The Digital Omnibus Regulation Proposal introduces targeted amendments to Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by Union institutions, bodies, offices and agencies (EU Institutions’ Data Protection Regulation). While the amendments are framed as alignment and operational simplification, the Proposal mirrors a number of the GDPR-facing amendments (including the “relative identifiability” approach to the definition of personal data, the purpose-limitation rule for scientific research, limits on handling of manifestly unfounded or excessive requests (with a specific abuse concept limited to erasure requests), ADM “necessity” clarification, breach-notification recalibration, DPIA standardisation, and terminal-equipment consent mechanics) so that broadly equivalent rules apply in relation to the EU institutions.
Proposals most likely to be adopted and rationale
This section addresses, in turn:
- Alignment with the changes to GDPR across core operational provisions (including personal data definition, purpose limitation, rights-request handling, ADM and breach reporting);
- The introduction of a parallel “terminal equipment” framework within the EU Institutions’ Data Protection Regulation; and
- Consequential standardisation measures (DPIAs and pseudonymisation criteria).
1. Alignment of procedural obligations with the GDPR
The Proposal introduces amendments to the EU Institutions’ Data Protection Regulation aimed at aligning selected procedural and operational provisions with those applicable under the GDPR, in particular where EU institutions interact with external controllers or processors subject to GDPR.
These amendments concern, in particular:
- The definition of 'personal data' (Article 3), by importing the same “relative/entity-specific identifiability” framing proposed for Article 4(1) GDPR (i.e., information is not necessarily personal data for every entity merely because another entity can identify the person), thereby aligning the EU-institutions regime with the Recital 26 “means reasonably likely” approach as implemented in the Proposal;
- Purpose limitation/further processing (Article 4), by aligning the EU-institutions compatibility route so that further processing for scientific research purposes is treated as compatible where it is in accordance with Article 13, and expressly “independent of” the conditions in Article 6 of Regulation (EU) 2018/1725;
- AI-related processing clarifications and special category data handling (Article 10), including (i) an express route to rely on legitimate interests for development/training/testing/operation of AI models (subject to the standard necessity/balancing framework and safeguards), and (ii) targeted special-category permissions for “residual” special-category processing in an AI context (subject to strict conditions and state-of-the-art measures) and certain on-device biometric uses where the biometric data remains under the user’s control;
- Handling of rights requests (Article 14(5)), including an express ability to refuse requests that are manifestly unfounded or excessive and - for requests under Article 17 (erasure) only - where the data subject abuses the rights conferred by the Regulation for purposes other than data protection, coupled with an explicit burden-of-proof statement on the controller;
- A scientific-research limitation to the right of access (new Article 15(5)), where providing information proves impossible or would involve disproportionate effort (or would seriously impair the research objectives), coupled with a duty to take appropriate protective measures including making information publicly available;
- Automated decision-making (Article 24), by clarifying that contractual “necessity” applies regardless of whether the decision could, in theory, be taken otherwise than by solely automated means, while keeping the existing safeguards architecture;
- Personal data breach notification (Article 34(1)), by (i) extending the deadline to 96 hours and (ii) aligning the supervisory-notification trigger to “high risk” (in line with the Proposal’s GDPR approach), while retaining the underlying breach-response framework;
- DPIA standardisation (Article 39), by applying the Union-level lists/template/methodology adopted under the amended GDPR DPIA provisions to processing under the EU Institutions’ Data Protection Regulation and deleting the existing Article 39(5)–(6) mechanism; and
- A new “pseudonymisation criteria” alignment provision (new Article 45a), applying the common criteria adopted under the GDPR’s new mechanism to processing under the EU Institutions’ Data Protection Regulation.
These measures are likely to be adopted because they are positioned as maintaining consistency between the GDPR and the EU institutions regime and reducing friction in mixed processing chains, rather than creating a divergent EU-institutions-only rulebook that would be difficult to implement where EU bodies interact with GDPR-regulated entities.
2. Supervisory cooperation and enforcement alignment
The Proposal further introduces technical amendments intended to facilitate cooperation and consistency between the European Data Protection Supervisor (EDPS) and national supervisory authorities where processing operations involve both EU institutions and entities subject to the GDPR.
