EU proposes changes to its digital regulatory framework

On 19 November, the EU Commission issued its Digital Omnibus which includes proposals for changes both to the GDPR and the AI Act. While the EU’s aim is simplification, the response from industry is likely to be more enthusiastic than that from civil society which fears an erosion of rights. Some proposals, for example the narrowing of the personal data definition may well work to organisations’ benefit.

Importantly, the European Commission suggests that the processing of personal data to train AI models is a legitimate interest – an issue that the DPAs have long debated. There is also a proposal to delay obligations applicable to high-risk AI systems. The current deadline of August 2026 would be extended by six months. However, as adoption is required by the co-legislators, the European Parliament and the Council, this work may not be completed by the proposed timeline. We will return to this topic in future issues.

In this issue, our correspondents analyse an important CJEU decision on pseudonymised data and Australia’s enforcement which is stepping up – penalty procedures are underway.

I always enjoy learning about technological shifts and evolving societal challenges. One such example is robotics – read about privacy issues regarding robots and how to overcome them. Robots may collect sensitive personal information via cameras, microphones, and sensors. However, our correspondent says that in reality, well-designed autonomy platforms do not need to transmit, process, or store personal data in order to navigate safely and effectively.

Similar inspiration was provided by the Global Privacy Assembly in Korea which I attended, and we report on some of the deliberations there.

Laura Linkomies
Editor, Privacy Laws & Business

December 2025