# Omnibus, GDPR, AI Act: what does the leak reveal?

By Leïla Sayssa. Published 2025-11-14.

For the past few days, [a leak has been making waves in Brussels: a draft of the future “Digital Omnibus” regulation](https://noyb.eu/sites/default/files/2025-11/EU-Kommission-Digital-Omnibus-A-Data-Act-und-DSGVO.pdf), which the European Commission **is due to officially present on 19 November 2025**.

The project’s stated goal is to simplify and “harmonize” the European digital framework (GDPR, AI Act, ePrivacy, Data Act, etc.): remove overlaps, clarify obligations, and reduce the burden on certain companies, in particular SMEs.

Initially, the Commission planned to carry out a **“Digital Fitness Check”** in 2026, gather solid evidence, and then propose a targeted and thoroughly prepared revision of the GDPR and other digital texts.

The current approach is quite different: an **accelerated procedure**, in which EU services have only five working days to review a draft text. This clearly moves away from an evidence-based approach.

In this article, we therefore break down what the leaked Omnibus draft actually contains, its potential impact on the GDPR and the AI Act, and what DPOs / lawyers should start anticipating — without giving in to panic.

Important: **this is only a draft**. The official text may be different and will still need to be discussed and amended by the European Parliament and the Council. In other words, nothing is set in stone.

---

## 1. What is the “Digital Omnibus” project?

The [“Digital Omnibus”](https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal) is a horizontal draft regulation aimed at revising, in a single text, several major European digital laws:

- GDPR
- ePrivacy Directive
- Data Act
- Certain cybersecurity and sectoral data rules
- And a separate text specifically targeting the AI Act and its application timeline.

> The Commission’s argument: too many texts, too much overlap, too much administrative burden, especially for SMEs. The answer: a “cleanup” of the digital acquis through “targeted adjustments.”

Problem: the leaked draft does more than clarify. It touches on *structural concepts* of the GDPR (definition of personal data, sensitive data, automated decision-making, access to terminals, etc.).

---

## 2. What the leak would change for data protection

### 2.1. A more “subjective” definition of personal data

Today, personal data means any information relating to an *identified or identifiable* person, taking into account the means reasonably available to *any* actor that may process those data.

The Omnibus project would introduce a much more subjective approach:

> Information would no longer be personal data for an entity that **does not itself have the reasonable means to identify the person**, even if a third party can do so.
>
> This interpretation was recently adopted by the CJEU in **EDPS v SRB**, which broke with the long-assumed “absolute” approach to the notion of personal data.
>
> To learn more about this ruling, [see our article here.](https://www.dastra.eu/fr/article/cjue-2025-donnees-pseudonymisees-toujours-personnelles/59570)

Possible consequences:

- Pseudonymous identifiers, cookies, marketing IDs, or logs could be classified as “non-personal” for certain actors.
- Part of the ecosystem could fall outside the scope of the GDPR… even though the CJEU has, for 20 years, taken a *broad* interpretation of the notion of personal data.

For DPOs, this creates a real fragmentation risk: the same dataset could be subject to the GDPR for A, but not for B.

---

### 2.2. Sensitive data: protection limited to what is “directly revealed”

Another major shift concerns “special categories of data” (Article 9 GDPR).

The Omnibus project:

- Narrows the definition of “health data” to data that **directly** reveal health status.
- Applies the same logic to other sensitive categories (racial or ethnic origin, political opinions, religious beliefs, sexual orientation, etc.): only data that *directly* reveal them would be protected under Article 9.

Anything that can be **inferred** (profiling, inferences, correlations) would fall under a much less protective regime. This is exactly the opposite of the CJEU’s consistent position and of the modernized Convention 108.

In addition, the text **adds new grounds for processing sensitive data, in particular for:**

- The development of AI systems
- And, in some cases, their “operation,” on the basis of legitimate interest, with “appropriate measures.”

In other words, processing highly sensitive data in AI models could become much easier as soon as innovation and a few generic “*safeguards*” are invoked.

---

### 2.3. Data subject rights: erosion by a thousand cuts

Critics call it “death by a thousand cuts”: not necessarily isolated revolutions, but a gradual weakening of several safeguards.