Without altering the supervisory competence of the EDPS under Articles 52 to 59 of the EU Institutions’ Data Protection Regulation, the Proposal clarifies:
- Information-sharing arrangements between the EDPS and national authorities;
- Coordination mechanisms in cross-regime investigations; and
- Procedural sequencing where parallel supervisory action is required.
These amendments are likely to be adopted because they:
- Preserve the institutional autonomy of the EDPS;
- Address practical coordination issues identified in mixed processing scenarios; and
- Are framed as procedural clarifications rather than reallocations of competence.
3. Terminal-equipment personal-data processing “re-homing” within the EU Institutions’ Data Protection Regulation
In parallel to the GDPR/ePrivacy reallocations, the Proposal inserts new “terminal equipment” provisions into the EU Institutions’ Data Protection Regulation (new Article 37(2)–(10)), introducing: (i) a consent default for storing/accessing personal data in terminal equipment; (ii) a limited set of necessity purposes exempt from the requirement for consent (transmission, explicitly requested service, first-party audience measurement, and security); (iii) “single-click refusal” and repeat-prompt constraints (including a minimum six-month bar after refusal); and (iv) a staged move toward automated, machine-readable preference signalling, with a presumption of compliance where online interfaces comply with harmonised standards referenced via the GDPR standardisation mechanism.
This aspect is likely to be adopted insofar as it is structurally paired with the GDPR terminal equipment reforms (and is staged by delayed application dates in the Proposal text), but it remains politically sensitive and is therefore exposed to negotiation risk as to scope, legal basis and the practical balance between consent default and “necessary” exemptions.
Proposals more likely to be challenged or rejected, and rationale
This section addresses, in turn:
- Boundary issues between the EU Institutions’ Data Protection Regulation and the GDPR; and
- Issues of legal certainty arising from procedural convergence without full institutional symmetry.
1. Boundary issues between the EU Institutions’ Data Protection Regulation and the GDPR
Elements of the Proposal aligning procedural obligations between the EU Institutions’ Data Protection Regulation and the GDPR are more likely to attract scrutiny where they are perceived as blurring the distinction between the institutional data protection regime and the general GDPR framework.
In particular, concerns may arise as to:
- Whether procedural alignment could be read as importing GDPR concepts into the EU Institutions’ Data Protection Regulation without full contextual adaptation;
- The treatment of joint or interconnected processing operations involving EU institutions and external actors; and
- The risk of inconsistent application where similar concepts are interpreted differently by the EDPS and national supervisory authorities.
In addition, the “mirroring” technique used in the Proposal (i.e., applying the same substantive-operational changes to the EU institutions regime as to the GDPR) is likely to attract closer scrutiny here than in purely private-sector contexts, because it directly affects (i) institutional processing expectations and (ii) EDPS enforcement posture, including on refusals of rights requests, ADM reliance and breach-notification thresholds.
For these reasons, this aspect of the Proposal is more likely to be narrowed through clarifications confirming that procedural alignment does not affect the autonomous interpretation of the EU Institutions’ Data Protection Regulation.
2. Legal certainty and enforceability
The Proposal’s reliance on procedural convergence gives rise to issues of legal certainty where it does not fully specify how aligned provisions are to operate in practice across different supervisory contexts.
In particular, uncertainty may arise as to:
- The allocation of responsibility in cross-regime enforcement scenarios;
- The evidential standards applicable where coordinated supervisory action is undertaken; and
- The legal effect of guidance or decisions issued in parallel under the EU Institutions’ Data Protection Regulation and the GDPR.
A further, specific pressure point on legal certainty is the “terminal equipment” insertion in Article 37. Its operation depends in part on staged application dates and on standardisation and harmonised-standards arrangements that cross-refer to the GDPR provisions, raising practical questions about transition, legacy consent and enforcement sequencing in EU-institution-facing online interfaces during the staged rollout.
Given that the EU Institutions’ Data Protection Regulation establishes directly applicable obligations for Union institutions, these uncertainties are material. As a result, this aspect of the Proposal is more likely to be refined during negotiations through drafting clarifications or recitals addressing the interaction between institutional and non-institutional enforcement pathways.