EU Digital Omnibus

EU Proposes “Digital Omnibus” Package to Ease GDPR, AI Act, and Cookie Rules

The European Commission has proposed a “Digital Omnibus” to ease parts of the GDPR, AI Act, and cookie rules. The package seeks to simplify data use, delay AI obligations, and reduce consent banners, raising debate over privacy and AI training rights.

Photo by ALEXANDRE LALLEMAND / Unsplash

The European Commission has introduced a sweeping legislative proposal—dubbed the Digital Omnibus—aimed at easing parts of the General Data Protection Regulation (GDPR), the EU AI Act, and longstanding cookie consent rules. The initiative reflects a broader shift in Europe’s digital strategy as policymakers try to balance privacy protections with competitiveness and the rapid growth of artificial intelligence.

Although the proposal has not yet entered into force, it signals substantial potential changes for organizations that rely on EU user data for analytics, advertising, or AI development.

Proposed Adjustments to the AI Act

The Digital Omnibus would delay enforcement of stricter requirements for high-risk AI systems from August 2026 to December 2027, extending the transition period for businesses preparing for compliance.

The proposal also seeks to reduce documentation and reporting obligations for certain AI systems and centralize more oversight under the newly operational EU AI Office, established earlier in 2025. The shift is intended to streamline administrative burdens and create a more unified enforcement approach across member states.

Redefining Personal Data and Data Reuse

One of the most consequential components focuses on data protection rules. The Commission aims to clarify when information can no longer be considered “personal data” once properly anonymized or pseudonymized.

The update is designed to make it easier for organizations to share or reuse data for purposes such as AI training, research, and product development—areas where businesses have long described GDPR as restrictive.

Privacy organization noyb, founded by Max Schrems, argues that the proposed language does more than clarify existing rules. It warns the new framework gives companies broader discretion to define what qualifies as personal data based on their own technical capabilities. According to noyb, this shift could limit the GDPR’s reach across sectors such as adtech and data brokers, raising concerns about reduced oversight.

The Commission is also targeting what it calls Europe’s “consent fatigue.” Under the Digital Omnibus, some low-risk cookies—such as certain analytics or strictly functional storage—could be exempted from consent pop-ups, pending the definition of eligible categories.

The proposal would also place more emphasis on privacy preferences set at the browser level, requiring websites to honor standardized, machine-readable signals once technical standards are finalized. This could significantly reduce the number of on-site banner interactions EU users encounter.

AI Training and Personal Data

The most debated element concerns the use of personal data for AI training. The Digital Omnibus would expand the legal basis companies can rely on to train AI models, potentially allowing platforms such as Google, Meta, and OpenAI to use Europeans’ personal data without explicit opt-in consent.

Privacy groups argue that AI training requires stronger safeguards, citing risks that long-term behavioral information—such as social media histories—could be repurposed under an opt-out regime. They warn that such opt-out processes are often difficult for individuals to locate or complete, potentially weakening user rights.

Implications for Businesses

If adopted, the Digital Omnibus would reshape how companies manage data across analytics, advertising, AI development, and consent workflows. Organizations may ultimately see:

Fewer consent banners for EU visitors.
More browser-driven privacy controls.
Revised compliance obligations for AI systems, particularly those trained on behavioral data.

However, no immediate operational changes are required. Existing cookie consent processes, analytics configurations, and AI governance structures remain unchanged until the proposal progresses through the EU legislative process.

What Comes Next

The Digital Omnibus marks a notable pivot in EU digital policymaking, reflecting growing concern that regulatory complexity could hinder innovation and global competitiveness. The proposal now moves to the European Parliament and the Council, where amendments and negotiations are expected.

Key areas to monitor include: