As Europe looks to encourage artificial intelligence innovation in the region, proposed changes to GDPR could reshape how companies handle customer data, with implications for transparency and customer privacy.
On November 19, the European Commission presented the Digital Omnibus Regulation Proposal, a package of measures to streamline the EU’s entire digital regulatory framework across data access, privacy, and cybersecurity, as well as a Digital Omnibus on AI Regulation Proposal, which focuses specifically on amending parts of the EU AI Act. Taken together, the proposals are referred to as the Digital Omnibus.
The package aims to reduce the administrative burden on businesses. The Commission estimates that simplifying compliance will save businesses up to €5BN in admin costs by 2029.
The proposals would amend rules on consent and AI training, modify the definition of personal data and special category data, abolish the Platform-to-Business (P2B) Regulation, and introduce a single reporting point for incidents under GDPR, NIS2, DORA and the Critical Entities Resilience Directive. This could adjust how customer-facing enterprises report incidents and communicate accountability to users.
The changes reflect concerns within EU institutions that the current timeline for high-risk AI obligations could outpace the availability of practical compliance guidance, potentially creating legal uncertainty for companies deploying AI systems that affect customers.
But Belgian consumer organization Testaankoop has warned that the reforms could weaken core protections in GDPR and the AI Act, safeguards that underpin customer trust across digital touchpoints.
“Officially, the goal is laudable: to reduce the administrative burden, strengthen European competitiveness, and close the EU’s gap with the United States and China in the field of artificial intelligence. But behind that promise of simplification, an uncomfortable question arises: are the rights of European citizens now taking second place?”
From Explicit Consent to Opt-Out
The Digital Omnibus represents a “real shift in thinking towards the GDPR, which for many years has been considered the global reference in terms of protection,” according to Testaankoop.
One of the most controversial elements of the proposed change is the use of personal data to train AI systems. Under the current GDPR framework, companies are required to obtain explicit consent before using personal data. The Digital Omnibus would allow organizations to rely instead on “legitimate interest,” shifting customers from an opt-in to an opt-out model.
“Tech companies can now invoke a ‘legitimate interest’ and use your data without asking for your permission first [provided that] there is a possibility to refuse (opt-out).”
Testaankoop highlights the risk to customer experience embedded in this approach, noting that “research shows that far fewer people take action to refuse than if they were actively asked for permission.” This raises questions about informed choice and whether passive consent can sustain long-term trust.
The proposal also affects so-called high-risk AI systems, including facial recognition, automated recruitment and credit assessment tools, technologies that increasingly shape customer and citizen journeys. The planned changes would introduce a transition period extending to 2028 for high-risk AI certain categories, while also removing key transparency requirements, including the obligation to register these systems in a European database.
The result, according to the consumer group, would be less visibility European citizens, “and potentially fewer safeguards against technologies that have a very real impact on your daily life.”
For customer-facing teams, reduced transparency could translate into higher friction when customers question automated decisions.
The Commission also wants to reduce the flood of consent pop-ups by allowing users to express preferences once and store them at the browser or operating system level.
Smoother online journeys are appealing, but Testaankoop warns that “the lack of a refusal could be interpreted as consent, weakening your real control over your data.” That risks replacing visible annoyance with invisible loss of real control for customers.
Although the European Commission frames the Digital Omnibus as a technical adjustment, the context is highly political. Testaankoop notes:
“Throughout 2025, the tech giants (Meta, Alphabet, SAP, Siemens…) have been increasing pressure to postpone or relax European rules on AI, because they consider them too restrictive for innovation.”
Consumer organizations counter that “economic competitiveness should not come at the expense of your fundamental rights.”
Despite the concerns raised by consumer groups, the Digital Omnibus could deliver benefits for businesses operating in Europe’s increasingly complex regulatory environment. Streamlining overlapping obligations could reduce compliance costs, clarify reporting processes and support faster decision-making. Enterprises would be able to shift resources from legal administration toward product innovation and customer service, provided the maintain trust and transparency.
What’s Next for Customer Experience as Regulators Rethink Data Protection?
Nothing has been decided yet. The Digital Omnibus is still just a proposal for now, with votes expected later this year.
If it is adopted in its current form, Testaankoop warns that European consumers “may have less control over the use of your data, may be less informed about the AI systems that influence important decisions” and could face “a situation… in which silence is considered consent.”
Law firm Bird & Bird noted that the package is a starting point for negotiations. “Whilst these proposals are subject to the outcome of months of institutional discussions to come, they should be considered as the Commission’s viewpoint at the start of what is likely to be a lively debate and intense negotiation.”
Multiple European Parliament committees, including ITRE, LIBE and IMCO, are expected to play central roles, with intensive negotiations anticipated throughout the year. Final adoption could come under political pressure by mid to late 2026, particularly because the original deadline for full application of high-risk AI rules under the AI Act is 2 August 2026.
“If the AI Omnibus is not adopted by this date, the original ‘high-risk’- rules could kick in anyway, before the support infrastructure to guide compliance is in place. This could lead to incomplete compliance guidance and legal uncertainty for businesses,” the law firm stated.
The Digital Omnibus could also bring long-awaited clarity to one of the GDPR’s most debated foundations: the definition of personal data. According to Ulrich Baumgartner, Partner at Baumgartner Baumann, the reforms “now constitute the final nail in the coffin of the absolute concept of personal data — even if the proposed wording will see some changes in the legislative process ahead.”
This shift could reduce legal uncertainty around data use, narrow the scope of what qualifies as personal data, and make compliance more predictable. As Baumgartner put it:
“This is good news for companies and organizations.”
That is especially the case for those building data-driven and AI-enabled services.
For businesses focused on customer experience, the debate goes beyond compliance. It affects how customers perceive fairness and transparency in an AI-driven economy, and whether Europe’s digital future strengthens or strains the trust that customer relationships depend on.
