Digital Omnibus: Regulatory Simplification or a Redefinition of Digital Rights in the EU?

On November 19, 2025, the European Commission officially presented the proposal for the “Digital Omnibus” regulation, a legislative package aimed at simplifying, harmonizing, and making the European Union’s complex framework of digital rules more consistent. The proposal, currently under review by the European Parliament and the Council, has a cross-cutting impact on several key pieces of legislation, including the GDPR, the ePrivacy Directive, the Data Act, the NIS2 Directive, and the AI Act, with the stated goal of reducing regulatory overlap, compliance costs, and uncertainty regarding application for businesses and public administrations.

The Digital Omnibus comprises at least two main proposals:

Digital Omnibus Regulation Proposal — technical provisions to amend and streamline digital regulations, with impacts on the GDPR, ePrivacy, Data Governance, Data Act, NIS2, and other acts.

Digital Omnibus on AI Regulation Proposal — more specific measures designed to refine the AI Act and coordinate it with the rest of the digital regulatory framework.

Key Issues and Critical Points in Personal Data Regulation

Among the most significant and critical aspects of the Digital Omnibus proposal is the definition of “personal data”. The initiative aims to redefine and contextualize this concept for the purposes of the GDPR, introducing criteria that are more functional and tied to the concrete context in which a data subject can be identified, with emphasis on the “means reasonably likely to be used.” If adopted, such an approach could affect the scope of application of the GDPR, changing whether certain information is classified as protected personal data.

The proposal also addresses certain specific obligations, particularly regarding automated decision-making and cookie management, with the aim of reducing administrative burdens and simplifying compliance. However, these changes raise interpretative doubts, especially regarding the preservation of the protection standards enshrined in the Charter of Fundamental Rights of the European Union.

The package has sparked a wide-ranging debate: some fear a weakening of the GDPR’s safeguards, while others, on the contrary, see an opportunity for a more coherent and certain digital framework. The proposal is still under review by the European Parliament and the Council and remains subject to significant changes.

EDPB: Recommendations for More Privacy-Friendly Online Shopping

The European Data Protection Board (EDPB), at its plenary session on December 4, 2025, adopted Recommendations for the creation of user accounts on e-commerce websites. The goal is to make online shopping more respectful of users’ privacy by allowing transactions to be carried out without the need to register, favoring a “guest” mode. Registration may be mandatory only in specific cases, such as subscriptions or exclusive offers. These guidelines aim to reduce the collection and processing of personal data, in line with the GDPR’s principles of data protection by design and by default.

The EDPB has also launched a preliminary discussion on the “Digital Omnibus” proposal, expressing concern over the proposed change to the definition of personal data, which could go beyond the case law of the Court of Justice of the EU and undermine the fundamental right to data protection. This change, in fact, risks weakening the protection of data subjects and reducing transparency and accountability of companies in the management of personal data.

United Kingdom: ICO fines British password manager £1.2 million for a data breach

The UK’s Information Commissioner’s Office (ICO), in a decision dated December 11, 2025, imposed a fine of £1.2 million (approximately €1.375 million) on a British company that provides password management services for a serious data breach that occurred in 2022.

The case involves two separate but linked incidents which, together, allowed an attacker to access the company’s backup database and steal personal information from up to 1.6 million customers, including names, email addresses, phone numbers, and stored website URLs.

Although the company’s “zero-knowledge” encryption prevented the stored passwords from being decrypted, the failure to implement adequate security measures left the remaining personal data exposed. The unauthorized access was made possible by the compromise first of a company laptop and then of an employee’s personal device, which held the decryption key. The breach was deemed severe because of its scale, the categories of data involved, and the failure to adopt adequate security controls.