Omnibus reform: What companies need to know for GDPR compliance

A long-standing debate in the corridors of Brussels, the reform of the General Data Protection Regulation (GDPR) now seems to be taking shape. Indeed, an initial version of the “Digital Omnibus” legislative package recently leaked online, outlining what appears to be a major reform.
Why now? What concrete changes are being considered? This guide provides the key points to understand what is at stake.

Why a GDPR reform now?

The Commission identifies three main issues:

• The disproportionate cost of GDPR compliance, particularly for SMEs;
• The inadequacy of the text in relation to new uses of Artificial Intelligence (AI);
• The legislative complexity created by parallel regulations, notably the AI Act and the Data Act.

The proposed amendments therefore aim to make the GDPR simpler, less burdensome, and better suited to technological developments.

In response, several digital rights organisations denounce what they see as a deregulatory effort that would undermine hard-won protections against tech giants.

So, is this a welcome simplification—or a weakening of fundamental safeguards?

Key proposed changes

Personal data: a matter of perspective?

The draft introduces a relativistic approach to identifiability: data would be considered personal only if the entity processing it has the “reasonably likely” means to identify the individual.

Thus, the possibility that a subsequent recipient could re-identify the individual would no longer be enough to classify the data as personal. This is a major shift—one that would limit GDPR applicability to very narrow scenarios and significantly reduce protection for individuals.

As a result, data such as cookies or advertising IDs could fall outside the scope of the GDPR for certain actors, contradicting the settled case law of the Court of Justice of the European Union (CJEU).

Sensitive data: restricted to the bare minimum

Under the new definition, data would be considered “special categories” only if the protected characteristic (health, sexual orientation, political opinion, etc.) is directly revealed. Data enabling inference of such characteristics—without naming them explicitly—could be used more freely.

For example:

• deducing a health condition from online purchases,
• or political opinions from online posts,
  would no longer trigger the GDPR’s heightened protections.

Once again, this constitutes a significant rewriting of the GDPR, diverging from Council of Europe standards and CJEU case law.

Cookies and consent: the end of consent banners?

The Commission proposes merging e-privacy rules into the GDPR, broadly relaxing consent requirements, and automating preference management through browsers or operating systems.

On the one hand, current cookie rules—now applied inconsistently across Member States—would be harmonised at the EU level.

On the other hand:

• certain trackers, particularly for statistical or security purposes, would be fully exempt from consent;
• other trackers—for example, marketing ones—could rely on any legal basis under the GDPR, including legitimate interest.

Finally, opt-in and opt-out would have to be configured via the browser or operating system, reducing reliance on banners and mitigating “cookie fatigue.”

Consequently, we may see more consistent rules across Europe and a progressive disappearance of cookie banners—alongside a likely resurgence of trackers with far less transparency and oversight regarding their purposes.

AI training and use: far easier than before

In the field of artificial intelligence, the reform would allow the processing of personal data by AI systems without explicit consent, relying instead on “legitimate interest.”

This legal basis would apply to any “development” or “operation” of an AI system, regardless of its purpose. This tool-based rather than purpose-based approach represents a major departure from the GDPR logic: could simply choosing an AI system over an Excel spreadsheet allow a controller to rely on legitimate interest where consent would otherwise be required?

Although the article mentions minimal safeguards—necessity, minimisation, transparency, right to object—their practical implementation raises many questions:

• Is it realistic to inform data subjects if the system is trained on unstructured data with no contact details?
• How can data minimisation be justified when models are trained on massive, systematic datasets?
• How can access or erasure rights be guaranteed when current AI systems offer no technical means to ensure them?

Thus, while the simplification effort is welcome, many questions and inconsistencies must still be resolved to ensure legal certainty for organisations.

Conclusion

The GDPR reform appears to mark a strategic shift: more flexibility for businesses, but potentially at the cost of weakened fundamental rights.

However, it would be premature to draw immediate practical conclusions. The document will not be officially presented until 19 November, after which negotiations will take place between the European Parliament and the Council.

In the meantime, DPOs must continue to ensure compliance with current rules while preparing for a smooth transition once the reform is adopted.

References

[1] European Commission proposal (English)
[2] “None of Your Business” article summarising the Commission’s proposal
[3] CJEU, Breyer (C-582/14) … ; CJEU, IAB Europe (C-604/22) …
[4] Wikipedia, Facebook–Cambridge Analytica scandal
[5] Council of Europe, Convention 108, Article 6
[6] CJEU, OT (C-184/20) …