noyb publishes first analysis of the EU’s Digital Omnibus proposals

noyb has released a detailed examination of the European Commission’s Digital Omnibus package, which introduces wide-ranging amendments to the GDPR and ePrivacy framework. The report highlights how several proposed changes would reconfigure core definitions, alter long-standing safeguards, and create new legal bases for data processing, particularly in areas related to artificial intelligence and scientific research. While the Commission frames the reform as a technical update intended to simplify compliance, noyb argues that many provisions represent substantive departures from settled GDPR logic, CJEU case law, and Charter-level protections.

The analysis draws attention to structural issues across the draft, including newly introduced subjective tests for determining what constitutes personal data, expansive reinterpretations of scientific research, and broad allowances enabling AI developers to process sensitive data under reduced safeguards. According to the report, these proposals risk weakening rights that have been central to the EU’s data-protection model, while also creating operational uncertainty for regulators and controllers. Several sections raise concerns about enforceability given the technical opacity of AI systems and the already limited resources of supervisory authorities.

Across more than 70 pages, noyb illustrates the potential impact on data subjects, controllers, SMEs, and regulators, emphasising how certain provisions could complicate compliance rather than simplify it. The organisation underlines the need for further clarification, evidence-based proportionality assessments, and alignment with CJEU jurisprudence before the reforms advance. The report is presented as a first edition, with updated versions to follow.

Main takeaways
• The proposal introduces a subjective definition of personal data, allowing data to be non-personal for one entity but personal for another, contradicting settled CJEU case law and risking major enforcement gaps.
• The new definition of scientific research is extremely broad and could be used to justify wide-ranging processing, including commercial activities, undermining purpose limitation and safeguards under Article 89 GDPR.
• A new legal basis for AI allows processing of sensitive data during both development and operation of AI systems, even when not necessary, without a documented proportionality test under the EU Charter.
• Several terms such as ‘appropriate measures,’ ‘disproportionate effort,’ and ‘operation of an AI system’ lack clarity, increasing legal uncertainty and opportunities for misuse.
• Supervisory authorities would face heavy investigatory burdens, particularly around opaque AI-training datasets, despite limited resources.
• Data subjects’ ability to exercise rights could be severely constrained, especially where controllers claim data is non-personal or protected by broad research or AI exemptions.