The Digital Omnibus Regulation Proposal introduces limited and targeted amendments to the ePrivacy Directive. It does not seek to reopen the Directive’s core confidentiality framework (e.g., communications secrecy), but it would move certain terminal-equipment access/storage compliance requirements (where that activity involves the processing of personal data relating to a natural-person subscriber or user) from Article 5(3) ePrivacy to an express GDPR framework. In substance, it focuses on (i) removing regulatory duplication in relation to security and breach notification obligations in light of the NIS2 Directive and Articles 32–34 GDPR, and (ii) amending the mechanics of Article 5(3) so that it would not apply where information stored in, or accessed from, terminal equipment constitutes or leads to the processing of personal data relating to a natural-person subscriber or user (with the effect that such processing would instead fall under new GDPR Articles 88a and 88b), while Article 5(3) would continue to apply to access to or storage of information on terminal equipment, where that activity does not constitute, and does not lead to, the processing of personal data relating to a natural-person subscriber or user (including, in particular, where the subscriber or user is not a natural person). The Proposal also inserts a new Article 45a into the ePrivacy Directive, providing that the “common criteria” adopted by the Commission under proposed GDPR Article 41a (pseudonymisation / identifiability criteria) shall apply when applying the ePrivacy Directive in so far as the Directive applies in a context involving personal data.
Proposals most likely to be adopted and rationale
This section addresses, in turn: (1) the repeal of duplicative security/breach-notification obligations; (2) the targeted narrowing of the scope of Article 5(3) of the ePrivacy Directive in terminal-equipment scenarios involving personal-data, by bringing those scenarios within an express GDPR framework; and (3) the insertion of new Article 45a (common criteria) as a cross-instrument coherence mechanism for personal data processing under the ePrivacy Directive.
1. Repeal of Article 4 ePrivacy Directive (security and breach notification)
The Proposal repeals Article 4 of the ePrivacy Directive which currently governs the security of services and notification requirements for providers of publicly available electronic communications services (including, in particular, Article 4(1)–(1a) on security measures and Article 4(3)–(4) on personal data breach notification duties in the electronic communications sector).
The Commission’s rationale is expressly grounded in regulatory duplication, on the basis that:
- The NIS2 Directive now imposes horizontal cybersecurity risk-management and incident-reporting obligations on in-scope entities; and
- Articles 32, 33 and 34 GDPR already provide a comprehensive and directly applicable framework governing security of processing and personal data breach notification for personal data incidents.
These changes have therefore been presented as a de-duplication measure, rather than a reduction in underlying security expectations.
This amendment is likely to be adopted because it is framed as a de-duplication measure addressing clearly overlapping compliance layers (sector cybersecurity reporting under NIS2 and personal data breach reporting under the GDPR), rather than as a substantive change to data protection rights.
In practice, providers would still need to map the position following the repeal of Article 4 against any parallel sector security/incident obligations that continue to apply under the EU electronic communications framework (including the European Electronic Communications Code), but that is a downstream compliance exercise rather than a reason, in itself, to expect the repeal to fall away in negotiations.
2. Targeted amendment to Article 5(3) ePrivacy Directive (terminal equipment)
The Proposal amends Article 5(3) ePrivacy Directive by inserting an express carve-out: Article 5(3) would be expressly disapplied where a natural-person subscriber or user is concerned and the information stored in, or accessed from, terminal equipment constitutes or leads to the processing of personal data (with such processing instead subject to new GDPR Articles 88a and 88b). This is implemented by adding a new subparagraph after Article 5(3) stating that Article 5(3) does not apply where the subscriber or user is a natural person and the information stored in, or accessed from, terminal equipment constitutes or leads to the processing of personal data.
Under the amended framework:
- Article 5(3) would continue to apply where the storage of, or access to, information does not constitute, and does not lead to, the processing of personal data relating to a natural-person subscriber or user, and/or where the subscriber or user is not a natural person.
- Conversely, where the storage or access activity constitutes or leads to the processing of personal data relating to a natural-person subscriber or user, the applicable legal framework is the GDPR as supplemented by proposed Articles 88a and 88b (including mechanisms intended to reduce repetitive prompts, such as browser-/software-mediated preference signalling).
