Written by: Shaked Feldman Yiftah
In a series of far-reaching proposals aimed at reducing bureaucratic burden on businesses, the
European Union Commission is introducing steps to ease AI and privacy regulation. These include
extending the implementation period for rules governing high-risk AI systems by 16 months and
expanding simplifications granted to small and medium-sized companies. Additional measures include
minimizing the scope of “personal data,” reducing the scope of the obligation to inform data subjects,
replacing the right to object to automated decision-making with a prohibition on using such
mechanisms except in certain cases, and easing the obligation to report personal data breaches. The
proposal, published on November 19, is intended to allow businesses to spend less time on
administrative work and compliance and more time on innovation.
The package comprises three components:
• A Digital Omnibus to harmonize rules on artificial intelligence (AI), cybersecurity, and data
through amendments to central regulations and directives.
• A Data Union Strategy for high-quality data for AI.
• New regulation on European Business Wallets, allowing companies to manage a single digital
identity and simplify their operations across EU Member States.
The Commission estimates that the package will save businesses up to €5 billion in administrative
costs by 2029, and additional €150 billion each year for businesses who manage a European Business
Wallet.
The new digital package has sparked significant push-back from digital-rights groups, policy analysts,
and civil-society organizations. They argue that the Commission’s proposals are not mere “simplifications” but rather a major step backwards for data protection. Critics warn that the proposed
changes would undermine core safeguards and expand companies’ discretionary powers, consequently weakening individuals’ control over their personal data.
The Digital Omnibus
The Digital Omnibus aims to simplify compliance with AI and data regulation.Innovation-friendly AI rules. The Commission acknowledges the need for standards and support for
the efficient implementation of the law. Therefore, it proposes to adjust the entry into application of
the rules governing high-risk AI systems to a maximum of 16 months, so the rules start applying only
once such standards and support tools are available.
The Commission also proposes certain amendments to the AI Act. These include:
• Extending some of the simplifications granted to Small and Medium-sized Enterprises (SMEs)
and Small Mid-Caps (SMCs), such as simplified technical documentation requirements;
• Adding certain safeguards to enable the processing of special categories of data for the
purpose of bias detection and mitigation, such as imposing technical limitations on the re-use
of data;
• Expanding compliance tools, including an EU-level sandbox (starting 2028) and real-world
testing, especially in core industries;
• Reinforcing the EU AI Office’s powers and centralizing oversight of General-Purpose AI (GPAI)
systems.
Simple cybersecurity reporting. The Digital Omnibus also introduces a single-entry interface for allincident-reporting obligations, which will be developed with robust security safeguards and undergo
comprehensive testing to ensure reliability and effectiveness.
Innovation-friendly privacy framework. The Digital Omnibus proposes targeted amendments to theGDPR to harmonize, clarify, and simplify it to promote innovation while aiming to maintain a high levelof personal data protection. The amendments include, among other things:
• Minimizing the scope of “personal data,” such that information will not be considered personal
for a certain entity merely because a potential subsequent recipient may be able to identify
the natural person to whom it relates;
• The addition of two special categories of data: (i) processing in the context of the development
and operation of an AI system or model; and (ii) processing of biometric data necessary to
verify the identity of a data subject, where the biometric data or meansfor verification is under
the sole control of the data subject;
• Minimizing the scope of the obligation to inform data subjects about the collection and
processing of their personal data;
• Removing data subjects’ right to object to automated decision-making, replacing it with a
prohibition on the use of such mechanisms, unless necessary to perform a contract, authorized
by a competent authority, or based on the data subject’s consent;
• Minimizing the scope of the obligation to report a personal data breach to apply only when
the breach is likely to result in a high risk to the rights and freedoms of individuals, and
extending the reporting period from 72 hours to 96 hours;
• The addition of provisions concerning processing in the context of AI systems.
Modernizing cookie rules to improve users’ online experience. The Commission acknowledges the
prevalence of “consent fatigue” associated with cookie banners. Accordingly, it suggests amending
the e-Privacy Directive (Directive 2002/58/EC) and the GDPR to address the storing of personal data orgaining access to data already stored in the user’s terminal equipment (e.g., their phone). Under the
proposed change, the storing, accessing, and subsequent processing of such data will be permitted
without the user’s consent if they are required for the transmission of a service.
Data Union Strategy
The Data Union Strategy outlines additional measures to achieve high-quality data for AI, based on
three main pillars:
• Scaling up access to data for AI, based on initiatives like data labs that offer trusted
pseudonymization services and serve as a centralized source for data across public and private
actors.
• Streamlining data rules to ease data sharing between businesses and researchers.
• Strengthening the EU’s global position on international data flows by reducing trade barriers
to boost the competitiveness of European companies that operate globally.
European Business Wallet
The proposed European Business Wallet regulations are intended to provide both the private and
public sectors in Europe with a unified tool to digitalize their operations.
The Business Wallet will allow businesses to digitally create, sign, timestamp, and store documents,
and securely communicate with other businesses or public administrations in their country, including
by exchanging documents. The aim of the regulation is to reduce regulatory burden when extending a
business to another EU Member State, when paying taxes, and more. It is estimated to save businesses
up to €150 billion a year.
What’s next?
The Digital Omnibus legislative proposals were submitted to the European Parliament and the EU
Council for adoption. This marks the first step in the Commission’s strategy to simplify legislation in
the EU.
The Commission has also launched the second step of its strategy with a wide consultation on the
Digital Fitness Check, which will assess how certain legislation delivers on its promise for
competitiveness and examine its coherence and impact.