Among the notable points in the draft:

- **Simplifying the processing record for SMEs with fewer than 750 employees**
- **Abusive requests may be rejected if they are considered excessive or made for other purposes (e.g. preparing a better litigation file)**
- **Article 13 GDPR (information)**
  - Possible exemption from information duties where processing takes place within a “clear and delimited” relationship, if it can reasonably be assumed that the person already knows the purposes, legal basis and identity of the controller.
  - Limits: this would not apply in the case of transfers to other recipients, transfers outside the EU, or high-risk processing.
- **Automated individual decisions (Article 22)**
  - The substance would remain broadly similar, but the wording would shift from a “prohibited unless…” logic to an “allowed unless…” logic. A symbolic but important shift in future interpretation.
- **Personal data breach notifications (Article 33)**
  - Only breaches resulting in a *high risk* to individuals would have to be notified to the authority.
  - Deadline extended from 72 hours to 96 hours.
- **Lists of processing operations requiring a DPIA**
  - These would be established directly by the EDPB, no longer drawn up by each national authority (CNIL, etc.) and then sent up to the EDPB.

Each time, the logic is the same: fewer notifications, less paperwork… but also less visibility for individuals and less local oversight.

---

### 2.4. Terminal access, cookies and ePrivacy: toward a browser-based “super-consent”?

The Omnibus project partially merges the ePrivacy logic into the GDPR through new Articles 88a, 88b, 88c on:

- Access to data stored on terminals (computer, smartphone, connected devices).
- The possibility of expressing consent via *automated* signals (a “Do Not Track” / Privacy Signal type of mechanism).

Concretely:

- Some access to terminals would “always” be possible without consent (routing a communication, providing a requested service, measuring audience, ensuring security).
- For other uses (ads, tracking, AI training…), Article 6 GDPR legal bases would apply, **including legitimate interest** in some cases, whereas today the ePrivacy Directive effectively requires consent for most cookies.
- Browsers would have to implement a standardized consent/objection signal, machine-readable by websites; controllers would have to respect it for at least 6 months.
- Media outlets could benefit from exceptions given their dependence on advertising revenue.

---

## 3. And what about the AI Act?

The [Digital Omnibus on AI Regulation Proposal](https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-ai-regulation-proposal) does not rewrite the AI Act, but it **adjusts** it along two main lines:

1. **Relieve certain procedural obligations**
   - Possible exemption from registration in the database of high-risk AI systems when they are used only for narrow or procedural tasks.
2. **Relax the implementation timeline**
   - Introduction of a **one-year grace period** during which authorities could not impose sanctions before August 2027.
   - Obligations to label AI-generated content (deepfakes, disinformation) would also benefit from transitional periods.

In addition, the project provides for a second specific AI Act text in the digital package, more focused on interpretation and implementation than on a deep rewriting of the substantive rules.

👉 In short: the AI Act is not being “stopped,” but its **curve is being softened** and friction reduced for certain use cases, in a context where the aim is clearly to give AI players in Europe some breathing room.

---

## 4. Is the project compatible with the Charter and CJEU case law?

From the perspective of data protection law practice, several issues arise:

### 4.1. Notion of personal data

- The CJEU has consistently adopted a broad interpretation (Breyer, Nowak, etc.), considering not only the means of a given actor, but also those of a reasonable third party.
- The shift toward a “purely subjective” approach seems difficult to reconcile with Article 8 of the Charter of Fundamental Rights and modernized Convention 108.

### 4.2. Sensitive data and inferences

- Limiting protection to data that “directly reveal” a health condition, sexual orientation, political opinion, etc., would leave the entire field of **inferences** without enhanced protection — even though these are precisely what most often drive discrimination.

### 4.3. AI training & legitimate interest

- Making **training and operation of AI systems** a kind of standalone, preferred basis grounded in legitimate interest runs counter to the principle of technological neutrality in the GDPR: same processing, regardless of the technology.

Several NGOs (noyb, EDRi, Amnesty, etc.), as well as around a hundred civil society organizations, have already called on the Commission to rework its draft, speaking of a “GDPR stripped of its substance.”

---

## 5. What should DPOs and lawyers do *now*?

Spoiler: **nothing changes legally today**. The GDPR and the AI Act remain applicable in their current versions. But this is the moment to anticipate intelligently.

