On November 19, 2025, the European Commission presented the so-called Digital Omnibus, a legislative package aimed at simplifying, consolidating, and adjusting the European Union's digital regulatory framework, with a special focus on personal data protection, privacy, cybersecurity, and artificial intelligence regimes.

The initiative comes at a time of strategic inflection in European regulatory policy, marked by a growing perception that the high degree of regulatory sophistication achieved over the last decade has come to coexist with significant regulatory costs, interpretative uncertainties, and practical implementation difficulties, especially in technology- and data-intensive sectors.

The Digital Omnibus is part of the so-called competitiveness compass, the European Commission's new strategy aimed at restoring the bloc's economic dynamism, strengthening global competitiveness, and reducing regulatory barriers considered disproportionate.

It is thus a direct political response to criticism of the European model of digital regulation, often described as overly fragmented, costly, and incompatible with the speed of technological innovation, particularly with regard to the development and adoption of artificial intelligence systems.

From a regulatory standpoint, the package consists of two distinct but interrelated legislative proposals. On the one hand, the Digital Legislation Omnibus, aimed at simplifying and streamlining rules on data, privacy, and cybersecurity, with a direct impact on the application of the GDPR and related legislation. On the other hand, the Digital Omnibus on AI promotes specific adjustments to the application of the Artificial Intelligence Act, seeking greater regulatory consistency and operational viability for the sector. Together, these proposals reveal an attempt to reorient European digital governance based on criteria of proportionality, risk analysis, and regulatory pragmatism.

Although still subject to the European Union's ordinary legislative process, the Digital Omnibus already signals a significant change in the bloc's regulatory philosophy, indicating a gradual shift from a predominantly precautionary model to a more functional and implementation-oriented approach.

In this context, this article aims to analyze the extent to which the Digital Omnibus represents a mere incremental adaptation of the European data protection and artificial intelligence regime or, alternatively, an initial step toward a more profound recalibration of the balance between the protection of fundamental rights, legal certainty, and the promotion of technological innovation.

1. THE RECALIBRATION OF THE GDPR IN THE AGE OF ARTIFICIAL INTELLIGENCE: PROTECTIVE CONTINUITY AND FUNCTIONAL ADAPTATION BY THE DIGITAL OMNIBUS

Currently, the European Union's General Data Protection Regulation (GDPR), in force since 2018, has established itself as the main regulatory axis of European digital governance, by giving legal substance to the fundamental right to personal data protection enshrined in Article 8 of the Charter of Fundamental Rights of the European Union.

The GDPR established a regulatory model structured around a strongly protective logic, aimed at rebalancing the informational and power asymmetries that exist between data subjects and public or private data processors.

This protective logic is particularly evident in the combination of three central elements: (i) the centrality of the data subject, with an emphasis on consent, transparency, and individual control; (ii) the normative differentiation between categories of data, with particular rigor in the processing of so-called sensitive data; and (iii) a predominantly preventive approach, geared toward ex ante risk mitigation, even if this implies significant restrictions on technological innovation. Article 9 of the GDPR is a paradigmatic expression of this regulatory design, establishing as a general rule the prohibition of the processing of sensitive data, such as biometric, genetic, health, or data relating to intimate beliefs, allowing only strictly defined exceptions that are interpreted restrictively.

This model has raised the global bar for data protection and influenced legislation in various jurisdictions. However, the rapid expansion of technologies based on massive data processing, machine learning, and artificial intelligence has exposed structural tensions in the original GDPR regime. Widespread technological practices—such as AI model training, the use of biometric authentication, and the reuse of large databases—have come to operate in legal gray areas, generating legal uncertainty, interpretative differences between national authorities, and a growing gap between the letter of the law and technological reality.

It is in this context that the so-called Digital Omnibus comes in, which does not seek to replace the GDPR or relativize its normative centrality, but rather to adjust legal instruments without abandoning the structuring principles of the European regime. The Omnibus starts from the recognition that effective protection of personal data does not depend solely on abstract and uniform prohibitions, but on proportional solutions that are risk-sensitive and appropriate to contemporary technical capabilities.

2. THE DIGITAL LEGISLATION OMNIBUS: DATA, PRIVACY, AND CYBERSECURITY

Perhaps the most significant change—and also one of the most controversial—introduced by the Digital Omnibus is the revision of the concept of personal data under the GDPR. Initially, the proposal breaks with the objective, broad, and abstract approach that has prevailed since the regulation came into force in 2018, according to which the mere theoretical possibility of identification by any third party would be sufficient to characterize certain information as personal data.

