The main changes and implications
The Digital Omnibus introduces several changes to existing legislation. Here, we discuss some key points that are likely to be most relevant for businesses:
• Limiting the definition of “personal data”
Under the Digital Omnibus, information is no longer considered personal data when an organisation does not have “means that can reasonably be used” to identify an individual. As a result, the same data may count as personal data at one company but not at another. It also potentially allows for the use of pseudonymised personal data and ID numbers in the near future without the full GDPR (AVG) applying.
• AI development
The processing of personal data for the development and use of AI systems may be based on legitimate interest. This gives companies more freedom to use data for training models, without depending on data subjects’ consent or contract performance. Furthermore, companies may get more leeway to use sensitive personal data (e.g. health data) for training AI systems, provided appropriate safeguards are applied. This proposed relaxation should help organisations detect and correct bias in AI systems.
Finally, the rules on the use of high-risk AI, such as systems for biometric identification, law enforcement and access to education or employment, which were originally supposed to apply from August 2026, will be delayed.
• Cookies
Currently, consent to cookies is sought via pop-up banners, which are often complex and difficult to understand. At the same time, online providers incur significant costs to develop compliant banners.
The complexity is compounded by the fact that Article 5(3) of the ePrivacy Directive applies to the setting of cookies, while the subsequent processing of personal data is governed by the GDPR (AVG).
To simplify this overlap, the European Commission proposes that the processing of personal data on and from terminal equipment (e.g. a laptop or phone) should be governed solely by the GDPR. In doing so, the requirement for consent when accessing terminal equipment will remain, but there will be exceptions for low-risk purposes or when the placement of technologies is necessary for a service requested by the user.
Criticism of the Digital Omnibus
While the Digital Omnibus creates opportunities for businesses, there is also strong criticism. Civil society organisations fear that the proposals will come at the expense of citizens’ privacy. According to the Austrian organisation NOYB, led by privacy lawyer Max Schrems, this is “the biggest attack on Europeans’ digital rights in years and a gift to US Big Tech companies”. MP Barbara Kathmann, of GroenLinks-PvdA, has also raised parliamentary questions titled “Demolishing privacy protection in new European Omnibus legislation”. In addition, the Personal Data Authority (AP) has warned that changes to fundamental rules such as the GDPR (AVG) and AI regulation should not be rushed, that legal certainty must be maintained and that innovation can only go hand in hand with clear safeguards for privacy and autonomy.
Next steps
The proposals are currently under discussion in the European Parliament and the Council. The final text is not yet fixed and will depend on intensive negotiations. Thus, the process may still yield significant changes. Lexence is closely following these developments. Do you have any questions or want to know more about the potential impact of the Digital Omnibus on your organisation? Feel free to contact Heleen Kleinjan and Veerle van den Boomen.