU AI Act. Refer to our separate post on proposed changes to the EU AI Act for further discussion of these proposals.
In this post, we focus on the key proposals from the Digital Omnibus relevant to the GDPR, and in particular changes relevant to Australian organisations that might have to comply with the GDPR. We have published a separate post on proposed changes to the EU’s AI Act.
Why changes are being proposed to the GDPR
In our separate post on changes to the EU’s AI Act, we cover the change in direction towards AI regulation in particular by the Trump Administration. This change is also relevant to other EU digital technology laws including the GDPR. Plus, consideration was already being given to how the GDPR might be simplified particularly as it applied to Small and Medium Enterprises (SMEs).
A key driver for the Digital Omnibus package was to clarify, simplify, and harmonise GDPR provisions to reduce administrative burdens and make compliance more predictable and business-friendly, especially for small and medium-sized enterprises.
Another important direction was to facilitate the use of personal data for AI training and innovation by adjusting definitions and legal bases for data processing, such as:
- refining the definition of “personal data” and
- explicitly allowing processing under “legitimate interest” for AI development (aligned to increasing support for use of AI with reduced regulatory safeguards).
The changes strive to maintain the GDPR’s effectiveness and fundamental protections while enabling businesses to innovate and compete globally, addressing concerns about regulatory complexity that may hinder growth.
However, privacy advocates have not been completely supportive of the proposed changes. They describe the changes as a “massive downgrade” or “death by a thousand cuts” to EU privacy protections.
Some of the criticisms include:
- Expanded exemptions to consent requirements, especially for AI training data, raise concerns that personal data could be processed more freely without explicit user consent (e.g. where there is a new purpose of processing).
- The lifting of bans on processing certain special categories of protected data for AI purposes is seen as weakening protections for sensitive data.
- The proposed merger of the ePrivacy Directive (covering cookie consent) with the GDPR is feared to severely weaken cookie and tracking consent rules.
- Amendments allowing companies to treat pseudonymised data as not being personal information raise concerns about reduced safeguards.
- Limiting user rights to access their data only for correction or deletion is viewed as restricting transparency and control.
Overall, privacy advocates see the Digital Omnibus proposals as concessions to industry pressures that risk weakening fundamental digital rights protections in the EU, shifting the power balance too far away from individuals and in favour of large tech and AI firms.
Key Proposed Changes to the GDPR
Revised definition of personal information
The GDPR’s definition of “personal data” would be updated to exclude information where the entity holding it does not have “means reasonably likely to be used” to identify the individual. Reflecting the Court of Justice of the European Union’s (CJEU) decision in SRB (Case C-413/23), information would not be considered personal data for that entity—and thus would fall outside the GDPR’s scope—if identification is legally prohibited or would require a disproportionate effort.
The proposal also empowers the Commission to adopt further implementing acts specifying when pseudonymised data constitutes personal data, based on the state of the art of available techniques.
However, the proposal does not amend the definition of “data concerning health”, an amendment which was included in an earlier draft leaked on November 10, 2025. The leaked draft sought to limit the scope of the definition to data directly revealing information about an individual’s health status.
Allowances for AI Development and Deployment
Two key amendments to the GDPR are proposed to clarify rules for controllers processing personal data to develop and deploy AI systems and models.
Processing for that purpose would be recognised as a legitimate interest use under the GDPR. Controllers would still need to demonstrate necessity and proportionality through a balancing test and implement appropriate safeguards, including minimising data used for AI training and granting data subjects an unconditional right to object to the processing of their personal data.
Additionally, a new exemption from the prohibition on processing “special categories of personal data” is proposed to cover cases in which a dataset contains residual sensitive data. The exemption would allow the processing of such data for the development and operation of an AI system or model, provided controllers implement certain technical measures to minimise collection of sensitive data and to ensure removal of any identified sensitive data.
Clearer rules for “scientific research” activities
The concept of “scientific research” would be explicitly defined as “any research which can also support innovation, such as technological development and demonstration.”
Such research may “aim to further a commercial interest” and must “contribute to existing scientific knowledge or apply existing knowledge in novel ways, be carried out with the aim of contributing to the growth of society’s general knowledge and wellbeing and adhere to ethical standards in the relevant research area.”
The proposal also specifies that further processing for scientific purposes is compatible with the initial purpose of processing and that scientific research constitutes a legitimate interest.
Expanded exemptions to data subjects’ rights
The proposal extends the existing exceptions to transparency requirements, in particular where processing is conducted for scientific research purposes. It also clarifies the circumstances in which controllers may either refuse to act on an access request under Article 15 GDPR or charge a reasonable fee for responding to such requests. These include, in particular, situations where the data subject “abuses the rights conferred by [the GDPR] for purposes other than the protection of their data”.
Updated cookie rules
Cookie “consent fatigue” and the proliferation of cookie banners have been an issue. In response, it is proposed to permit the storing of personal data, or gaining access to personal data stored in terminal equipment, without consent (i.e. placing pixels or tracking software on browsers), in a range of circumstances, e.g. to measure audience size for the operator’s own use, or to maintain or restore security.
Looking ahead, the Commission foresees the introduction of universal settings-based preference mechanisms that allow users to express consent or opt out consistently across websites and applications, with website and app operators needing to implement them following a six-month transition period.
EU-wide data breach template and notification platform
The Commission plans to introduce a single-entry EU portal for reporting data breaches, following a “submit once, share widely” model to streamline obligations under GDPR, the NIS2 Directive, the Digital Operational Resilience Act, the Critical Entities Resilience Directive and the upcoming Cyber Resilience Act. Australian organisations can sympathise with the multiple data breach notification requirements currently in play.
The bar for notification to regulators would be lifted: controllers would only be required to notify data breaches that present a high risk to individuals, and the reporting deadline would be extended to 96 hours (from 72 hours). The European Data Protection Board (EDPB) would also be tasked with preparing a standardised breach notification template for the Commission to adopt through an implementing act.
Harmonised Data Protection Impact Assessment (DPIA) guidance and template
Another proposed task for the EDPB would be the creation of EU-wide lists of processing activities that do and do not require a DPIA, replacing the current national lists. The EDPB would also develop a standardised template and methodology for conducting DPIAs (updated every three years), which the Commission could adopt through an implementing act.
What happens next?
The final text of the Digital Omnibus is likely to evolve during negotiations with the European Parliament and the Council of the EU. Definitely keep an eye on this space for further developments.
If you want to receive updates in your inbox, join our newsletter. We share privacy updates each month.