Omnibus reform: What companies need to know for GDPR compliance

DPO Consulting
This is some text inside of a div block.
November 21, 2025

Table of contents

Example H2

A long-standing debate in the corridors of Brussels, the reform of the General Data Protection Regulation (GDPR) now seems to be taking shape. Indeed, an initial version of the “Digital Omnibus” legislative package recently leaked online, outlining what appears to be a major reform.
Why now? What concrete changes are being considered? This guide provides the key points to understand what is at stake.

Why a GDPR reform now?

The Commission identifies three main issues:

  • The disproportionate cost of GDPR compliance, particularly for SMEs;
  • The inadequacy of the text in relation to new uses of Artificial Intelligence (AI);
  • The legislative complexity created by parallel regulations, notably the AI Act and the Data Act.

The proposed amendments therefore aim to make the GDPR simpler, less burdensome, and better suited to technological developments.

In response, several digital rights organisations denounce what they see as a deregulatory effort that would undermine hard-won protections against tech giants.

So, is this a welcome simplification—or a weakening of fundamental safeguards?

Key proposed changes

Personal data: a matter of perspective?

The draft introduces a relativistic approach to identifiability: data would be considered personal only if the entity processing it has the “reasonably likely” means to identify the individual.

Thus, the possibility that a subsequent recipient could re-identify the individual would no longer be enough to classify the data as personal. This is a major shift—one that would limit GDPR applicability to very narrow scenarios and significantly reduce protection for individuals.

As a result, data such as cookies or advertising IDs could fall outside the scope of the GDPR for certain actors, contradicting the settled case law of the Court of Justice of the European Union (CJEU).

Sensitive data: restricted to the bare minimum

Under the new definition, data would be considered “special categories” only if the protected characteristic (health, sexual orientation, political opinion, etc.) is directly revealed. Data enabling inference of such characteristics—without naming them explicitly—could be used more freely.

For example:

  • deducing a health condition from online purchases,
  • or political opinions from online posts,
    would no longer trigger the GDPR’s heightened protections.

Once again, this constitutes a significant rewriting of the GDPR, diverging from Council of Europe standards and CJEU case law.

Cookies and consent: the end of consent banners?

The Commission proposes merging e-privacy rules into the GDPR, broadly relaxing consent requirements, and automating preference management through browsers or operating systems.

On the one hand, current cookie rules—now applied inconsistently across Member States—would be harmonised at the EU level.

On the other hand:

  • certain trackers, particularly for statistical or security purposes, would be fully exempt from consent;
  • other trackers—for example, marketing ones—could rely on any legal basis under the GDPR, including legitimate interest.

Finally, opt-in and opt-out would have to be configured via the browser or operating system, reducing reliance on banners and mitigating “cookie fatigue.”

Consequently, we may see more consistent rules across Europe and a progressive disappearance of cookie banners—alongside a likely resurgence of trackers with far less transparency and oversight regarding their purposes.

AI training and use: far easier than before

In the field of artificial intelligence, the reform would allow the processing of personal data by AI systems without explicit consent, relying instead on “legitimate interest.”

This legal basis would apply to any “development” or “operation” of an AI system, regardless of its purpose. This tool-based rather than purpose-based approach represents a major departure from the GDPR logic: could simply choosing an AI system over an Excel spreadsheet allow a controller to rely on legitimate interest where consent would otherwise be required?

Although the article mentions minimal safeguards—necessity, minimisation, transparency, right to object—their practical implementation raises many questions:

  • Is it realistic to inform data subjects if the system is trained on unstructured data with no contact details?
  • How can data minimisation be justified when models are trained on massive, systematic datasets?
  • How can access or erasure rights be guaranteed when current AI systems offer no technical means to ensure them?

Thus, while the simplification effort is welcome, many questions and inconsistencies must still be resolved to ensure legal certainty for organisations.

Conclusion

The GDPR reform appears to mark a strategic shift: more flexibility for businesses, but potentially at the cost of weakened fundamental rights.

However, it would be premature to draw immediate practical conclusions. The document will not be officially presented until 19 November, after which negotiations will take place between the European Parliament and the Council.

In the meantime, DPOs must continue to ensure compliance with current rules while preparing for a smooth transition once the reform is adopted.

References

[1] European Commission proposal (English)
[2] “None of Your Business” article summarising the Commission’s proposal
[3] CJEU, Breyer (C-582/14) … ; CJEU, IAB Europe (C-604/22) …
[4] Wikipedia, Facebook–Cambridge Analytica scandal
[5] Council of Europe, Convention 108, Article 6
[6] CJEU, OT (C-184/20) …

Read this next

See all

CNIL 2026 Priorities: Key GDPR Compliance Areas Organizations Must Anticipate

Each year, the CNIL defines priority areas representing around 20% of its inspections. For 2026, three major topics have been identified, find out which ones.

Read more

The AI Act Delay: What Businesses Really Need to Know

The European Parliament has proposed pushing back the AI Act's high-risk AI rules to December 2027 and August 2028. What obligations still apply now? How should you prepare?

Read more

European Health Data Space (EHDS): Opportunities, Challenges and GDPR Compliance

In the era of personalized medicine and digital transformation, health data has become a major strategic resource but also one of the most sensitive under European law.

Read more
Stay up to date on all the latest data privacy and GDPR compliance news.
Your email address will be used to send you our newsletter as well as information concerning the activity and news of DPO Consulting. You can unsubscribe at any time by clicking on the unsubscribe link in the emails. To find out more about your rights, see our Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
About us
Our expertise
myDPO
Contact us
contact@dpo-consulting.com
+33 (0)1 55 06 16 86
50, Avenue des Champs-Elysées, 75008, Paris, France
Outsourced DPOInternational DPODPO AssistanceEU RepresentativeUK RepresentativeData privacy training
Clinical Trial ComplianceGDPR Compliance auditPrivacy Impact Assessments (PIA)Digital transformationMulti regulatory complianceUK GDPR, UK DPA, & DUAA
Cybersecurity Compliance
CISO as a serviceCybersecurity maturity assessmentProject support
AI Act Compliance
AI Maturity assessmentAI Act training
DPO Consulting © 2026 All Rights Reserved |
Terms of Use
|
Privacy Policy
|
Cookie Policy
|
Legal Notice
Let’s create an experience as remarkable as your business
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Main pages
CMS Pages
Utility
Templates
hi@byq.studio
@byqstudio
+1 600 600 000