The European Commission has proposed a new Digital Omnibus regulation that would revise EU rules on data protection, artificial intelligence, and cookies. The draft originates in Brussels and targets organizations that process personal data or deploy AI systems across the European Union.
Key Details on the EU Digital Omnibus Proposal
The Digital Omnibus package would amend parts of the General Data Protection Regulation and the EU AI Act. It would also adjust consent requirements under EU rules governing electronic communications and online tracking technologies. The proposal remains at the legislative draft stage and is not yet law.
Key measures in the current draft include:
- Extending the application date of certain high-risk AI obligations from August 2026 to December 2027.
- Reducing documentation and reporting requirements for specified AI systems, while concentrating more supervisory tasks in the EU AI Office.
- Clarifying when information is considered anonymous or pseudonymous, affecting how organizations share and reuse datasets.
- Introducing conditions for processing personal data in AI training, allowing legal bases other than explicit consent in some cases.
- Changing cookie consent rules so that some low-risk uses would not require individual banner prompts.
The proposal would also encourage standardized, machine-readable privacy signals from browsers or devices. Once relevant standards are recognized, websites would need to respect such signals as an expression of user choice.
The regulation would apply directly in all EU member states once adopted and in force. National data protection authorities and the planned EU AI Office would oversee compliance within their respective mandates.
Background Context on GDPR, the AI Act, and Cookie Rules
The General Data Protection Regulation (GDPR) has applied across the European Union since May 2018. It sets rules for how organizations collect, process, and store personal data of individuals in the EU. GDPR works alongside national laws implementing the ePrivacy Directive, which regulates cookies and similar tracking tools.
The EU AI Act establishes a risk-based framework for artificial intelligence systems deployed in the European market. The European Parliament approved the Act in March 2024, followed by formal adoption by the Council in May 2024. The regulation introduces duties for providers and users of high-risk AI, with staggered compliance deadlines.
Existing EU cookie rules generally require user consent before most information is stored or accessed on a device. This approach has led to frequent consent banners across websites targeting EU users. The Digital Omnibus proposal identifies categories of cookies that would not require individual consent banners.
Source Citations and Stakeholder Responses
The European Commission outlined the Digital Omnibus initiative on its official Digital Strategy portal. The published material includes the draft regulation text and documents describing proposed amendments to existing legislation.
Privacy group noyb has released a public statement criticizing the Digital Omnibus proposal's changes to GDPR concepts of personal data. The group argues that the new wording would weaken protections by relying on controllers' stated capabilities. Noyb's statement describes a conflict between the proposal and earlier interpretations by data protection authorities.
.svg)
.svg)
.svg)