Last Updated: November 21, 2025
If you do business in Europe or handle data from European customers, you need to know about the Digital Omnibus Package that the European Commission just released on November 19, 2025.
This isn’t a minor update—it’s the most significant proposed overhaul of EU data protection law since GDPR took effect in 2018. And unlike typical regulatory changes that take years to surface, this one appeared suddenly, with limited prior consultation, and is being fast-tracked through the legislative process.
The Commission frames it as “simplification” and promises fewer cookie banners and reduced administrative burdens. Privacy advocates call it “the biggest attack on European digital rights in years” and argue it undermines fundamental protections.
So what’s actually in these proposals? We’ve analyzed the full text, reviewed expert commentary from privacy organizations and law firms, and examined real-world implementation studies. Here’s what you need to know—without reading 150 pages of regulatory text.
What Is the Digital Omnibus Package?
Think of it as a comprehensive update to Europe’s digital rulebook. The package proposes changes to:
- The GDPR (General Data Protection Regulation)
- The ePrivacy Directive (cookie rules)
- The NIS2 Directive (cybersecurity)
- The Data Act (data sharing rules)
The stated goal is making European businesses more competitive while maintaining strong privacy protections. The Commission argues that current rules are too burdensome and that Europe is falling behind in areas like AI development.
Critics counter that the proposals weaken protections that have defined European privacy law for over 40 years, primarily benefiting large tech companies rather than the small and medium businesses the Commission claims to help.
How Did We Get Here?
Here’s where it gets interesting—and controversial.
Most EU Member States explicitly asked the Commission not to reopen the GDPR. Major political groups in the European Parliament (Social Democrats, Renew, and Greens) publicly called on the Commission to stop these changes before they were officially released. Over 127 civil society organizations signed letters opposing the proposals.
The Commission went ahead anyway.
Some point to pressure from Germany, which has been pushing for specific changes. Others reference reports that Commission Vice-President Henna Virkkunen told US businesses directly that the EU would become more “business-friendly.” There are also reports of increasing pressure from the incoming Trump administration for the EU to cut back on regulations to avoid tariffs.
Whatever the political backstory, the result is the same: major proposed changes to how your business handles personal data, pushed through without the usual impact assessments or extended consultation periods.
The Major Changes You Need to Understand
1. What Counts as “Personal Data” Is Being Narrowed
Current Rule:
Data is “personal” if it relates to an identifiable person, either directly or indirectly. This is an objective test—it doesn’t matter whether you personally can identify someone; it matters whether identification is reasonably possible.
Proposed Change:
Data would only be “personal” for your organization if you have “means reasonably likely to be used” to identify someone. If identification would be legally prohibited or require “disproportionate effort,” the data isn’t personal data for you.
Why This Matters:
This shifts from an objective to a subjective standard. Whether GDPR applies would depend on:
- Your organization’s internal capabilities and intentions
- Your specific circumstances at a specific time
- Case-by-case assessments
Real-World Example:
A data broker processing millions of pseudonymized profiles could claim they don’t “intend” to identify individuals and don’t have “means reasonably likely” to do so—even if the data could easily be combined with other datasets to identify people. Under current rules, this is clearly personal data. Under proposed rules, it might not be.
The Controversy:
Privacy advocate Max Schrems compares this to “a gun law that only applies to guns when the owner confirms he is able to handle a gun and intends to shoot someone.”
Data protection authorities and courts would face endless debates about a company’s “true intentions” rather than objective technical assessments.
2. AI Training Gets a Green Light (With Conditions)
What’s Changing:
AI development and training would be explicitly recognized as a “legitimate interest” under GDPR. This includes using personal data to train AI models and operate AI systems.
There’s even a new exemption allowing companies to process “special category data” (sensitive information like health, race, political views) if it appears residually in training datasets—as long as they take technical measures to minimize and remove it.
What You Must Still Do:
- Conduct a balancing test showing your AI development interest outweighs individual privacy rights
- Implement data minimization
- Give users an unconditional right to object to their data being used for AI
- Put technical safeguards in place to prevent collecting sensitive data
The Controversy:
The Commission’s own consultation in October 2024 showed that only 7% of Germans wanted Meta to use their personal data to train AI. Yet the proposal would allow Big Tech to use years of social media posts, photos, and personal information for AI training—with only an opt-out mechanism.
Critics argue this opt-out approach is practically useless: users don’t know whose training datasets contain their data, and they’d have to opt out thousands of times per year as different companies train new models.
Max Schrems: “Usually more risky technologies have to meet a higher standard. The Commission proposal now opens the floodgates once AI is used—while traditional data processing would still fall under current laws. That’s insane.”
3. Cookie Rules Are Changing (But Not How You Think)
The Promise:
Fewer cookie banners, simpler consent, universal browser-based preferences.
The Reality:
It’s complicated, and the “50% of websites will lose banners” claim doesn’t match real-world data.
What’s Actually Changing:
The proposal moves cookie/tracking rules into GDPR through new Article 88a, creating a narrow “consent-free lane” for:
- Pure transmission of communications
- Services explicitly requested by users
- Your own aggregated audience measurement (truly first-party, not shared)
- Security and maintenance
New Article 88b introduces browser/OS-level consent signals that websites must honor (with one big exception—see below).
Why Most Sites Still Need Banners:
Recent scans of 36,500 Danish websites found:
- 73% were non-compliant with current cookie rules
- 55% loaded Google Tag Manager before showing any consent banner
- Most use Google Analytics, Meta Pixel, TikTok, and other third-party tools
None of these fall into the “consent-free lane.” They’re third-party processing that still requires consent.
Even public sector websites aren’t doing better:
- 82% of Danish municipal sites non-compliant
- 91% of Swedish municipal sites non-compliant
Evidence-based estimate: Only about 12-18% of websites today would actually qualify to operate without banners under the new rules. The Commission’s “50%” projection appears to count websites that don’t exist in real traffic logs.
4. The Google Analytics Question Everyone’s Asking
Can Google Analytics run without consent under the new rules?
Short answer: No.
Why not:
Google Analytics (including GA4) is third-party processing. The data goes to Google, not just your own systems. The consent-free lane is only for “the controller’s own aggregated audience measurement.”
Even self-hosting Google Tag Manager doesn’t change this—if data flows to Google’s services, you’re outside the consent-free lane.
What about Google Consent Mode?
This is a common misunderstanding. Google Consent Mode is a technical tool that communicates your users’ consent state to Google tags. It is not a way to avoid getting consent in the first place.
- Basic Consent Mode: Works only if nothing phones home to Google until after valid consent
- Advanced Consent Mode: Sends “cookieless pings” even when users refuse—these pings are still data processing requiring consent
What qualifies as truly first-party analytics:
- Self-hosted Matomo with proper configuration
- Custom analytics on your own infrastructure
- Server log analysis that stays in-house
- No data sharing with third parties or advertising networks
Bottom line: If you use GA4, Adobe Analytics, Mixpanel, or similar tools, you’ll still need consent before they load.
5. Data Breach Reporting Gets Genuinely Simpler
This is one area where the proposals offer real simplification:
Current Rules:
- Report within 72 hours
- Notify for any breach “likely to result in risk to individuals”
- Different reporting requirements across multiple regulations
- No standardized format
Proposed Rules:
- Report within 96 hours (24 hours more)
- Only report “high risk” breaches (higher threshold)
- Single EU-wide portal for all reports
- Standardized template from European Data Protection Board
- “Submit once, share widely” across multiple regulations
Why This Actually Helps:
If your organization falls under multiple EU regulations (GDPR, NIS2, DORA, Critical Entities Resilience Directive), you currently report the same incident multiple times through different channels. The new system would genuinely reduce duplicated effort.
The higher threshold also means fewer mandatory reports for minor incidents with limited impact.
6. Your Rights to Access Your Data Are Being Restricted
This is one of the most controversial proposals.
Current Rules:
You have the right to access your personal data for any reason. Companies must respond to legitimate requests. The CJEU (EU’s highest court) has repeatedly confirmed you can use these rights for any purpose—including gathering evidence for employment disputes, lawsuits, or to correct errors affecting you financially.
Proposed Changes:
Companies could refuse your access request or charge fees if:
- The request is deemed “abusive”
- You’re using it for purposes other than “data protection”
Examples of what might be refused:
- An employee requesting work hour records for an unpaid wages dispute
- Someone requesting credit rating data to challenge incorrect information affecting their loan rates
- A journalist seeking information for an investigation
- A researcher gathering data for a study
Why This Is Controversial:
This appears to directly violate:
- Article 8 of the EU Charter of Fundamental Rights
- Multiple CJEU court decisions
- The fundamental principle of “informational self-determination”
Critics argue the reality isn’t that citizens abuse their rights—it’s that companies don’t comply. Cutting back user rights when enforcement is already inadequate seems backwards.
Expected Outcome: Legal challenges if this provision survives the legislative process.
7. Cookie Banners and the “Six-Month Rule”
New Requirement:
If a user refuses consent for a specific purpose, you cannot ask again for at least six months. If they grant consent, you cannot keep prompting while that consent is valid.
What You Need to Implement:
- Store refusal state on the user’s device (typically a first-party cookie)
- Track this per purpose, not just globally
- Ensure suppression works before anything else loads
- Note: This is device-specific—refusing on a phone doesn’t carry over to a laptop
UX Requirements:
- “Reject All” must be as prominent and easy as “Accept All”
- One-click refusal must be possible
- No dark patterns or hidden refusal options
The Goal: Stop “consent fatigue” from endless pop-ups and manipulative banner designs.
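As an added example (not code from the article, from Mosaiku, or from any consent platform), the store below implements the per-purpose refusal state, six-month suppression and one-call “Reject All” described in this section, and the “nothing fires before a recorded grant” gating discussed under the Google Analytics question. The storage key, purpose names, the 182-day approximation of six months and the tag objects are all assumptions.

```javascript
// Added example (not the article's or Mosaiku's code): per-purpose consent
// state with six-month re-prompt suppression and a tag load gate.
const SIX_MONTHS_MS = 182 * 24 * 60 * 60 * 1000; // assumption: six months ~ 182 days
const PURPOSES = ["analytics", "marketing", "personalization"]; // illustrative names
const KEY = "consent_state"; // assumption: first-party storage key

class ConsentStore {
  // storage: anything with getItem/setItem (localStorage or a first-party
  // cookie shim); now: epoch-ms clock, injectable so behaviour is testable.
  constructor(storage, now = () => Date.now()) {
    this.storage = storage;
    this.now = now;
  }
  _load() { const raw = this.storage.getItem(KEY); return raw ? JSON.parse(raw) : {}; }
  _save(state) { this.storage.setItem(KEY, JSON.stringify(state)); }
  // Record one decision per purpose together with when it was made.
  record(purpose, granted) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    const state = this._load();
    state[purpose] = { granted, at: this.now() };
    this._save(state);
  }
  // Reject All and Accept All are single calls of equal weight.
  rejectAll() { PURPOSES.forEach((p) => this.record(p, false)); }
  acceptAll() { PURPOSES.forEach((p) => this.record(p, true)); }
  // No recorded decision means not granted: silence is not consent.
  isGranted(purpose) {
    const d = this._load()[purpose];
    return Boolean(d && d.granted);
  }
  // Ask again only if undecided, or if the refusal is at least six months
  // old. A still-valid grant also suppresses further prompting.
  mayPrompt(purpose) {
    const d = this._load()[purpose];
    if (!d) return true;
    if (d.granted) return false;
    return this.now() - d.at >= SIX_MONTHS_MS;
  }
  promptablePurposes() { return PURPOSES.filter((p) => this.mayPrompt(p)); }
}

// Gate third-party loaders: a tag runs only if its purpose is granted.
// Refused or undecided tags are skipped entirely, with no fallback "ping".
function loadPermittedTags(store, tags) {
  const loaded = [];
  for (const tag of tags) {
    if (store.isGranted(tag.purpose)) { tag.load(); loaded.push(tag.name); }
  }
  return loaded;
}

// Map-backed stand-in for localStorage so the example runs under Node.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}

// One visitor's lifecycle under a controllable clock.
function demo() {
  let clock = Date.UTC(2026, 0, 1);
  const store = new ConsentStore(memoryStorage(), () => clock);
  const tags = [ // constructed stand-ins for third-party tags
    { name: "analytics-vendor", purpose: "analytics", load() {} },
    { name: "ads-pixel", purpose: "marketing", load() {} },
  ];
  const beforeDecision = loadPermittedTags(store, tags); // []: nothing fires yet
  store.rejectAll();
  const afterReject = store.promptablePurposes();        // []: suppressed
  clock += SIX_MONTHS_MS;
  const afterSixMonths = store.promptablePurposes();     // all three purposes
  store.record("analytics", true);
  const afterGrant = loadPermittedTags(store, tags);     // ["analytics-vendor"]
  return { beforeDecision, afterReject, afterSixMonths, afterGrant };
}
```

Because the state lives on the device, the same visitor on a second browser starts undecided again, which is the device-specific limitation noted above.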
8. Machine-Readable Consent Signals (And a Big Exception)
The Proposal:
Users can set privacy preferences once at the browser or operating system level, and websites must respect these settings automatically.
How It Works:
- Set “refuse tracking” in your browser
- Websites detect this and don’t show banners
- Processing stops at the point of origin
Sounds Great, Right?
The Massive Exception:
Media service providers are exempt from honoring these signals. News sites, streaming platforms, and media publishers can ignore your browser preference and show their own consent flows anyway.
Why This Undermines Everything:
If the largest trackers (media companies) can ignore universal signals, then:
- The signal stops being a right and becomes a suggestion
- Dark patterns return through the front door
- Small publishers who respect signals are disadvantaged
- Users learn that privacy controls are theater
The Irony: California and Colorado are making similar signals binding for everyone. The EU would create a major industry exception for the sector where tracking is most entrenched.
9. DPIAs Finally Get Harmonized
This is another genuine improvement.
Current Situation:
Data Protection Impact Assessments (DPIAs) require checking 27 different national lists to know when they’re mandatory. Each EU country has slightly different requirements.
Proposed Change:
- European Data Protection Board creates one EU-wide list
- Standardized template and methodology
- Reviewed and updated every three years
Who Benefits:
Any organization operating in multiple EU countries. Instead of navigating 27 different frameworks, you’d have one clear standard.
10. Scientific Research Gets Clearer (and More Commercial)
New Definition:
“Scientific research” explicitly includes “any research which can also support innovation, such as technological development and demonstration.”
Importantly: Research may aim to further a commercial interest as long as it:
- Contributes to scientific knowledge or applies it in novel ways
- Aims to contribute to society’s general knowledge and wellbeing
- Adheres to ethical standards
What This Means:
Commercial R&D, product development research, and innovation projects get clearer recognition and associated GDPR flexibilities.
What It Doesn’t Mean:
Pure market research or competitive intelligence likely still won’t qualify—there must be a societal benefit component.
The Political Fight Ahead
This is still a proposal, not law. It must go through:
- European Parliament review and amendments
- Council of the EU review and amendments
- Negotiation between Parliament and Council
- Final adoption
This process typically takes 18-24 months and often results in significant changes from the original proposal.
Current Political Opposition:
- Most EU Member States opposed reopening GDPR
- Major Parliament groups (S&D, Renew, Greens) called for the Commission to stop
- 127 civil society organizations signed opposition letters
- Privacy advocates are mobilizing against key provisions
However:
- The Commission is pushing a “fast track” procedure
- There’s reported pressure from German government and US administration
- The “competitiveness” narrative is politically powerful
- Some Parliament groups may support weakening privacy protections
Prediction: Expect significant amendments, but some version of these changes will likely pass. The question is which provisions survive and in what form.
Why The Controversy Is So Intense
Argument For: Europe Needs to Compete
Supporters argue:
- Current rules are too complex and burdensome
- European businesses are disadvantaged vs. US/Chinese competitors
- AI development requires clearer legal frameworks
- Harmonization reduces compliance costs
- Small businesses need simpler rules
Argument Against: This Weakens Fundamental Rights
Critics argue:
- Changes primarily benefit Big Tech, not small businesses
- Subjective definitions make enforcement impossible
- User rights are being sacrificed for corporate convenience
- The process was rushed without proper impact assessment
- 40+ years of European privacy protection is being undermined
- “Simplification” claims don’t match technical reality
What The Data Shows
Actual website scans reveal the “simplification” promises don’t match reality:
- 73% of sites would still need consent mechanisms
- Popular tools like GA4 remain consent-bound
- Most Cookie Consent Platforms still track before consent
- Public sector sites are largely non-compliant despite having fewer commercial pressures
The Commission’s cost-saving calculations appear based on an idealized web that doesn’t exist in practice.
What Should You Do Right Now?
For Any Business Operating in the EU
Immediate (Next 3 Months):
- Don’t Panic, But Pay Attention
These are proposals that will take months to finalize and longer to implement. Don’t overhaul everything based on draft text that may change significantly.
- Audit Your Current Compliance
  - What data do you process and why?
  - Where does it go? (Really trace the network calls)
  - Do you currently need consent for your processing activities?
  - Are you actually blocking non-essential processing until after consent?
- Monitor the Legislative Process
Subscribe to updates from:
  - Your national data protection authority
  - Industry associations you belong to
  - Privacy law firms or consultants you work with
- Document Everything
Good documentation helps under current rules and will help under whatever final rules emerge:
  - What data you process and why
  - Legal basis for each processing activity
  - Data minimization measures
  - User rights response procedures
Medium-Term (6-12 Months):
- Evaluate Your Analytics Stack
If you use third-party analytics (GA4, Adobe, etc.), understand that these will remain consent-bound. Consider:
  - Is truly first-party analytics feasible for your needs?
  - What’s the investment required?
  - What’s the risk of your current setup?
- Review Your Consent Infrastructure
Whether you use a Consent Management Platform or a custom solution:
  - Does it make third-party calls before consent? (This is non-compliant)
  - Can it support purpose-level tracking with six-month suppression?
  - Does it offer a clear “Reject All” at the same level as “Accept All”?
- Prepare for Machine-Readable Signals
Standards aren’t finalized yet, but start thinking about:
  - How your site would detect and respect browser preferences
  - How to integrate this with existing consent flows
  - What happens during the transition period
- Plan for Breach Reporting Changes
When the new portal launches:
  - Update your incident response procedures
  - Train teams on the “high risk” threshold
  - Prepare for the standardized template format
Long-Term Strategic Decisions:
- First-Party Infrastructure
Consider whether investing in truly first-party analytics, consent management, and data processing makes strategic sense beyond just compliance.
- Privacy as Competitive Advantage
Even if regulations relax, strong privacy practices can differentiate you—particularly in B2B markets and with privacy-conscious consumers.
- Flexible Compliance Architecture
Build systems that can adapt to different regulatory scenarios. The final law may differ significantly from current proposals, or may face legal challenges after adoption.
The Real Questions Worth Asking
Beyond the technical details, this situation raises fundamental questions:
1. Who is this really for?
The Commission says it’s for small businesses. Critics point out that legal loopholes benefit companies with sophisticated legal departments more than small organizations. Real scans show the “simplified” web the Commission describes doesn’t match how actual businesses operate.
2. What happened to evidence-based policy?
Major EU legislation typically undergoes extensive impact assessment. This appeared suddenly, pushed through a “fast track” process, with cost-savings calculations that don’t match real-world data. Why the rush?
3. Is privacy a fundamental right or an economic burden?
Article 8 of the EU Charter of Fundamental Rights guarantees data protection. When economic competitiveness arguments override fundamental rights, what does that say about EU values?
4. Can you simplify by adding subjectivity?
Making core definitions depend on case-by-case, company-by-company assessments of “intent” and “reasonable means” doesn’t simplify—it creates endless litigation and uncertainty.
The Bottom Line
The Digital Omnibus Package represents the most significant proposed changes to EU data protection law in over a decade. Some provisions offer genuine improvements:
✅ Real Simplifications:
- Unified breach reporting with extended timelines
- Harmonized DPIA frameworks
- Clearer AI development rules
- Explicit recognition of commercial research
❌ Controversial Changes:
- Narrowing personal data definition with subjective elements
- Restricting data subject rights in ways that may violate fundamental rights
- Media services exemption from universal consent signals
- Claims of “simplification” that don’t match technical reality
⚠️ Key Uncertainties:
- Final text may differ significantly after Parliament/Council review
- Implementation timelines depend on standards that don’t yet exist
- National law transitions will create complexity, not simplify it
- Legal challenges to key provisions are expected
Our View:
Focus on building solid, documented, honest privacy practices now. Those won’t become obsolete regardless of which version of these proposals ultimately becomes law. The fundamentals remain:
- Be transparent about what you do with people’s data
- Give genuine control and choices
- Minimize what you collect and retain
- Take security seriously
- Respect when people say no
These principles survive regulatory changes because they’re rooted in respect for individuals, not just legal compliance.
How Mosaiku Can Help
Navigating regulatory uncertainty requires expertise, perspective, and practical experience. Whether you’re:
- Assessing how these proposals might affect your operations
- Auditing your current compliance status
- Planning for multiple regulatory scenarios
- Implementing technical changes to consent infrastructure
- Updating policies and procedures
Mosaiku provides practical, business-focused privacy guidance that balances legal compliance with operational reality.
Our Services:
- GDPR compliance assessments and gap analysis
- Technical audits of tracking, analytics, and consent implementations
- DPO-as-a-Service for ongoing compliance management
- Regulatory monitoring and strategic advisory
- Incident response planning and support
Schedule a Consultation to discuss how the Digital Omnibus might affect your business and what you should be doing now.
Sources:
- European Commission, Digital Omnibus Package proposal, November 19, 2025
- noyb (European Center for Digital Rights), “Digital Omnibus: EU Commission wants to wreck core GDPR principles,” November 19, 2025
- Covington & Burling LLP, Inside Privacy analysis, November 20, 2025
- Ronni K. Gothard Christiansen, “The Omnibus & Consent: What Actually Changes,” November 20, 2025
- AesirX Privacy Scanner data, Danish and Swedish website compliance scans, July-September 2025
About Mosaiku:
We’re a team of privacy professionals, legal experts, and technical specialists who help organizations navigate complex data protection requirements with practical, business-focused guidance. We believe privacy should be accessible, implementable, and integrated into how businesses operate—not just a compliance checkbox.
Disclaimer: This article provides general information about proposed regulatory changes and should not be construed as legal advice. These are proposals, not final law. Data protection requirements are complex and fact-specific. Consult with qualified legal counsel for guidance on your specific situation.