Less than a decade after the enactment of the European Union’s gold standard General Data Protection Regulation, the European Commission Wednesday released its Digital Omnibus Regulation Proposal and Digital Omnibus on AI Regulation Proposal. The draft proposals outline a course correction to Brussels’ approach to digital regulation as set out in its new European Data Union Strategy.
With the rapid rise of artificial intelligence and proliferation of digital regulations in the EU, concerns around the EU’s competitiveness as outlined in the Draghi report on EU competitiveness and geopolitical pressure from the U.S. and China, the Commission is peeling back some of what it considers are onerous rules.
At a high level, the data union strategy aims to provide the EU with high-quality data for developing AI and to strengthen the EU's approach to international data flows, according to European Commissioner for Tech Sovereignty, Security and Democracy Henna Virkkunen during a press conference at the Belraymont building in Brussels.
Virkkunen noted the Commission stands "firmly behind our high standards for privacy, fairness and security," however, she said, "regulation alone is not enough, as we know, we must also move from rule making to innovation building."
"We need immediate steps to get rid of regulatory clutter," she added. The omnibus packages therefore aim to simplify existing rules on AI, cybersecurity and data.
Virkunnen was joined at the press conference by Commissioner for Economy and Productivity Valdis Dombrovskis and Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection Michael McGrath.
During questions from the press at the European Commission press conference, McGrath said the targeted amendments "are a balanced approach" to cultivating Europe's digital economy while maintaining Europeans' fundamental rights.
Targeted amendments to the GDPR
McGrath was careful to underscore that data protection reforms are targeted amendments and "not a reopening of the GDPR." He said the measures "reflect significant judgements from the Court of Justice of the (European Union), as well as opinions from the European Data Protection Board," in addition to months of talks with stakeholders from within the EU.
"We are proposing to clarify in the GDPR that organizations may rely on legitimate interests to process personal data for AI-related purposes, provided they fully comply with all existing GDPR safeguards," said McGrath.
In the advertising technology space, the reform would also include a sea change in cookie banners "to make sure users can express real choices" by being able to "accept or refuse cookies now with one click. Organizations will need to respect users choices for six months."
For cybersecurity protection, the package proposes a single portal for organizations to provide notification of a data breach. This "single-entry point" will be "developed with robust security safeguards and undergo comprehensive testing to ensure its reliability and effectiveness." Currently, organizations have incident-reporting obligations under several regulations, including the GDPR, NIS2 Directive and the Digital Operational Resilience Act.
Proposed changes to the AI Act
The EU's world-first AI regulation is also facing several changes, notably the timelines for entry into application of the high-risk processing, which was slated to go into effect in August 2026.
Virkkunen noted the standards for implementation are behind schedule. Once the Commission confirms the needed standards and "support tools" are available, organizations will have six months to reach compliance. She said the extension will be capped at December 2027.
The AI Act also faces a number of targeted amendments, including simplifications for small and medium-sized enterprises and small mid cap companies in the form of pared back technical documentation requirements. Other measures involve sandboxes for real-world testing and to "reinforce the AI Office's powers and centralise oversight of AI systems built on general-purpose AI models, reducing governance fragmentation."
Data access and the Data Act
The package also includes provisions to improves access to data to help innovation by "consolidating four pieces of legislation into one for enhanced legal certainty." This also includes "targeted exemptions" the Data Act's cloud-switching rules for SMEs and SMCs, new guidance on Data Act compliance via "model contractual terms for data access and use, and standard contractual clauses for cloud computing contracts," and "unlocking access to high-quality and fresh datasets for AI."
Differences from the leaked proposal
Wednesday's proposals parallel somewhat closely to an earlier leaked draft proposal. However, one controversial provision that is not included in Wednesday's proposal involved special category data.
The earlier leaked version, which was summed up by Bird & Bird Partner Ruth Boardman, included a more targeted approach to special category data with more exemptions. According to Boardman's assessment of the previous leaked draft, "Data would only qualify as special category data if it 'directly revealed' information about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual activity - marking a step back from the broader inference-based rule set out by the CJEU in its Lindenapotheke ruling."
EDPB Chair Anu Talus said in a forthcoming IAPP podcast interview this week that changes to the special categories provision would be "concerning" and may go too far.
Stakeholder reaction is strong
In a column widely published in various EU media outlets and on LinkedIn, former European Commissioner Thierry Breton warned against backing down from protecting the EU’s digital market.
“We can’t let ourselves be intimidated," he wrote a day before the official release. "We should resist any attempt to unravel these laws, through 'omnibus' bills or otherwise, mere months after they have entered into force, under the pretext of simplification or remedying an alleged 'anti-innovation' bias. No one is fooled over the transatlantic origin of these attempts. So let’s not be useful idiots. The second expression of our digital sovereignty must involve protecting, at all costs, the integrity of our digital legal pillars, including at the geopolitical level.”
NOYB's Max Schrems said the proposal "massively lowers protections for Europeans" and that they are "a gift to US Big Tech as they open up many loopholes for the law departments to exploit."
Schrems added that it is "the biggest attack on Europeans' digital rights in years."
On the other side of the spectrum, the Computer and Communications Industry Association said the amendments require "bolder action." Though the organization said the package "is a welcome step towards simplifying the EU's complex regulatory landscape," its "narrow focus - mainly limited to AI, cybersecurity, data rules and privacy - means further and bolder action is still needed."
What's next?
Both omnibus packages now have a long road ahead as they enter into the trilogue process with the European Parliament and European Council. It is expected to take at least several months until negotiations are finalized.
Jedidiah Bracy is the the editorial director for the IAPP.
