Amendments to GDPR

On 19 November 2025, the European Commission proposed amendments to the GDPR as part of its “Digital Omnibus” Regulation package. The amendments would take effect only after the necessary approval formalities are completed.

The Digital Omnibus package also covers the Data Act, which is to serve as a unified framework for data regulation: it merges into the Data Act, and streamlines, certain rules such as those of the Free Flow of Non-Personal Data Regulation.

The following proposals would amend the GDPR. They address simplification of compliance for smaller businesses and clarify the rules for AI development.

1. Redefining “Personal Data”

The Package proposes two amendments to clarify the concept of “personal data” under the GDPR (references to the “Amended GDPR” relate to the GDPR as it would be amended under the proposals set out in the Package).

  • Definition of “personal data” (Art.4(1) Amended GDPR) – The definition of “personal data” under the Amended GDPR would be amended, effectively codifying a recent decision of the CJEU (Court of Justice of the EU).
    • The revised definition would clarify that information is not personal data for a given entity if that entity cannot identify the natural person to whom the information relates, taking into account “the means reasonably likely to be used” to achieve identification.
  • Pseudonymisation (new Art.41a Amended GDPR) – The Package also introduces the possibility that pseudonymised data may, in certain circumstances, no longer be considered personal data for certain entities.
    • The details of such circumstances would be specified through implementing acts adopted by the Commission.

2. Artificial Intelligence

Two additional proposals in the Amended GDPR address the processing of personal data when developing and deploying AI systems and models.

  • Processing for AI development (new Art.88c Amended GDPR) –
    • The Package includes a new provision to clarify that controllers can rely on legitimate interests under Art. 6(1)(f) Amended GDPR to process personal data for the development and operation of an AI system.
      • Such reliance would remain subject to the usual balancing test for legitimate interests, appropriate safeguards, and any EU or Member State laws that expressly require consent for the relevant processing.
  • Special category personal data (“SCD”) and AI systems (Art.9(2) & new Art.9(5) Amended GDPR)
    • The proposed amendments would allow residual processing of SCD in the context of developing and deploying AI systems and models, provided that the controller “effectively protect[s] without undue delay such data from being used to produce outputs, from being disclosed or otherwise made available to third parties”.
      • The proposed addition of Art.9(5) in the Amended GDPR also makes clear that, as a general rule, SCD should not be used for the development or operation of AI systems.

3. Key Operational Amendments

The Package also proposes to revise several practical data protection obligations, including data subject access requests (“DSARs“), personal data breach notifications, and data protection impact assessments (“DPIAs“).

  • (a) DSARs (Art.12(5) Amended GDPR) –
    • The proposed amendment introduces a new ground for refusing (or charging a reasonable fee for responding to) a DSAR where “the data subject abuses the rights conferred by [the Amended GDPR] for purposes other than the protection of their data”.
      • The scope of this exemption remains uncertain, including whether it could assist organisations in responding to a DSAR submitted in litigation, where the purpose of the DSAR appears to be to obtain information for use in that litigation.
  • (b) Personal data breach notifications (Art.33 Amended GDPR) –
    • The proposed amendment would:
      • (i) raise the threshold for notifying data protection supervisory authorities (“SAs“) regarding personal data breaches, aligning the threshold in the Amended GDPR with the threshold for notifying data subjects (i.e., only where a breach “is likely to result in a high risk to the rights and freedoms of natural persons”);
      • (ii) extend the deadline for notifying SAs from 72 to 96 hours; and
      • (iii) introduce a single entry point for incident reporting (once established), which would also act as the single entry point for various other related notifications (e.g., under NIS2 / DORA).
      • In addition, the European Data Protection Board (“EDPB“) would be mandated to prepare a common notification template and a list of circumstances in which a breach is likely to result in a high risk to an individual’s rights and freedoms, with both instruments subject to review at least every three years and updates where necessary.
  • (c) DPIAs (Art.35 Amended GDPR) –
    • The proposed amendment would harmonise DPIA requirements across the EU through EU-wide guidance.
      • Under this approach, the EDPB would compile unified lists of processing activities that do or do not require a DPIA, and create a standard DPIA template and methodology.
      • Once approved by the Commission, these EU-wide lists would supersede national lists, ensuring that organisations face the same DPIA triggers across all Member States. Any national lists already published by SAs would continue to apply until the Commission adopts the relevant implementing act.
  • (d) Records of processing (“ROPA”) exemption for SMEs (Art.30(5) Amended GDPR) –
    • The package extends the Article 30(5) exemption from keeping records of processing, which currently applies to organisations with fewer than 250 employees, so that the record-keeping obligation would apply only to “high risk” processing such as AI profiling or biometrics. It also removes the current disqualifiers for the exemption, such as non-occasional processing or the processing of special category data (except employment-related processing under Article 9(2)(b)).
  • (e) Cookie banners and ePrivacy –
    • The package integrates the ePrivacy rules on cookies and similar technologies into the GDPR. Users would be able to accept or refuse cookies with a single click, and their choice would have to be respected for at least six months.

It is observed from the suggested changes that the EU authorities are correcting some of the stringent provisions of the earlier version.

In the DGPSI-GDPR version of the framework being developed by FDPPI, these changes will be incorporated even though they become legally effective only after the necessary clearances.

The change to the definition of Personal Data, which excludes data that cannot reliably be linked to a natural person, is a principle already adopted under DGPSI, where only a “set of data elements” which together identify an individual is treated as “Personal Data”. The exclusion of “pseudonymised data” from the definition aligns with the definition of “anonymisation”, where the user of the data cannot identify the individual. As with the proposed Art.4(1), this exclusion is relative to the entity concerned: for an entity that can still identify the individual (for example, one holding the key used for pseudonymisation), the data remains personal data.

The change to DSARs is similar to the RTI regulation in India, where the right to information is denied when the request is made in support of an intended litigation.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He is now focusing on projects such as Secure Digital India and Cyber Insurance.