The EU Omnibus Package, as proposed by the European Commission, represents a sweeping regulatory reform aimed at simplifying, reducing bureaucracy, and harmonising a range of legal acts across the EU. The Commission intends to publish draft legislation for this omnibus package, which will significantly overhaul current digital-regulation frameworks. 

The package is driven by three principal goals: 

1. Enhancing competitiveness
2. Boosting efficiency
3. Cutting red tape for businesses

These aims align with the broader push coming out of the Draghi Report, which emphasized streamlining EU regulation to bolster economic growth.

Key Changes to Data Protection Law

Perhaps most striking for legal, compliance, and data protection teams are the proposed amendments to the GDPR, especially to Articles 4 and 9, which redefine “personal data” and “special categories” of data. 

Amendments to GDPR Definitions

The draft redefines personal data such that data is no longer considered “personal” for a controller if another entity could reasonably identify the person. In effect, this blurs responsibility, giving controllers without re-identification capacity an argument that GDPR simply doesn’t apply.

For special categories of data (currently protected under Article 9), the proposal narrows the definition so that only data that directly reveals sensitive attributes qualifies.

Impact on Identifiability

This redefinition of identifiability has profound implications:

• Controllers may claim that pseudonymized data is outside the GDPR’s scope if they lack means to re-identify individuals.
  
  
• Such argumentation could erode data subject rights. Without GDPR’s applicability, principles like purpose limitation, controller responsibility, and transparency may no longer bind certain actors.
  
  
• Data subjects may be left in the dark. If a controller claims GDPR doesn’t apply, individuals may not even know their data is being processed, limiting their ability to exercise their rights.

Narrowing of Special Categories

By limiting “special categories” to only what directly reveals sensitive traits:

• Inferences made via AI systems (e.g., predicting health status, political views) may fall outside GDPR protections, because the data does not directly reveal sensitive attributes.
  
  
• The proposal introduces a new exception. Under the AI Act, processing of sensitive data for AI training and operation could be permitted.
  
  
• The package suggests “appropriate” organisational and technical measures, but omits a proportionality assessment. This could favour large players (who can more easily claim they have safeguards), while smaller firms may struggle to define or demonstrate adequacy.
  
  
• To add, a new Article 88c is proposed, grounding AI training on “legitimate interests,” which is a potentially very broad basis.

Simplification and Harmonisation

The EU Omnibus simplification package goes beyond data protection. A key objective is to ease compliance burdens, particularly for smaller enterprises.

Reduction of Compliance Burdens

The package is explicitly pitched as a way to cut red tape, aiming to make regulatory obligations more manageable.
By lowering thresholds and narrowing scope in certain laws, it seeks to relieve administrative burdens on SMEs, which often struggle with compliance costs.

Harmonization of Legal Acts

It bundles reforms across multiple legal acts, enabling harmonization rather than isolated tweaks. By aligning different legislative regimes (e.g., GDPR changes with AI Act permissiveness), it consolidates regulatory shifts into a cohesive reform.

Risk-Based Approach Debate

While a risk-based approach to GDPR compliance (tailoring obligations based on risk level) could have been a natural fit, critics argue the omnibus proposal does not sufficiently adopt a nuanced risk-based model. Instead, the draft applies changes uniformly, without differentiating between large tech players and smaller controllers, which may undercut the goal of simplification.

Practical Implications for Legal Teams

For in-house legal teams, compliance officers, and DPOs, the proposed package has concrete operational implications.

Compliance Strategies

Risk Assessments: Legal teams should promptly assess which of their data processing activities might be affected, especially those involving re-identification risk or special categories.

Scenario Planning: Given the uncertainty, in-house counsel should prepare for multiple legislative outcomes (worst, moderate, best case) and align compliance plans accordingly.

Policy Revisions: Internal data protection policies may need to be revisited, especially around pseudonymization, purpose limitation, and data-sharing practices.

Data Subject Rights

With the potential erosion of GDPR protections, legal teams must proactively monitor the legislative process. They should also educate stakeholders (business units, product teams) about the risk to data subject rights, and possibly maintain higher standards voluntarily to preserve trust. Where feasible, set up transparency measures even if controllers argue GDPR doesn’t apply, providing information to individuals can help preserve reputation and mitigate risk.

Enforcement and Monitoring

Enforcement mechanisms may become more challenging under the new regime. Legal ops teams should build continuous monitoring frameworks to track changes in the law.

Compliance teams should coordinate with regulators and stay attuned to guidance around how “appropriate measures” will be assessed, especially for AI-based sensitive data processing.

It may also be wise to invest in audit trails and documentation now, so that if obligations tighten later, the organization is prepared.

‍

Political and Economic Implications

From a broader perspective, the EU Omnibus Package has significant political and economic ramifications.

Competitiveness and Efficiency

The Commission frames the package primarily through the lens of competitiveness and efficiency, suggesting a deregulatory turn to foster European industry. However, this focus on speed and deregulation raises concerns. Some argue that fundamental rights protections may be sacrificed in the pursuit of economic goals.

Impact on Big Tech vs. SMEs

The reforms may disproportionately benefit large tech companies. For instance, those with sophisticated AI infrastructures may navigate the relaxed restrictions on sensitive data more easily.

Smaller enterprises, especially those without re-identification capacity, may be marginalized or pressured. On one hand, they could claim GDPR doesn’t apply; on the other, they may struggle with the uncertainty of compliance responsibilities.

Legal Certainty and Digital Sovereignty

Critics warn that loosening data protection rules undermines legal certainty. Vague definitions and shifting obligations may make it harder for organizations to forecast compliance risk. Moreover, Europe’s digital sovereignty could be at stake. The package could renegotiate the balance of power between regulators and big digital players, with the latter gaining more operational freedom.

The Way Forward

Given the magnitude of changes, legal teams must take a forward-looking and strategic approach.

Evidence-Based Assessment

Stakeholders should push for evidence-based debate: the normative consequences of redefining personal data or lowering protection for special categories deserve scrutiny, especially beyond metrics of “competitiveness.” Normative externalities and long-term risks (e.g., to fundamental rights) must be weighed, not just economic gains.

Balanced Legislative Choice

Legal professionals, compliance officers, and DPOs should engage proactively in the legislative process: advocate for a balanced approach that preserves rights while enabling efficiency.

Industry associations, in-house legal networks, and civil society can contribute to the debate to ensure that simplification does not come at the cost of public-interest safeguards.

Investment in Infrastructure and SMEs

To realize the package’s goals sustainably, investment is needed especially in SMEs and digital infrastructure. Legal teams should advise their business leadership on the importance of such investments not just to comply with stripped-down regulation, but to build resilient, rights-respecting data practices.

What You Can do Now

1. Stay Informed: Monitor the progress of the legislative process (e.g., via Verfassungsblog, EU Parliament updates, and legal newsletters).
   
   
2. Prepare Scenarios: Run internal risk-assessment exercises to model the impacts of various eventualities.
   
   
3. Advocate: Engage with policymaking through industry associations or public consultations to champion balanced, rights-protective regulation.
   
   

Build Resiliency: Use this window to strengthen privacy governance, documentation, and transparency so your organization is ready, regardless of the final form of the package.