EU Proposal to Simplify Data Protection Rules: What Privacy Professionals Should Know 2025
In late 2025, the European Commission presented a proposal to simplify EU digital and data protection rules as part of a broader Digital Omnibus package. The stated aim is to reduce regulatory complexity, lower compliance costs, and support innovation—particularly in areas such as artificial intelligence (AI) and cybersecurity. According to the Commission, these changes would streamline overlapping requirements while maintaining the EU’s “high standards” of data protection.
However, privacy and consumer organizations have reacted critically, arguing that the proposal risks weakening key protections under the General Data Protection Regulation (GDPR).
Context: GDPR and Enforcement
Since its entry into force in 2018, the GDPR has become a global benchmark for privacy regulation. It provides strong rights for individuals and imposes strict obligations on organizations processing personal data. Enforcement is decentralized: national Data Protection Authorities (DPAs) apply the GDPR, while consistency is coordinated through the European Data Protection Board (EDPB). Although the GDPR is praised for its principles, businesses have long complained about compliance complexity and fragmented enforcement.
What Is the Commission Proposing?
The Digital Omnibus includes several notable data protection changes:
- Single EU breach notification portal: Organizations would be able to report data breaches via one centralized EU platform instead of navigating multiple reporting regimes (GDPR, NIS2, sectoral laws). This proposal is widely seen as a practical improvement.
- AI training based on opt-out instead of consent: The Commission proposes to treat AI development as a “legitimate interest,” allowing companies to train AI systems on personal data unless individuals object. This could also apply to sensitive data, subject to safeguards. Critics argue this shifts the balance away from meaningful consent.
- Narrower interpretation of personal data: Following recent case law, whether data is considered “personal” would depend on whether a specific organization can actually identify individuals. Privacy groups warn this could create legal uncertainty and allow companies to avoid GDPR obligations.
- Fewer cookie banners via browser-level consent: Users could set privacy preferences once in their browser or device, reducing repetitive cookie pop-ups. Even critics of the package generally support this change.
- Reduced administrative burden for SMEs and mid-sized companies: Record-keeping obligations under Article 30 GDPR would apply only to organizations with more than 750 employees, unless they engage in high-risk processing. EU regulators have cautiously welcomed this limited relief.
Why Privacy Organizations Are Concerned
Groups such as EDRi, noyb, Bits of Freedom, and BEUC argue that the proposal goes beyond simplification and amounts to deregulation. They warn that expanding “legitimate interest” for AI, narrowing the definition of personal data, and weakening consent requirements could undermine fundamental rights. Several organizations describe the omnibus approach as rushed and insufficiently transparent, emphasizing that the real problem lies in enforcement, not the GDPR’s substance.
What This Means for Privacy Professionals
For CIPM and CIPP candidates, this proposal is an important reminder that privacy law is dynamic. If adopted, organizations may benefit from reduced administrative burden but face new compliance challenges—particularly around AI governance, opt-out mechanisms, and data classification. The legislative process is still ongoing, and significant changes may yet occur.
Simplification can be beneficial, but only if it preserves the GDPR’s core principles of fairness, transparency, and accountability. Privacy professionals should closely follow developments in Brussels, as the outcome will shape EU data protection practice for years to come.