Importantly, the proposal does not seek to “re-open” the GDPR as a whole. Instead, it focuses on specific areas where the Commission considers that compliance costs are high, enforcement is fragmented, and the user experience has degraded. This is why the proposal combines a series of targeted reforms across core GDPR concepts and daily compliance obligations, including the regulatory approach to tracking technologies, transparency requirements, incident reporting, and areas increasingly shaped by new technologies such as AI.
This article is the first in a series in which we take a closer look at the Digital Omnibus Proposal, following the high-level introduction set out in our pilot article. Across the series, we will explore the proposed changes in more detail and assess their practical implications for organisations.
Below, we set out the most relevant changes for organisations and what these changes may mean in practice.
Conclusion
The Digital Omnibus Proposal does not change the fundamentals of GDPR compliance, but it introduces meaningful operational and conceptual shifts in areas where compliance has been most burdensome, fragmented or uncertain, for example with respect to cookie consent, data breach reporting and certain AI-related processing activities.
For organisations, the proposal’s clearest message is that the EU is moving toward:
- Fewer consent prompts but more meaningful and enforceable consent choices.
- More standardisation and automation in consent and compliance mechanisms.
- Closer alignment between privacy, cybersecurity and emerging technology regulation.
For compliance officers, this means a very busy next compliance review cycle.
This article is the second in our Digital Omnibus Proposal series. Stay tuned for the next publication, in which we will focus on the proposal’s targeted adjustments to the AI Act and their implications for organisations developing and deploying AI systems.