Europe Presents a Comprehensive Digital and AI Reform Proposal: What Does It Mean for Businesses?

The European Commission recently published a comprehensive legislative proposal, known as the Digital Omnibus, aimed at simplifying data regulation within the European Union by amending key legislation governing digital data. While there is still a way to go to finalize the amendments’ wording, this is a substantial move designed to remove barriers to data processing, particularly for technology companies, and especially artificial intelligence companies operating in the EU, and to boost competitiveness against the United States and China.

In this update, we summarize the proposal’s key aspects.

Which Laws Are Expected to Change?

The proposal includes a broad amendments package affecting four central instruments: the GDPR, the AI Act, the Data Act, and the ePrivacy Directive.

Proposed Changes to Personal Data Processing and Privacy (GDPR)

Narrowing the scope of personal data: The proposal seeks to determine that encrypted or pseudonymized data held by a company will not be considered “personal data,” provided the company does not have the means to decrypt or re-identify it. This change is likely to facilitate easier data transfers and data sharing between companies compared to the current situation.

Expanding scope of scientific research: The proposal seeks to broaden the term “scientific research” to explicitly include research that supports innovation, such as technological development and demonstration, even for commercial purposes. In addition, the proposal seeks to clarify that further processing of lawfully collected data for research purposes is compatible with the initial purpose of processing and may constitute a legitimate interest. This will enable and facilitate commercial companies to conduct R&D based on personal data.

Significant relief in data breach reporting: The proposal introduces a dual easing in the handling of data breach incidents. First, the obligation to report to authorities will be limited to cases posing a significant risk to data subjects’ rights, thus reducing the regulatory reporting burden while maintaining the duty to notify affected individuals. Second, the reporting window will be extended to 96 hours (instead of 72). In practice, this represents substantial relief for organizations, eliminating the need to report minor incidents and providing crucial additional time to assess the situation accurately and decide on appropriate actions.

In addition, the proposal establishes a single entry point for reporting incidents under all EU data-related laws (DORA, GDPR, NIS2, and more), using a unified reporting template and system.

Discretion in responding to user requests (DSRs): The proposal expands the grounds for companies to refuse data subject requests. Specifically, companies may refuse requests not aimed at protecting privacy. Examples include requests intended to bypass discovery rules, create an excessive burden on the company, and more.

Removing Barriers for AI Development and Training

Centralization of supervision: The proposal suggests a centralized supervision of general-purpose AI models (GPAI) under a single body: the AI Office. The AI Office will have comprehensive supervisory powers over these systems, minimizing the involvement of national bodies. This applies particularly to GPAI and systems embedded in very large online platforms (VLOP) or very large online search engines (VLOSE).

Postponement of the AI Act application date: The proposal includes a potential freeze on the obligations applicable to organizations developing or using high-risk AI systems. These obligations, set to apply in August 2026, may be postponed until harmonized standards are technically formulated and available for companies to implement.

New legal basis for data processing: The proposal explicitly states that companies may rely on legitimate interest when processing personal data for the development, training, and operation of AI systems. Consequently, data controllers may use personal data when necessary for operation and accuracy, bias detection and mitigation, or safety and security. If adopted, this will remove the requirement to obtain consent from individuals for the processing of their personal data as part of a dataset. However, reliance on legitimate interest is conditional on appropriate safeguards and granting data subjects an unconditional right to object (opt-out). This constitutes a significant easing of consent collection requirements for companies operating in this space.

Flexibility in processing sensitive data: The proposal introduces flexibility regarding special categories of data aimed at addressing technical limitations in AI model training and the complexity of filtering sensitive data out of datasets used to train large models. It allows the processing of sensitive data when necessary for bias mitigation, or when removing such data from the dataset would require a disproportionate effort.

Biometric data: The proposal includes a new exemption from the general prohibition on biometric data processing, when the purpose is user identity verification and the biometric data remains under the sole and complete control of the data subject.

Significant Relief in Digital Marketing

Reduced cookie consent requirements: Under the proposal, data collection for audience measurement, analytics, and statistical purposes, as well as cookies used for security and technical maintenance, will not require explicit consent (e.g., via cookie banners), provided the data is used solely by the company placing the cookies and is not shared with third parties. This will significantly ease data collection for service improvement.

Automated consent mechanism: The proposal mandates the implementation of a mechanism that respects automated consent signals sent by browsers, as pre-defined by users. This process effectively replaces the need for individual consent banners on every website.

Six-month rule: The proposal requires preserving user preferences for six months. This means that users who reject a cookie consent request cannot be asked to update their preferences again during this period.

“Reject all” button: The proposal codifies in law the obligation to display a “reject all” button with the same level of accessibility and prominence as the “accept all” button, in order to address dark patterns.

Protection of Trade Secrets: The Data Act

As part of the proposed changes, companies may refuse data sharing requests from users or clients if there is a concern that doing so would compromise trade secrets. This will allow companies to protect data, particularly when it might be transferred to countries outside the EU. Furthermore, the proposal introduces relief for cloud service providers categorized as small and medium-sized enterprises (SMEs) and small- to mid-cap companies, exempting them from the harshest Data Act requirements to boost market competitiveness.

Legislative Process

The European Commission has submitted the proposal, and a public consultation process is underway until March 2026. In parallel, the European Parliament is expected to begin discussing the proposal and shaping its position. Following these stages, around mid-2026, negotiations will take place among the various legislative bodies. The legislative process is expected to conclude toward the end of 2026.

Impact on Israeli Companies

As a rule, EU legislation often applies not only to European companies, but also to non-EU companies operating in Europe. For example, the legislation may apply to Israeli companies developing AI systems marketed in the EU, companies marketing products that involve data collection, or companies processing personal data in the course of providing services, tracking users, or conducting business activity in Europe. 

The legislative package offers a certain easing of the compliance burden on companies. However, this relief is not expected to eliminate the obligation to implement internal compliance processes. We recommend that companies conduct a risk assessment process, including a compliance risk assessment for each component of the legislative package.

This includes performing a risk assessment of the company’s data processing activities, with an emphasis on personal and sensitive data, and ensuring the existence of documentation evidencing internal governance processes. We recommend undertaking the following steps: 

• Map data processing activities and data flows within the company.
• Map the company’s AI uses.
• Establish an orderly data management and processing policy.
• Establish policies on incident response and compliance with reporting obligations to authorities.
• Document control processes and AI risk assessments.
• Establish an organizational AI policy.

The proposal signals a strategic shift in Europe that may ease stringent regulation in the fields of privacy and data protection, reflecting concerns that such regulation constitutes a significant commercial barrier. It marks a move toward encouraging development of the local market and enhancing competitiveness vis-a-vis leading AI powers like the US and China. We will continue to update you on progress in the legislative process and its implications for Israeli companies.

***

Dr. Avishay Klein is a partner and head of the firm’s Privacy, Cyber and AI Department.

Adv. Masha Yudashkin is an associate in the firm’s Privacy, Cyber and AI Department.

Barnea Jaffa Lande’s Privacy, Cyber and AI Department is at your service to provide legal assistance with data protection compliance, the development and implementation of AI systems, and the design of internal governance frameworks for such systems, tailored to regulatory requirements in Israel and abroad.