The EU Commission recently held a call for evidence on “simplification” of legislation in the data, cybersecurity, and AI space, ahead of a “Digital Omnibus” Act. These changes look to make the EU’s digital rulebook more innovation-friendly, supporting the Commission’s Competitiveness Compass.
The Commission is due to present its simplification proposals on 19 November. Ahead of that date, two draft proposals have been leaked, setting out the Commission’s planned changes across data and cyber laws in one proposal and the AI Act in the other.
A range of changes are proposed across the Data Act (including building out a trade secrets exemption), cybersecurity laws (creating a single-entry point for incident notification across regimes), and the AI Act. This post focuses on the draft proposed changes to the GDPR.
These changes could be very impactful, and include:
- amending the Article 9 restrictions on processing special category data to only apply where the processing directly reveals the characteristic (e.g. health status), as well as new exemptions for training AI models and biometric identification;
- changing the personal data breach notification threshold, and amending the timeline for notification to no later than 96 hours; and
- amendments to the e-privacy rules on cookies and trackers that appear to allow the possibility of processing personal data on or from terminal equipment based on legitimate interests.
We include a high-level overview of the changes below.
Comparison with the UK position
The UK has recently made some changes to the UK GDPR, alongside its implementation of the e-Privacy Directive (the Privacy and Electronic Communications Regulations), under the Data (Use and Access) Act (DUAA). Some of these changes are already in force; most will likely be brought into force around the end of 2025. These changes also looked to make the law more innovation-friendly.
However, the EU is proposing a different set of pro-innovation changes from the UK’s. The EU’s draft changes cover some areas that the DUAA did not touch, such as exemptions for processing special category data and breach notification. In other areas, such as the right of access, information obligations under Article 13, and cookies and trackers, the draft proposal would see the EU making slightly different changes from those made by the UK.
The table below compares the draft EU proposal with the UK position following the changes made under the DUAA. Note that this table does not cover all changes made or to be made to the UK’s data protection and e-Privacy framework, only the comparison with areas with proposed changes under the Commission’s draft proposal. See https://www.dataprotectionreport.com/2025/07/uk-data-protection-reform-what-you-need-to-know-and-do for a fuller summary of changes under the DUAA.
| Topic | Commission draft simplification proposal | UK position following changes made under the DUAA |
|---|---|---|
| Definition of personal data | Incorporating the “means reasonably likely” test from recital 26 (and recent CJEU case law, e.g. EDPS v SRB) into Article 4 | No change |
| Special category data | Default prohibition to apply only where the processing directly reveals information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health status, sex life or sexual orientation; new derogation for processing biometric data where necessary for confirming the identity of the data subject and where the data and means for verification are under the sole control of the data subject; new derogation for residual processing of special category data for the development and operation of an AI system or AI model (the controller must take organisational and technical measures to avoid collecting and processing special category data, delete it where identified unless removal requires disproportionate effort, and protect the data from being used to produce outputs or being disclosed to third parties); (under the AI Act proposal) providing a legal basis for providers of AI systems and AI models to process special category data for the purpose of ensuring bias detection and correction | No substantive change |
| Right of access | Where data subjects use the right of access for purposes other than the protection of their personal data, the controller could refuse to comply or charge a reasonable fee; clarifying the conditions for demonstrating that an access request was excessive | The data subject is only entitled to information the controller is able to provide based on a reasonable and proportionate search; the clock is stopped where the controller awaits further information from the data subject |
| Obligation to inform data subjects under Article 13 | Removing the Article 13 obligation where there are reasonable grounds to suspect the data subject already has the information (with some exceptions) | New “impossible or would involve a disproportionate effort” exemption for further processing for research, archiving, and statistical purposes |
| Article 22 and automated decision-making | In the context of entering into or performing a contract between the data subject and the data controller, the requirement of “necessity” applies regardless of whether the decision could be taken otherwise than by solely automated means | Default prohibition on solely automated decisions with legal or similarly significant effects lifted where the data is not special category data; restructured right with emphasis on safeguards |
| Breach notification | Aligning the notification threshold with the obligation to notify data subjects (likely to result in a high risk – raised from the current requirement to notify unless the breach is unlikely to result in a risk to rights and freedoms); extending the deadline to 96 hours; use of the single-entry point | No change (for GDPR notification) |
| DPIAs | Single lists of processing requiring and not requiring DPIAs to be produced at EU level | No change; the UK GDPR requirement for the ICO to produce lists of processing requiring and not requiring a DPIA remains |
| ePrivacy – cookies and trackers | Article 5(3) ePrivacy Directive would not apply where personal data is processed on or from terminal equipment – new provisions are proposed to be included in the GDPR instead; a specific list of purposes for which processing of personal data on or from terminal equipment is permitted, now including: – creating aggregated information for audience measurement; – security of the service requested by the data subject (or of the terminal equipment used for the provision of the service); processing of personal data on or from terminal equipment for any other purpose must comply with Article 6 (so consent may not be required?) and, where appropriate, Article 9; where processing is based on consent, the data subject must be able to refuse with a single click and their choice must be respected for 6 months; where processing is based on legitimate interests, the data subject must be allowed to object under Article 21(2) with a single click; the data subject must be able to give and refuse consent via automated and machine-readable means | Codification of additional purposes considered strictly necessary, including preventing or detecting fraud in connection with the provision of the service; new types of trackers that can be used without consent where the user is provided with clear information and a simple means of objecting (where they are ONLY used for the relevant purpose): – collection of information solely for statistical purposes, with a view to making improvements to the service; and – website appearance or functionality |
| Legitimate interests – training AI models | Explicit provision added to the GDPR text clarifying that processing for the development and operation of an AI system or AI model can be based on legitimate interests (subject to the balancing test), with appropriate safeguards, including data minimisation | No equivalent on training AI models, though Article 6 will include clarification that direct marketing, intra-group transmission, and processing necessary to ensure the security of network and information systems are capable of being legitimate interests (incorporating points from recitals 47-49) |
Our take
At this stage, there is no certainty the proposal will become law – it could change before even being presented by the Commission on 19 November, and would need to go through the EU’s legislative process before becoming law.
If some of these changes were to make it through the legislative process, we are facing the possibility that the EU GDPR may no longer be the high-water mark. In some areas, the EU position would represent more of a relaxation than the UK’s; in others, it will be the UK position that is more relaxed. In yet others, the changes are simply different – controllers tweaking their compliance decisions to take advantage of innovation-friendly changes on one side of the Channel might find themselves out of sync with the requirements of the GDPR regime on the other side.
It would, of course, be open to the UK to make further changes to its regime if the EU’s proposed changes go ahead. If it does not, the simplest approach to navigating this may be to keep compliance programmes aligned with the current EU GDPR. That should generally satisfy both regimes (though controllers will need to note the new complaints process in the UK). For projects where controllers were looking to take advantage of pro-innovation amendments, more analysis would be needed on whether the data is in-scope for the EU GDPR, UK GDPR, or both, and which change