GDPR and ePrivacy

The Omnibus Package proposes targeted amendments to the GDPR, some of which aim to merely clarify the existing obligations and respond to criticism from stakeholders about the impact of the GDPR on businesses, whilst preserving the same level of data protection. Examples of some of the changes include:

Updated definition of personal data

The Omnibus Package adds language to the definition of personal data that clarifies that information should not be considered personal data if an entity cannot identify the natural person, taking into account means reasonably likely to be used by that entity. While it appears that the Commission is attempting to align the definition with recent CJEU decisions, the practical impact of this change will depend on how the definition is interpreted by supervisory authorities. It appears unlikely that this change will bring substantial amounts of processing outside of the scope of the GDPR in practice.

Special category data

Two additional exceptions to the prohibition on processing special category personal data in Article 9 are proposed: (a) processing for the development and operation of an AI system, subject to fulfilment of certain conditions; and (b) processing of biometric data to verify an individual’s identity where the means of verification are solely under the control of the data subject. While a leaked version of the Omnibus Package suggested that the prohibition on processing special category data under Article 9 of the GDPR would only apply to personal data that “directly reveals” one of the listed characteristics (e.g., racial or ethnic origin, political opinion, health status, etc.), this has been dropped in the final proposal.

Data subject requests

The Omnibus Package introduces amendments to Article 12(5) and changes to the right of access, which aim to avoid the right being abused by data subjects. For example, controllers may charge a fee or reject data subject access requests (“DSAR”) where the data subject “abuses the rights conferred by this regulation for purposes other than the protection of their data”.

The practical impact of this change is speculative at this stage. Based on the current drafting, the request must still be “manifestly unfounded or excessive” with the controller bearing the burden of demonstrating this. While this has traditionally been a very high bar to meet, the Omnibus Package introduces a recital that aims to reduce this threshold by stating that controllers only need to establish the excessive / abusive nature of a request to a “reasonable level”. Despite this, the exemption would only kick in when there is an “abuse” of the right and the examples provided in the recital suggest a narrow interpretation of “abuse”. The examples given include requests that are made purely to allow the data subject to bring a claim for damages, to cause harm or damage to the controller, or where a data subject makes a request but simultaneously offers to withdraw the request in return for a benefit. The mere fact that a data subject has another purpose (e.g., ongoing litigation) when making the DSAR seems unlikely to attract the application of this exception. In most cases, and absent robust evidence to the contrary, the likelihood that a supervisory authority would broadly apply this new exception appears low.

The Omnibus Package also aims to lower the threshold for determining when a DSAR is considered “excessive”, which will include situations such as abusive behaviour by a data subject, or requests that are overly broad and lack specificity.

Transparency exemption

There appears to be an attempt to reduce the transparency burden on controllers where there is a “clear and circumscribed relationship between data subjects and a controller”. This exemption would apply where the controller is not engaging in a data-intensive activity and where the controller can reasonably assume that the data subject is aware of the identity of the controller, their contact details, the purposes of the processing and the legal basis. Examples given in the Omnibus Package include the field of employment, a craftsman and their clients or associates, and sports clubs where the data is limited to the minimum data necessary to provide the services. This exception will not apply where data is shared with other recipients of the personal data, where there are international transfers, where there is automated decision making or where the processing is high risk, which may render this exception of very limited value in practice (given the ubiquity of international transfers and sharing of personal data in the modern economy).

Single entry point

The Omnibus Package seeks to establish a single-entry point for incident reporting that will enable organisations to submit incident notifications on a single, unified platform. This is intended to apply to the Network and Information Systems Directive 2 (“NIS2”), the GDPR, the Digital Operational Resilience Act (“DORA”), the Digital Identity Framework and the Critical Entities Resilience Directive. If passed, the single-entry point would simplify and streamline the myriad of incident reporting obligations that entities are expected to comply with. It would also reduce the administrative burden on organisations that are subject to several of the legislative frameworks to which the single-entry point would apply.

Personal data breaches

The Omnibus Package increases the threshold for reporting of personal data breaches to supervisory authorities to breaches that are “likely to result in a high risk to the rights and freedoms of natural person”, aligning the reporting requirements with the threshold at which a notification must be made to affected data subjects. The timeframe for reporting a breach is also proposed to increase to 96 hours. This is one of the more impactful proposed changes in the Omnibus Package. The change would reduce the volume of personal data breach reports and ease the burden on organisations and supervisory authorities in the event of a breach. Provision is made for the introduction of a common template for notifying personal data breaches that would consolidate the reporting template across all supervisory authorities. This would streamline the reporting structure for organisations that operate across the EU and may be required to report a personal data breach in more than one jurisdiction.

Research

Certain processing activities that are in the public interest (including scientific research or statistical purposes) will be easier to conduct under the Omnibus Package. For example, the proposal states that processing for such purposes is a compatible further purpose under Article 5(1)(b) and does not require an assessment under Article 6(4). A limited exception to the transparency obligations for such processing is also proposed. Notably, the new definition of “scientific research” does not exclude research that may also aim to further a commercial interest, greatly expanding the scope of application of these exemptions. If these changes are adopted in the final text, businesses engaging in such activities will need to review the amended provisions carefully to ensure their activities are captured and they can benefit from these exceptions.

EDPB Publications

The Omnibus Package requires the EDPB to prepare and publish: (a) a list of situations where data protection impact assessments (“DPIAs”) are required; (b) a template DPIA; and (c) a list of circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of a natural person. This would be a helpful development, giving controllers proactive guidance from the EDPB on the standard expected in DPIAs.

Cookie rules

In a long-awaited amendment to the ePrivacy Directive, the Omnibus Package will update the ePrivacy rules – commonly referred to as the ‘cookie rules’ – and incorporate them into the GDPR, insofar as they relate to personal data. As one example, the Omnibus Package seeks to overhaul cookie consent rules by providing four defined scenarios where the storing of personal data, or accessing personal data already stored on terminal equipment (e.g., via cookies or other technologies), and its subsequent processing may be carried out without consent: (i) carrying out the transmission of an electronic communication; (ii) providing a service explicitly requested by the data subject; (iii) creating aggregated information about the usage of an online service to measure the audience, where this is carried out by the controller solely for its own use; and (iv) maintaining or restoring the security for the controller’s service requested by the data subject. The process for obtaining consent from data subjects will also be streamlined to make it easier for data subjects to manage their consent preferences. If the cookie rules are incorporated into the GDPR, the rules would fall within the one-stop-shop in the GDPR and the DPC’s enforcement powers for breaches of the cookie rules would be aligned with the GDPR, allowing the DPC to impose significant fines.

AI development and operation

A new article is proposed to be inserted into the GDPR that would allow controllers to rely on the legal basis of legitimate interests where the processing is necessary in the context of the development and operation of an AI system, except where other EU or national laws require consent and where the legitimate interests are overridden by the interests, rights and freedoms of the data subject.[1] While helpful to an extent, the proposal does not appear to alleviate the obligation of controllers to conduct a balancing assessment and, on a narrow reading, this new article simply notes that AI development and operation constitutes a legitimate interest in the first step of the assessment of Article 6(1)(f) GDPR. Other hurdles in the Article 6(1)(f) assessment, such as data minimisation and reasonable expectations, remain.

Pseudonymisation of data

The Omnibus Package permits the Commission to adopt implementing acts to specify means and criteria to determine whether personal data resulting from pseudonymisation no longer constitutes personal data.

[1] The current draft of the Omnibus Package appears to have accidentally left out the word “except” in this proposed article, and the authors assume this is a mistake.

Technology and Innovation Group


© 2025 Arthur Cox LLP | All rights reserved