In its place, the Digital Omnibus proposes the adoption of a contextual, functional, and subjective criterion, centered on the specific position of the controller, so that information will not be considered personal data when the controller does not have, nor can reasonably have, the means to identify the data subject.

In practice, this redefinition shifts the focus of legal analysis to the specific context of the processing, implying that (i) the assessment of identifiability must be carried out from the controller's point of view and at the time of data collection or processing; (ii) data that could only theoretically be re-identified by third parties through external combinations or disproportionate efforts is no longer automatically classified as personal data; and (iii) the GDPR no longer applies to data sets that are functionally unidentifiable for a given organization, even if they may be identifiable in other contexts or by other economic agents.

The Omnibus also seeks to resolve a certain legal uncertainty: the distinction between pseudonymized and anonymized data. The proposal authorizes the European Commission and the European Data Protection Board to establish uniform criteria at the European level to determine when pseudonymized data should still be considered personal and to measure the actual risk of re-identification. This is a significant change because it replaces divergent national interpretations with a common, risk-based model, reducing the cost of compliance for companies operating in multiple Member States.

This shift brings the European model closer to approaches already established in the United Kingdom, notably in the interpretation adopted by the Information Commissioner's Office (ICO), and is supported by recent case law of the Court of Justice of the European Union, such as in the case EDPS v SRB (C-413/23 P), in which the Court held that pseudonymized data is not automatically considered personal data for all agents, and that a contextual assessment of the "actual identifiability" of individuals by the recipients of the data must be made, considering the means reasonably available to the recipient.

In summary, the classification of data as personal can no longer be understood in an absolute and abstract way: the analysis depends on the factual context and the re-identification capabilities of the recipient. By reducing the scope of application of the GDPR in certain contexts, especially those involving big data, advanced analytics, and artificial intelligence model training, the Digital Omnibus tends to lower compliance costs, increase regulatory predictability, and expand the possibilities for legitimate use of data in innovation-intensive activities, without, at least in theory, compromising the substantial level of protection afforded to data subjects.

Another relevant point of the recalibration promoted by the Digital Omnibus is the express codification of legitimate interest as the legal basis for training AI models, including when it involves personal data. This regulatory option resolves differences that previously existed between data protection authorities in member states, provides legal certainty to practices already established in the technology sector, and preserves the rights of data subjects, such as the possibility of opposition and the requirement for adequate safeguards. Particularly significant is the recognition that personal data publicly available on social networks may be used for AI training, provided that effective opt-out mechanisms are respected.

Finally, the Digital Omnibus introduces relevant adjustments to the rights of data subjects and the obligations of controlling entities, adopting a more proportional and operational approach. Among these measures, we highlight the possibility of rejecting manifestly abusive requests for access to data, the relaxation of the duty to inform when the data subject already has reasonable knowledge of the processing, and the rationalization of security incident notifications, with more realistic deadlines and mandatory communication only in high-risk cases.

CONCLUSION: REAL SIMPLIFICATION OR INCREMENTAL ADJUSTMENT?

The Digital Omnibus constitutes a significant shift in European regulatory discourse by more explicitly recognizing the operational limits of the model originally enshrined in the GDPR in light of the consolidation of the data economy and the spread of artificial intelligence systems. Without breaking with the axiological matrix based on the protection of fundamental rights, the Omnibus signals a greater openness to technological innovation, risk management, and regulatory proportionality, shifting the focus from abstract prohibitions to more contextual and functionally appropriate solutions.

The effects of this initiative, however, are predominantly incremental rather than transformative. By simplifying procedures, reducing practical friction, and increasing legal predictability on sensitive issues, the Digital Omnibus contributes to the rationalization of the European data protection regime without substantially altering its structural foundations.

On the other hand, central dilemmas of European data and artificial intelligence regulation remain untouched, especially those related to economic concentration, large-scale data governance, and the European Union's institutional capacity to respond in a timely manner to increasingly accelerated technological cycles. The persistence of a complex and highly precautionary regulatory framework continues to strain European competitiveness in strategic sectors, revealing the limits of a regulation that, although sophisticated, does not always keep pace with the dynamics of the innovation it seeks to regulate.