EU Digital Omnibus Regulation
Introduction
In November 2025, the European Commission ("Commission") launched the EU Digital Omnibus Regulation Proposal ("Digital Omnibus"), a wide-ranging legislative initiative aimed at streamlining the EU's existing digital regulatory framework[1].
Digital Omnibus consolidates amendments across several key instruments with the stated objective of reducing compliance burdens while preserving the essential protections afforded to individuals under EU law. The proposed amendments would, if adopted, alter fundamental compliance obligations across GDPR, cookie rules, the AI Act, Data Act, and some EU cybersecurity rules.
This article focuses on proposed amendments to GDPR and cookie rules.
Proposed Changes for the GDPR
Digital Omnibus's proposed GDPR amendments are consequential and have attracted the greatest degree of commentary[2].
The principal proposed changes are as follows:
Redefinition of Personal Data: Digital Omnibus clarifies that whether data qualifies as personal data must be assessed from the perspective of the specific entity processing it, meaning the same dataset may be personal data for one organization but not for another that has no realistic means of re-identifying the individual concerned.
AI Development and Legitimate Interests: The proposal expressly recognizes legitimate interests as a lawful basis for processing personal data in the development and operation of AI systems, subject to enhanced safeguards including strict data minimization, protection against residual disclosure, strengthened transparency, and an unconditional right to object.
Pseudonymized Data Outside GDPR for Certain Entities: Under defined conditions, such as pseudonymized health data held by a public authority with no legal or technical means of re-identification, the proposal allows pseudonymized data to fall outside the GDPR's scope for the receiving entity, subject to Commission- or EDPB-established criteria and appropriate safeguards.
Raised Threshold and Extended Deadline for Data Breach Reporting: The notification threshold for reporting breaches to supervisory authorities is raised from "risk" to "high risk" (aligning it with the existing threshold for notifying data subjects), and the reporting deadline is extended from 72 to 96 hours, with future notifications anticipated to flow through a single NIS2 entry point.
Simplified Transparency Obligations: A narrow exemption from GDPR Article 13 information obligation is introduced for routine, low-risk transactions where the individual can reasonably be assumed to be aware of the processing, though the exemption does not apply where data is shared with third parties, transferred outside the EU, or where a data protection impact assessment ("DPIA") would be required.
Harmonized Enforcement Mechanism for DPIA: The EDPB would establish unified EU-level lists of processing activities triggering or not triggering DPIA obligation, along with a standard DPIA template, superseding the current patchwork of divergent national supervisory authority lists.
Data Subject Requests - New "Abuse of Rights" Ground: Controllers may refuse or charge a reasonable fee for data subject requests where the request is being used for purposes unrelated to data protection a provision particularly relevant in the context of disputes with former employees or strategically motivated litigation.
Proposed Changes in Relation to Cookies
Digital Omnibus proposes targeted but significant amendments to rules governing cookies and other tracking technologies. In the current legal framework, the ePrivacy Directive covering the rules of consent requirement operates alongside the GDPR for the rules on processing the personal data. The consolidation motivation is welcomed by the practitioners.
Digital Omnibus proposes to revise the consent requirements for cookies and similar tracking technologies under Article 5(3) ePrivacy Directive[3]. It envisages a tiered approach under which first-party, non-intrusive cookies used for purely technical or analytical purposes would no longer require prior explicit consent.
The proposal also imposes specific operational obligations on controllers, requiring them to offer a one-click option to refuse consent and barring them from re-prompting users for consent for the same purpose for a period of six months following a refusal or for the duration of any consent already given.
Conclusion
The EU Digital Omnibus Regulation Proposal represents a significant effort by the Commission to recalibrate the balance between regulatory rigor and operational practicality within the EU's digital framework. As outlined above, the proposed amendments to the GDPR and cookie consent rules seek to address longstanding concerns regarding compliance complexity while simultaneously creating regulatory space for emerging technologies such as AI.
Key proposals, including the redefinition of personal data, the raised threshold for data breach reporting, DPIA harmonization, the new abuse of rights ground for data subject requests, and the tiered approach to cookie consent would, if adopted, materially alter the compliance landscape for organizations operating within the EU. However, these measures have already attracted robust scrutiny from data protection authorities, civil society organizations, and the EDPB[4], who caution that certain simplification measures risk diluting the fundamental rights protections that underpin the existing framework.
The final form of the Digital Omnibus will be shaped by what are expected to be complex inter-institutional negotiations in the EU. In the interim, practitioners and businesses would be well advised to monitor the legislative process closely and to undertake early assessments of how the proposed changes may affect their existing data protection and privacy compliance frameworks.
