Navigating the Digital Omnibus: future-proofing the GDPR

On 26 February 2026, four experts, including a European Commission representative, gathered to debate the EU’s Digital Omnibus proposal and its impact on the GDPR. Here are the highlights.

On the threshold of significant regulatory shifts within the European Union, the Center for a Digital Society (CDS), in cooperation with the University of Florence, convened the second edition of the Digital Omnibus Talks on 26 February 2026. This webinar focused on the proposed “Digital Omnibus” legislative package and its specific impact on the General Data Protection Regulation (GDPR). The discussion reached a critical juncture following the release of a leaked draft of the Council of the EU, which suggested a departure from some of the European Commission’s original proposals.

The session was moderated by Natalia Menéndez González, Research Associate at the Centre for a Digital Society and Assistant Professor of Digital Law & AI Law at CUNEF University, who framed the discussion around the tension between the Commission’s goal of “technical simplification” and concerns regarding a potential “substantive recalibration” of fundamental rights. The relevance of this debate is underscored by recent high-level reports, such as the Draghi and Letta reports, which have called for greater legal certainty and reduced fragmentation to bolster European competitiveness.

The contentious definition of personal data

A central pillar of the discussion revolved around the proposed amendments to the definition of personal data in Article 4(1) of the GDPR. There was a significant divide among participants regarding whether these changes merely codify existing case law or introduce dangerous loopholes.

Those supporting the Commission’s proposal argued that the additions are necessary to clarify the “relative approach” to personal data established by the Court of Justice of the European Union (CJEU) in the Breyer and SRB judgments. This perspective suggests that data may be personal for one entity but non-personal for another, depending on whether that entity has the realistic means to re-identify the data subject. It was argued that the current lack of clarity leads to “consent fatigue” and excessive compliance costs that do not actually improve protection. One participant noted that it would fly in the face of logic to suggest that an entity becomes a controller simply because another entity further down the data chain has the means to re-identify an individual.

Conversely, other voices expressed deep concern that shifting toward a more subjective, entity-specific definition could allow data controllers to escape the scope of the GDPR by fragmenting their activities. There was particular criticism of the proposal to use implementing acts to define the technical means of re-identification, with some arguing that such decisions should not be left to the Commission as they directly affect the scope of fundamental rights. Disagreement also surfaced regarding the CJEU’s SRB judgment; while some saw the Omnibus as a faithful reflection of the court’s findings, others pointed to specific paragraphs in the judgment that seemingly contradict the proposed text.

Innovation, AI, and the SME Perspective

The webinar also explored how the Digital Omnibus aims to support technological innovation and the development of Artificial Intelligence (AI) within the EU. The discussion highlighted the proposal’s attempt to harmonise the use of “legitimate interest” as a legal basis for processing personal data for AI training.

Participants generally agreed that legal certainty is a prerequisite for innovation, as fragmentation and unpredictable interpretation by different Data Protection Authorities (DPAs) create significant hurdles for businesses. For Small and Medium-sized Enterprises (SMEs), which are described as the backbone of the European economy, the administrative burden of the GDPR is often perceived as overwhelming. Support was voiced for efforts to simplify record-keeping and information requirements for low-risk, circumscribed relationships, such as those involving local clubs or small service providers.

However, the discussion also touched upon the risk of “watering down” protections. Some cautioned that opening the GDPR for AI training must be handled carefully to avoid exacerbating the dominance of large, non-European platforms that have already accumulated massive datasets. Instead, it was suggested that a “win-win” situation be sought, where rights are not sacrificed for innovation, but rather where European digital solutions leverage their high data protection standards as a strategic advantage. There was also debate regarding the state of the art in technology; while some industry representatives felt legislation is lagging behind technical realities like fraud detection, others emphasised that simplification alone cannot replace a robust industrial policy.

The recalibration of subject access rights and automated processing

A final area of robust debate concerned the potential impact on individual rights, specifically the right of access and protections against automated decision-making.

The Omnibus proposes allowing controllers to refuse access requests deemed “abusive” or “manifestly unfounded,” particularly when the request is for purposes other than protecting the individual’s data. While some argued this is a necessary step to curb the costs of abusive litigation that fuels a negative perception of the GDPR, others viewed it as a “dangerous” departure from the principle that access is a “purpose-agnostic” gateway right. One voice in the discussion pointed out that individuals often use access requests to verify lawfulness in other contexts, such as employment or medical negligence, and that restricting this could have “constitutional consequences”.

Regarding automated individual decision-making (Article 22), the discussion highlighted a subtle but important shift in the regulation’s structure. While the original GDPR text is framed as a general prohibition with exceptions, the Omnibus proposal moves toward a more permissive framework under certain conditions. Some participants argued this change provides clearer guidance for real-time applications like anti-fraud tools, while others insisted that maintaining the “prohibition in principle” is essential for protecting individuals from the risks of automated processing.

Furthermore, the introduction of mandatory centralized consent management at the browser level was criticized by industry representatives. They argued that such a “single point of failure” would detach consent from its specific context, potentially leaving users less informed about their choices.

Conclusion: advancing the Digital Society agenda

The webinar concluded with the recognition that the conversation regarding the Digital Omnibus is far from over. While there is a consensus on the need for simplification and the reduction of fragmentation, the path to achieving these goals without compromising the “high level of protection” guaranteed by the GDPR remains a point of intense debate.

This event is part of a broader commitment by the Center for a Digital Society to foster high-level academic and policy dialogue on the most pressing issues of the digital age. This webinar followed a previous session dedicated to the AI Act and serves as a bridge to the final instalment of the Omnibus series.

Through such initiatives, the CDS continues to lead research and training activities that aim to navigate the complex intersection of technology, law, and society, ensuring that the evolution of the EU’s digital regulatory framework is both scientifically grounded and practically viable. One participant summarised the importance of this ongoing work by noting that “lack of legal certainty does not serve anybody,” emphasising that the ultimate goal must be a framework that protects rights and advances European innovation.