Faegre Drinker Biddle & Reath LLP, a Delaware limited liability partnership | This website contains attorney advertising.
December 04, 2025

European Union’s Digital Omnibus Package, Part II — Changes to the GDPR and the Data Act

Key Changes Relevant to U.S. Businesses

At a Glance

  • The scope of what is considered to be personal data under the GDPR will be reduced.
  • The proposals potentially limit the right to access data to instances where this is requested for data protection purposes, rather than collateral purposes such as bringing employment law claims.
  • The proposals relax restrictions on the use of solely automated decisions and give greater flexibility for data controllers.
  • The breach reporting deadline will be extended from 72 to 96 hours, giving a more reasonable timeframe for responding, and reports will be made through new streamlined reporting procedures. Only those breaches which are considered to be a “high risk” to individuals’ rights and freedoms will be reportable.
  • Website users will be able to accept or refuse cookies with one click, and their choice must be respected for six months without a repeat request for consent.
  • Under the Data Act, data holders will have the explicit right to refuse to disclose trade secrets if they determine there is a high risk of unlawful use or disclosure to third countries with lower standards of data protection.
  • The legislative package enters trilogue negotiation with the European Parliament and Council. Further amendments are likely as it goes through the process of debate and review.

On 19 November 2025, the European Commission published its much anticipated “Digital Omnibus” of legal reforms with respect to artificial intelligence (covered in our previous alert, The European Union’s Digital Omnibus and Its Impact on Artificial Intelligence), cybersecurity, and data, alongside a Data Union Strategy covering data use in AI, and the introduction of European Business Wallets, which will streamline data into a single digital identity. We summarise below the key changes relevant to U.S. businesses relating to the General Data Protection Regulation (GDPR), ePrivacy Directive, Network and Information Security 2 (NIS2) Directive, and Data Act.

GDPR

Definition of Personal Data

The scope of what is considered to be personal data under the GDPR will be reduced. The proposal will amend the GDPR’s rules so that they may no longer apply to pseudonymised data (data which can only be fully read with further information, such as a key, that is kept separately) where the holder of the data does not have the means reasonably likely to identify an individual. The Commission (in consultation with the European Data Protection Board) will assess the state of current technology and develop criteria for controllers and recipients to assess the risks of re-identification.

This provides helpful clarification for industries (including health care, life sciences and financial services) which rely on pseudonymised data sets. While this simplifies matters for many businesses, privacy activists have raised concerns that it risks removing GDPR protection from much of online tracking, advertising and data brokerage, and it is likely to be challenged.

Scientific Research

A new definition of scientific research will be introduced which covers “any research which can also support innovation, such as technological development and demonstration” and includes requirements that it “contribute to existing scientific knowledge or apply existing knowledge in novel ways, be carried out with the aim of contributing to the growth of society’s general knowledge and wellbeing and adhere to ethical standards in the relevant research area.” The proposal also expands the scope for lawful processing. Further processing of collected personal data for scientific purposes will be compatible with the initial purpose of processing and may constitute a legitimate interest if the standard balancing tests are met and the research is not contrary to EU law.

Data Subject Rights and DSARs

The proposals potentially limit the right to access, delete or correct data to instances where this is requested for data protection purposes, rather than collateral purposes such as bringing employment law claims. For example, employers may be able to refuse Data Subject Access Requests (DSARs) which have been submitted in order to elicit more information from a current or former employer, or purely to frustrate the employment tribunal process. This has been a longtime criticism from employers, who often have to expend significant resources reviewing large amounts of data to respond to DSARs which are not strictly related to protecting the privacy of the individuals involved.

Automated Decision Making

The proposals relax restrictions on the use of solely automated decisions with a legal or similarly significant effect on an individual for the purposes of entering into contracts with individuals. Such automated decisions can now be considered “necessary” even in circumstances where the decision could have been taken in whole or in part by a person. This will give companies greater flexibility to use automated decisions and is in tune with the increased use of automation.

Privacy Notice Requirements

There will be some reduction in the requirements to provide data subjects with information about the processing of their personal data in limited circumstances where: the data is obtained directly from the data subject, it is reasonable to assume the data subject already has this information, and the controller’s activity is not considered to be data intensive. This will help to reduce some of the administrative burden on controllers, although where the controller is carrying out any automated processing (including profiling), transferring the data, or the processing is considered high risk, then this information exemption will not apply.

Breach Notification

The breach reporting deadline will be extended from 72 to 96 hours to give a more reasonable timeframe for responding. Reports will also be submitted to a new “single entry point” once this has been established (rather than multiple regimes), as discussed with respect to the broader cybersecurity reporting changes below.

