EU Commission Digital Omnibus streamlines GDPR, ePrivacy and AI Act rules
19/11/2025 | European Commission
On Wednesday, 19 November, the European Commission unveiled its new digital package, including a Digital Omnibus designed to ease the regulatory burden on the European economy by simplifying existing rules on artificial intelligence (AI), cybersecurity, and data.
To ensure innovation-friendly AI rules, the Commission proposes to link the application of high-risk AI system rules to the availability of necessary standards and support tools. The timeline for applying these rules will be adjusted to a maximum of 16 months. Targeted amendments to the Artificial Intelligence Act (AI Act) will extend simplified rules on technical documentation to SMEs and SMCs, potentially saving €225 million per year. The package also broadens compliance measures, allowing more organisations to use regulatory sandboxes, and reinforces the AI Office's powers to centralise oversight of general-purpose AI models, thereby reducing governance fragmentation.
On cybersecurity, the omnibus introduces a single entry point for companies to meet all incident-reporting obligations, consolidating requirements under the EU General Data Protection Regulation (GDPR), the NIS2 Directive, and the Digital Operational Resilience Act (DORA).
Targeted amendments to the GDPR aim to harmonise, clarify, and simplify specific rules to support compliance and boost innovation while maintaining the core of the regulation. A LinkedIn post by data protection specialist Robert Bateman provides a summary of the key changes.
The amendments also seek to modernise cookie rules by reducing the frequency of banner notifications and allowing users to give consent with a single click or through central preference settings in browsers and operating systems.
Finally, the package aims to improve access to data as a driver of innovation. It consolidates EU data rules by merging four pieces of legislation into the Data Act for enhanced legal clarity.
In a statement responding to the announcement, Executive Vice-President Henna Virkkunen made a point of stating that "simplification does not mean softening our safeguards. We stand firmly behind our high standards for privacy, fairness and security.
"Because EU regulation is a trustmark for businesses. We are the one place on the planet that has framed the rules of the game in this way, to protect our values and fundamental rights.
"However, regulation alone is not enough. We must move from rulemaking to innovation-building. Our rules should not be a burden, but an added value."
On the GDPR, Commissioner Michael McGrath emphasised the words "targeted" and "amendments" rather than a full reopening of the GDPR. He went on to say that the "proposed changes are based on continuous dialogue with stakeholders during this last year," and also reflect "significant judgments from the Court of Justice of the European Union as well as opinions from the European Data Protection Board."
However, not all stakeholder feedback was positive. A press release by European Digital Rights (EDRi) called the plans "a major rollback of EU digital protections." Meanwhile, a statement by NOYB described the package as "the biggest attack on Europeans' digital rights in years. When the Commission states that it 'maintains the highest standards', it clearly is incorrect. It proposes to undermine these standards."
Ahead of its more detailed analysis, NOYB has published a video of its first analysis of the Omnibus.