- European Commission, Digital Omnibus — Regulation Proposal (2025), for access: https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal
- Loyens & Loeff, "Digital Omnibus: simplifying compliance and secure data identity management", for access: Digital Omnibus: simplifying compliance and secure data identity management | Loyens & Loeff
- Loyens & Loeff (Stephanie De Smedt, Kirill Ryabtsev and Emilia Fronczak), "Digital Omnibus: What the proposed changes mean for GDPR, privacy and cookies", Lexology (5 March 2026), for access: https://www.lexology.com/library/detail.aspx?g=7c310ec1-598a-45cb-bcbd-b3e33ba8d113
- European Data Protection Board and European Data Protection Supervisor, Joint Opinion 02/2026 on the Digital Omnibus (February 2026), for access: https://www.edpb.europa.eu/system/files/2026-02/edpb_edps_jointopinion_202602_digitalomnibus_en.pdf
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
Other Contents
As part of the 2020 European Data Strategy, the Regulation on harmonized rules on fair access to and use of data (Data Act or Act) aims to boost the European Union’s (EU) data economy by maximizing data access and data use in a competitive and fair environment.
On September 2025, the Court of Justice of the European Union (“CJEU”) delivered its judgment in Single Resolution Board (SRB) v. European Data Protection Supervisor (EDPS), providing some clarification on the identifiability of data under the EU data protection regime. The case examined whether information that...
In Türkiye, it has recently become increasingly common, especially in retail stores, to send verification codes to data subjects by SMS during the provision of goods and services and to process personal data in this way. In the complaints submitted to the Personal Data Protection Board (“Board”), it has been...
In contemporary workplaces, employers frequently implement surveillance systems for reasons such as ensuring occupational health and safety, maintaining workplace order, operating internal control mechanisms, and preventing potential misconduct. However, such monitoring practices often raise significant...
Although the Turkish Personal Data Protection Law No. 6698 (KVKK) stipulates certain rules on cross-border personal data transfer, the effective functioning of the transfer rules was limited over time due to some difficulties in practice. In particular, until late 2024, the application process for permission to transfer...
Personal Data Protection Law numbered 6698 (“PDPL”) was first drafted based on the Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals about the processing of personal data and on the free movement of such data, and entered into force in 2016...
Typically, when an employee departs, their corporate email account remains active and accessible to the employer for a period of time. During this time, the email archive and new incoming messages are forwarded to the employee's manager or another colleague...
In today's world, we now have the opportunity to purchase many products and services through e-commerce platforms with a single click from wherever we are. During these purchases, our personal data are collected and used through the websites or mobile applications of e-commerce platforms for various...
The processing of genetic data has the potential to affect not only the data subjects but also the persons with whom the data subject is genetically connected. “The Guidelines on Issues to be Considered in the Processing of Genetic Data” (“Guidelines”) published by the Personal Data Protection Authority...
In its decision regarding Case-300/21 and dated May 4, 2023, the Court of Justice of the European Union (“CJEU”) evaluates the right to compensation for an infringement of the European Union General Data Protection Regulation (“GDPR”) regulated in Article 82 of the GDPR. The CJEU decided that a mere...
The Personal Data Protection Law numbered 6698 (“PDPL”) introduces definitions for many concepts such as personal data, data controller, data processor and data subject. In terms of understanding and interpreting these concepts, secondary legislation, Personal Data Protection Authority (“Authority”) guidelines...
The Covid-19 pandemic and recent technological developments have significantly accelerated the digital transformation of all sectors. However, this rapid change especially in the financial sector (mobile banking, e-commerce, contactless payments, etc.) has brought some risks along with making life extremely...
Smartwatches have undeniably revolutionized our lives in the past decade. Apart from their core function as a timepiece, these wearable computers packaged in the form of a watch enable us to answer incoming calls, reply to messages and skim through social media notifications in seconds. Their steady rechargeable...
The Personal Data Protection Authority (“DPA”), on 16.06.2022, published the Draft Guidelines on Examination of Loyalty Programs within the Scope of Personal Data Protection Legislation (“Draft Guidelines”). The public has until 16.07.2022 to submit comments on them, and after these are evaluated...
The German Competition Authority (“Bundeskartellamt”) had previously found Meta (formerly Facebook) responsible for abusing its dominant position in the social network market by collecting and processing the personal data of its users without their consent and imposed measures on Meta and its associated...
Banks process large volumes of personal data in their daily operations. In order to deal with this sensitive information, the Turkish Personal Data Protection Authority, in cooperation with the Banks Association of Turkey, published Good Practice Guidelines on Personal Data Protection in the Banking...
The procedural rules on mass claims within European Union (“EU”) Member States is not uniform. To improve the position of consumers who might wish to make such claims, the European Parliament passed the Collective Redress Directive (“Directive”). The impact of the Directive is expected to...
In February 2020, the European Commission (“Commission”) published “A European Strategy for Data” as part of a wider drive concerning digital transformation and policy. Through this communication, the European Union (“EU”), defining itself as having a leading role in the data economy...
The Regulation on Protection and Processing of Personal Data by the Social Security Institution (the “Regulation”), the purpose of which is to determine the procedures and principles for processing data obtained within the scope of the duties and authority of...
The Personal Information Protection Law of the People’s Republic of China (“PIPL”) passed at the 30th meeting of the Standing Committee of the 13th National People’s Congress on 20 August 2021 and entered into force on 1 November 2021 as per Article 74...
In today's world, there is no doubt that data has become one of the most valuable assets and resources for some companies. The ability to collect, store, process, and analyze data on a large scale has dramatically changed...
