GDPR: What the new European ‘Digital Omnibus’ could change
The European Commission has introduced a set of major revisions to the GDPR as part of its Digital Package unveiled on November 19, 2025. The stated goal is to ease administrative burdens for businesses while maintaining a high level of data protection. However, several proposals strike at the core of the regulation and already raise a number of questions.
1. Are cookie banners coming to an end?
The main change for internet users concerns how cookie consent is managed. Under the new Article 88a, permissions would no longer have to be granted through pop-ups, but could instead be managed directly within the browser or operating system.
The proposal outlines four situations where no consent would be required:
transmission strictly necessary for providing the requested service,
functionalities explicitly requested by the user,
internal and anonymized audience measurement,
security of the website or device.
For anything involving targeted advertising or third-party analytics, consent would still be mandatory. Websites would be required to automatically recognize the signals sent by the browser (consent or refusal), which must remain valid for at least six months. Any violation could result in fines of up to 4% of global annual revenue.
2. A new approach to pseudonymization
The Commission aims to redefine what constitutes personal data. Information that has been pseudonymized may remain personal for the company processing it, but become non-personal for a third party that has no means of identifying individuals.
In other words, the “personal” nature of the data would depend on the recipient. The company remains responsible for the processing, and the concept of pseudonymization may evolve as technology advances.
3. Yes, personal data could be used to train AI systems
The proposal would allow AI training using personal data without prior consent, provided that the law and GDPR principles are respected. A right to object is included, but it leaves many questions unanswered: how can individuals prove that their data is being used? How can such data be removed from an already-trained model?
At the same time, developers could use sensitive data (such as ethnicity, health information, or political opinions) to test and verify that their systems do not discriminate — a practice that is not currently permitted. However, the safeguards surrounding the use of this highly sensitive information remain unclea
4. A single entry point for reporting cyberattacks
The Digital Package also aims to simplify procedures in the event of a cybersecurity incident. Currently, companies must navigate multiple regulations (GDPR, NIS2, DORA, CER, eIDAS). A single platform, managed by ENISA, would allow them to submit one report, which would then be automatically forwarded to the relevant authorities.