Importantly, the threshold for reporting incidents will be raised. Only those breaches which are considered to be a “high risk” to individuals’ rights and freedoms will be reportable to supervisory authorities. This effectively raises the threshold for notifying regulators to the same standard as that which currently applies to notifications made to data subjects. The European Data Protection Board will be required to produce a list of circumstances considered likely to meet this threshold, to provide greater certainty to organisations when considering whether a notification is required. This may help reduce some difficult judgment calls which data controllers have to make in very tight timeframes.

GDPR and ePrivacy Directive

Cookies and Automated and Machine-Readable Consents

The proposed (and much delayed) ePrivacy Regulation is to be folded into the GDPR, effectively moving cookie regulation from a separate law into the general privacy framework.

Users will be able to accept or refuse cookies with one click, and their choice must be respected for six months without a repeat request for consent being made by the controller. This is intended to reduce banner fatigue and make for a more seamless experience for European consumers and businesses (and U.S. and global businesses which have aligned with European standards). With a few exceptions, data subjects must be given the option to give (or refuse) consent through automated and machine-readable means meeting standards that will be set by the Commission.

Alongside these changes, the proposal allows companies to collect some data initially without seeking consent, either for a “low-risk” use as set out in a defined list, or for their legitimate interests. Some concerns have been raised that this reduces protections, particularly as it now looks more like an opt-out than an opt-in system, in which users must actively request that companies stop tracking their data. For businesses, this is a welcome change which should alleviate an unnecessary compliance burden for certain processing activities.

Cybersecurity Reporting (Including NIS2)

The current cybersecurity incident reporting rules under the GDPR, NIS2 and the Digital Operational Resilience Act (DORA) are fragmented, with different thresholds, timescales and notification procedures. A single entry point will be introduced through which companies can meet all of their incident-reporting obligations. This is intended to reduce administrative burdens and to spare organisations from making multiple (and often duplicative) submissions relating to a single incident in order to satisfy the various pieces of legislation.

The European Union Agency for Cybersecurity (ENISA) will establish and maintain this single-entry notification point, and the European Data Protection Board (EDPB) will also be required to produce templates for incident reporting.

Data Act and the Data Governance Act

Consolidation of Data Laws

To simplify the regulatory landscape, the broad range of recent legislation relating to data (the Data Governance Act, Free Flow of Non-personal Data Regulation, and Open Data Directive) will be merged into the Data Act.

Exemptions and Market Access

As set out in our earlier alert, the Data Act introduces rights for customers to switch their data hosting services from one provider to another. Simplified cloud-switching obligations will apply to small and medium-sized enterprises (SMEs) and small mid-cap enterprises (SMCs), and to bespoke cloud services (custom-developed or significantly adapted) under contracts concluded before 12 September 2025. Cloud providers will be able to include proportionate early termination penalties in fixed-term contracts, provided these do not constitute an obstacle to switching.

Trade Secrets and Government Data

Another key change introduced by the Data Act, summarised in our previous alert, is a requirement for data holders to share both personal and non-personal data in specified circumstances. This has caused significant concern among data holders, including device manufacturers, that they will be compelled to share data which compromises their trade secrets. Data holders will now have the explicit right to refuse to disclose trade secrets if they determine there is a high risk of unlawful use or disclosure to third countries with lower standards of protection for data. This had been raised as a particular concern by many manufacturers of internet of things (IoT) products, and it expands the permitted restrictions already in place, which we discussed in our client alert summarising the impact of the Data Act on IoT products. Similarly, the requirement to share business data with public authorities will be significantly limited so that it applies, in a proportionate manner, only to public emergencies as separately defined under EU law.

Contractual Terms and Smart Contracts

The Data Act mandates a range of contractual provisions which businesses have been struggling to implement. To assist with compliance, the Commission has now published model contractual terms on data access and use and standard contractual clauses for cloud computing contracts which relate to data sharing and cloud-switching, respectively.

Separately, the provisions setting out essential requirements for smart contracts, which had been an attempt to future-proof the automation of data sharing, will be repealed.

Benefits and Concerns

The European Commission has sought to address concerns that, in an increasingly complex global competitive environment, it is overregulating in the data sector and thereby hampering business in the EU.

There has already been significant criticism from privacy activists, in particular that the proposals risk watering down the existing protections under the GDPR. Similarly, there are concerns that some of the changes giving expanded exemptions and data access will disproportionately favour Big Tech, even with the targeted simplifications and exemptions drawn up to benefit SMEs and SMCs. It is ultimately the largest platforms that have the existing data scale and internal compliance teams to take advantage of these developments.

Next Steps

The legislative package enters trilogue negotiation with the European Parliament and Council. Further amendments are likely as it goes through the process of debate and review. The Commission will also conduct a Digital Fitness Check to assess cumulative regulatory impact, which will feed into this process.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.