The European Commission has unveiled a significant legislative package, dubbed the "Digital Omnibus," proposing to relax certain provisions of the General Data Protection Regulation (GDPR), the AI Act, and Europe's cookie rules. This initiative aims to enhance competitiveness and simplify digital regulations across the EU.

For businesses that manage EU traffic or rely on European data for analytics, advertising, or artificial intelligence features, closely monitoring this proposal is crucial, even though no immediate legal changes have taken effect.

Key Changes Proposed by the Digital Omnibus

The Digital Omnibus seeks to revise several existing laws simultaneously.

Revisions to the AI Act

Under the proposal, the implementation of stricter rules for high-risk AI systems would be postponed from August 2026 to December 2027. Additionally, it aims to reduce documentation and reporting obligations for certain AI systems and transfer more oversight responsibilities to the newly established EU AI Office.

Clarifying Data Protection and Anonymization

Regarding data protection, the Commission intends to provide clearer guidelines on when information is no longer considered 'personal' data. This clarification is designed to facilitate the sharing and reuse of anonymized and pseudonymized datasets, particularly for AI training purposes.

However, privacy advocacy group noyb argues that this new wording goes beyond mere clarification. They contend that the proposal introduces a more subjective interpretation, dependent on a data controller's stated intentions or capabilities. Noyb warns that this shift could potentially exempt parts of the adtech and data-broker industries from essential GDPR protections.

Streamlining Cookie Consent and Browser Signals

Perhaps the most visible change for daily operations, if the proposal advances, concerns cookie consent. The Commission seeks to combat "banner fatigue" by exempting certain low-risk cookies from requiring consent pop-ups. Instead, more control would be shifted to browser-level settings, which would apply across multiple websites.

Practically, this means fewer consent banners for uses like specific analytics or strictly functional data storage, once these categories are clearly defined. The proposal also mandates that websites respect standardized, machine-readable privacy signals from browsers, provided such standards are established.

AI Training and Data Rights Under Scrutiny

One of the most contentious aspects of the Digital Omnibus is its approach to data utilized for training AI systems. The package proposes to broaden the legal basis under which companies, including tech giants like Google, Meta, and OpenAI, can use Europeans' personal data to train their AI models.

Privacy groups have consistently advocated for explicit opt-in consent for this type of data training, contrasting with the more flexible approach outlined in the proposal. Noyb specifically cautions that extensive behavioral data, such as social media histories, could be used to train AI systems based on an opt-out model that users might find difficult to effectively exercise.

Why These Changes Matter for Businesses

This proposal warrants close attention from anyone responsible for analytics, consent management, or AI-driven products targeting EU users. Over time, businesses might observe more streamlined, browser-driven consent experiences for EU traffic and a revised compliance framework for AI features that rely on behavioral data.

For now, however, no immediate changes are required for existing cookie banners, GA4 setups, or AI workflows solely due to the Digital Omnibus proposal.

Looking Ahead: Monitoring the Digital Omnibus

The Digital Omnibus signals a strategic re-evaluation by the EU, indicating a shift towards balancing its digital rulebook with both AI innovation and competitiveness, rather than solely focusing on privacy and enforcement. Key developments to monitor include Parliament's amendments concerning AI training and data language, provisions related to cookies and browser signals for Consent Management Platforms (CMPs) and browsers, and any further adjustments to AI training and consent mechanisms for EU users.