- The practical impact is that, for scenarios involving processing of personal data via storage/access on terminal equipment, controllers will need to analyse compliance primarily under the GDPR (including proposed Articles 88a–88b and the GDPR’s general requirements), while ePrivacy Article 5(3) continues to apply for non-personal-data terminal equipment access/storage, subject to the final legislative text. The final boundary will be particularly sensitive where identifiers are pseudonymous and identifiability depends on context.
The Commission justifies this reallocation by reference to persistent divergence in national enforcement by Member States of Article 5(3), structural consent fatigue, and the absence of a functioning one-stop-shop mechanism under the ePrivacy Directive, contrasting this with the GDPR’s cross-border enforcement and consistency architecture. That policy framing sits against established consent and “terminal equipment” interpretation under EU law (including CJEU cookie/consent jurisprudence and the EDPB’s Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive), which has historically treated Article 5(3) as a technology-neutral end-user protection that can apply irrespective of whether the information is personal data under the GDPR. The final wording and scope of the proposed GDPR Articles 88a–88b (as well as the associated implementing/standardisation acts) are therefore likely to be a particular focus during negotiations, given that they determine whether the reallocation is perceived as an enforcement simplification or as a substantive change in end-user protection.
These measures are likely to be adopted as the Commission positions them as a clarified allocation rule intended to address divergent enforcement practices and consent duplication while presenting the end-user experience as shifting from repeated site-by-site banners toward simplified choices and (longer-term) browser-level preference controls.
3. New Article 45a ePrivacy Directive (common criteria for personal data processing under the ePrivacy Directive and GDPR)
The Proposal inserts a new Article 45a into the ePrivacy Directive, providing that the “common criteria” adopted by the Commission under proposed GDPR Article 41a apply to personal data processing under the ePrivacy Directive. Operationally, this is positioned as a coherence tool. Where the ePrivacy Directive continues to apply in contexts involving personal data (e.g., confidentiality of communications contexts), the classification criteria adopted under the GDPR framework are intended to apply consistently under the ePrivacy framework as well.
In practical terms, this is intended to ensure that the Proposal’s ‘relative identifiability’ and pseudonymisation criteria do not operate inconsistently across instruments where ePrivacy-regulated activities (for example, communications confidentiality contexts) intersect with GDPR concepts of identifiability.
Proposals more likely to be challenged, or rejected and rationale
This section addresses, in turn: (1) boundary and scope issues arising from the amendment to Article 5(3) of the ePrivacy Directive; (2) transitional and interpretative issues created by reallocating certain personal data processing on terminal equipment from the ePrivacy framework to GDPR; and (3) issues of legal certainty and enforceability arising from the drafting technique adopted by the Proposal.
1. Boundary issues arising from the narrowing of Article 5(3) of the ePrivacy Directive
The principal negotiation pressure point is not the objective of reducing regulatory duplication, but the precision with which the Proposal delineates the boundary between the continued application of Article 5(3) of the ePrivacy Directive and the application of the GDPR.
As amended, Article 5(3) would continue to apply where the storage of, or access to, information on end user terminal equipment does not constitute, and does not result in, personal data processing (and/or where the subscriber or user is not a natural person). By contrast, where such storage or access involves processing of personal data “on or from” terminal equipment under Article 88a GDPR, the applicable legal framework would be the GDPR (as supplemented) because Article 5(3) is expressly disapplied where the subscriber or user is a natural person and the information stored/accessed constitutes or leads to personal data processing.
This re-scoping necessarily narrows the practical field of application of Article 5(3) and is therefore likely to attract scrutiny in legislative negotiations. In particular, borderline scenarios, such as the use of pseudonymous identifiers, device-level identifiers, or datasets whose character as personal data depends on contextual linkage, can create interpretative uncertainty as to which regime applies at the point of collection and/or at the point the data becomes linkable to an individual, especially given the Proposal’s “constitutes or leads to” formulation, which is capable of capturing downstream linkability rather than only immediate identifiability at the point of storage/access.
As a result, this aspect of the Proposal is likely to be narrowed or supplemented through more explicit statutory or recital-level criteria clarifying that the amendment does not reduce the level of protection afforded to end users under Union law. Consistent with the GDPR chapter analysis, negotiation focus is likely to fall on the final wording and safeguards in Articles 88a–88b and on drafting that supports consistent interpretation and enforcement in borderline and mixed processing scenarios, including by clarifying when information stored in, or accessed from, terminal equipment constitutes or leads to personal data processing for these purposes.