### 5.1. Do not “loosen” compliance based on a leak

- As long as the Digital Omnibus is not adopted, **any strategy anticipating a relaxation** (for example, allowing more tracking or more AI uses on sensitive data) is legally risky.
- On the contrary, it is better to **document** your current constraints: if the framework really does loosen, you will be ready to reassess your risks and legal bases.

### 5.2. Map your AI uses now

Use this moment to:

- Clearly identify:
  - The AI systems used (internal / SaaS / API),
  - The processing involved (training, fine-tuning, inference),
  - The types of data (including sensitive or inferred data).
- Check your **current** legal bases (consent, performance of contract, legitimate interest) and your DPIAs.
- Anticipate AI Act obligations (risk classification, data governance obligations, documentation, logs).

### 5.3. Closely follow discussions on:

- The redefinition of personal data (huge impact on the qualification of your datasets, logs, IDs).
- The new regime for terminals & cookies (machine-readable consent signal, potential “do not track” models).
- The room for maneuver offered for training AI models on personal data.

The idea is not to rebuild your entire compliance posture every time a rumor appears, but to **include Omnibus in your structured monitoring**.

---

## 6. How a platform like Dastra can help you stay “Omnibus-proof”

If this project goes all the way through (even partially), complexity will not disappear — it will just *change shape*. Concretely, a governance platform like Dastra can help you to:

- **Centralize your “AI” processing operations** in the register, with specific tags (training, inference, high risk / non-high risk).
- **Link your processing operations to legal bases and the data used** (including pseudonymized, inferred, sensitive data), so you can quickly reassess the impact of a change in definition.
- **Track DPIAs and, in the future, AI Act requirements** (documentation, mitigation measures, evidence).
- **Record your compliance decisions** (for example: why you consider a given dataset personal or not, a given legal basis applicable or not).
- **Automate rights management** even in a context where processing becomes more complex (especially if AI use becomes widespread).

---

## Key takeaways

- The Omnibus project **is not yet positive law**, but it clearly signals a political will: to ease the GDPR and adjust the AI Act to support AI.
- The proposed changes affect **core pillars** (definition of personal data, sensitive data, ePrivacy, automated decisions).
- They are attracting **strong criticism** and will have to pass several legislative stages; the text will likely evolve.
- For DPOs, the right reflex is not to ease off, but to **document**, **map AI uses**, and prepare to adapt compliance without sacrificing individuals’ rights.
blanc","white-papers","#1795d3",3,[],[78,83],{"id":27,"name":28,"description":29,"url":30,"color":31,"parentId":13,"count":13,"imageUrl":13,"parent":13,"order":12,"translations":79},[80,81,82],{"lang":34,"name":28,"description":35},{"lang":37,"name":28,"description":38},{"lang":40,"name":28,"description":41},{"id":71,"name":72,"description":13,"url":73,"color":74,"parentId":13,"count":13,"imageUrl":13,"parent":13,"order":75,"translations":84},[],[86],{"typeMetaDataId":87,"value":88,"id":89},4,"https://static.dastra.eu/backofficefilescontainer/6c9c6770-09f5-44d2-ac35-466a87c40426/US PIA Cross State Checklist Best Practices.pdf",117305,"https://static.dastra.eu/content/a321130b-375a-4a3f-b9d5-e9d9afea648e/visuel-article-18-original.jpg",[92,93,94,95,96,97,98],"https://static.dastra.eu/content/a321130b-375a-4a3f-b9d5-e9d9afea648e/visuel-article-18-1000.webp","https://static.dastra.eu/content/a321130b-375a-4a3f-b9d5-e9d9afea648e/visuel-article-18.webp","https://static.dastra.eu/content/a321130b-375a-4a3f-b9d5-e9d9afea648e/visuel-article-18-1500.webp","https://static.dastra.eu/content/a321130b-375a-4a3f-b9d5-e9d9afea648e/visuel-article-18-800.webp","https://static.dastra.eu/content/a321130b-375a-4a3f-b9d5-e9d9afea648e/visuel-article-18-600.webp","https://static.dastra.eu/content/a321130b-375a-4a3f-b9d5-e9d9afea648e/visuel-article-18-300.webp","https://static.dastra.eu/content/a321130b-375a-4a3f-b9d5-e9d9afea648e/visuel-article-18-100.webp",59886,12,1]