What Is Actually Happening
On November 19, 2025, the European Commission released the Digital Omnibus Regulation Proposal — a package amending parts of the EU digital rulebook, including GDPR and the AI Act. This is not a GDPR rewrite. It is a recalibration toward regulatory clarity for AI development.
Why Now?
- Competitive gap: European AI development lagged behind US and Chinese competitors
- EDPB signal: December 2024 guidance confirmed legitimate interest can apply to AI training
- Startup feedback: The EU Startup Strategy identified GDPR complexity as a top barrier
- AI Act coordination: Aligning GDPR interpretation with AI Act obligations
Change 1: AI Training as Explicit Legitimate Interest
This is the most significant proposed change. A new provision would explicitly recognize that processing personal data for AI development can rely on Article 6(1)(f) legitimate interest, subject to safeguards.
| Aspect | Current GDPR | Proposed Change |
|---|---|---|
| Legal basis for AI training | Legitimate interest (case-by-case) | Explicitly recognized in text |
| Legal certainty | Guidance-based | Regulation-based |
| Three-part test | Required | Still required |
| Right to object | Yes | Strengthened to "unconditional" |
What stays the same: You still must conduct legitimate interest assessments, minimize data, implement safeguards, and respect the right to object. The change is clarity, not deregulation.
Change 2: Sensitive Data Exemption for AI
A new Article 9 derogation for AI development/operation, subject to conditions and safeguards. This addresses the practical problem that large training datasets inevitably contain some sensitive data.
| Scenario | Current Treatment | Proposed Treatment |
|---|---|---|
| Training on text corpus with health mentions | Potential Article 9 violation | Permitted if minimized and safeguarded |
| Facial recognition training data | Requires explicit consent | Still requires explicit consent |
| Social media data with political content | Uncertain legal basis | Permitted if residual and safeguarded |
Important limit: This is not a blank check. The exemption is for residual sensitive data — not purposeful collection. If your AI specifically needs health or biometric data, you still need explicit consent.
Change 3: Data Breach Notification Relaxation
The proposal aims to reduce over-reporting by raising the threshold for mandatory notification and providing clearer criteria for what constitutes "risk to rights and freedoms."
| Impact | Before | After (Proposed) |
|---|---|---|
| Minor breaches | Often reported "just in case" | Clearer exemption for low-risk |
| Administrative burden | High | Reduced |
| 72-hour deadline | Stressful for edge cases | Same deadline, fewer cases |
| Documentation | Everything documented | Still required for all breaches |
Change 4: Broader "Anonymous" Data Definition
The proposal broadens what qualifies as anonymous data, potentially moving more data processing outside GDPR scope. But poorly anonymized data can still identify individuals through re-identification attacks.
What Is NOT Changing
| Requirement | Status |
|---|---|
| Lawful basis for processing | Required |
| Data minimization | Required |
| Purpose limitation | Required |
| Data subject rights | Required |
| DPIAs for high-risk processing | Required |
| Cross-border transfer rules | Required |
| Penalties | Unchanged (up to €20M or 4%) |
The Legislative Path Forward
| Phase | Timing |
|---|---|
| Commission proposal | November 2025 (done) |
| Parliament review | 2026 |
| Council negotiations | 2026 |
| Final adoption | Late 2026 or 2027 |
| Entry into force | 2027 or 2028 |
The Bottom Line
The GDPR reform proposals are good news for AI startups — but they do not change your immediate obligations. Build as if current rules apply (because they do). Document everything.