This is likely to include clarification, in operative text and/or recitals, that the new GDPR Articles 88a and 88b are intended to deliver an equivalent level of end-user protection (including a consent default and tightly framed exemptions), and clearer rules on supervisory competence and cooperation where electronic communications and data protection regulators both have roles.
2. Transitional and interpretative issues arising from reallocation to the GDPR
The Proposal gives rise to transitional and interpretative issues by reallocating certain processing activities from the ePrivacy framework to the GDPR via new Articles 88a and 88b, without simultaneously introducing a dedicated transitional regime.
In practice, the transition risk is increased because the final form of Articles 88a–88b (and the sequencing of associated implementing/standardisation acts) will determine how quickly controllers can move from banner-based consent patterns toward preference signalling, and how regulators treat legacy implementations during the interim.
Where practices previously assessed solely under Article 5(3) are reclassified as GDPR-governed processing activities, regulated entities may face uncertainty due to:
- the legal basis architecture and consent mechanics under new GDPR Articles 88a–88b (including consent default, exemptions, refusal mechanics and preference signalling) as compared with existing Article 5(3) enforcement practice, and the extent to which legacy consents and cookie-tool implementations can be treated as compliant under the new framework;
- the treatment of prior consents obtained under the ePrivacy framework;
- the timing at which GDPR compliance obligations attach to ongoing processing operations; and
- the sequencing risk created by staged implementation timelines for preference signalling and harmonised standards, including how enforcement should treat interfaces during the interim period.
Although the Proposal presents this shift as a clarification of applicable law rather than a change in substance, legislators are likely to require clearer transitional safeguards to ensure continuity and legal certainty. In particular, concerns may arise where enforcement action is taken in respect of conduct that straddles the boundary between the two regimes during the transition period and during the staged implementation timeline for browser/software-level preference tooling, and where “natural person” users are involved but the personal/non-personal classification is disputed.
For these reasons, this element of the Proposal is likely to be refined through the addition of explicit transitional provisions or recital-level guidance clarifying the treatment of pre-existing consents, ongoing processing operations, and enforcement sequencing and, potentially, by specifying how the “constitutes or leads to” test is to be applied in mixed or evolving datasets.
3. Issues of legal certainty and enforceability arising from the drafting of the Proposal
A further set of concerns arises from the drafting approach used to determine the applicable legal regime by reference to whether information stored in, or accessed from, terminal equipment constitutes personal data and/or results in the processing of personal data, including personal data processed “on or from” terminal equipment and, in particular, the “constitutes or leads to” formulation for natural person users.
In practice, the distinction between personal and non-personal data is not always self-evident at the point of collection, particularly where identifiers, metadata, or technical signals may become personal data only through subsequent combination or contextualisation.
In practice, this raises questions as to:
- how controllers are to assess, in advance, whether Article 5(3) of the ePrivacy Directive or the GDPR applies;
- how mixed datasets, involving both personal and non-personal information, are to be treated for compliance purposes;
- how enforcement authorities are to assess compliance where the characterisation of the data is contested; and
- how controllers, supervisory authorities and regulators are to apply the “constitutes or leads to” test where linkability arises through later combination with auxiliary data that may be held by a different actor (including across multi-party AdTech and data-sharing chains).
From an enforcement perspective, these uncertainties create a risk of divergent interpretation across Member States, particularly in cross-border cases involving terminal equipment practices deployed at scale. A further point likely to be tested is whether, in practice, the GDPR framework could be argued to permit broader reliance on non-consent bases in edge cases. That risk will turn on the final wording of Articles 88a–88b (in particular, the scope of the ‘necessary’ exemptions and the extent to which consent remains the default for personal-data terminal-equipment access/storage), and on how implementing acts / harmonised standards shape interface design and preference signalling. The final wording and scope of the proposed GDPR Articles 88a–88b (as well as the associated implementing/standardisation acts) are likely to be a particular focus during negotiations.
Accordingly, this aspect of the Proposal is more likely to be refined during the legislative process, including by:
- clearer statutory or recital-level guidance on the classification of borderline data categories;
- express clarification of the applicable regime in mixed processing scenarios; and
- drafting adjustments aimed at supporting consistent interpretation and enforcement, including, potentially, examples illustrating when information leads to personal data processing for these purposes.