Digital Omnibus: what is at stake for data law

The European Commission presented the Digital Omnibus package as part of the Digital Package on Simplification in November 2025, with the aim of reducing regulatory burdens across the European regulatory system. The package consists of two proposals: one introduces technical amendments to the GDPR, the ePrivacy Directive, the NIS2 Directive and the Data Act, while the other addresses the AI Act, with, among other measures, a possible postponement of certain deadlines for high-risk artificial intelligence systems. On such aspects the Council adopted its position on the 13^th of March, which will be negotiated with the one adopted by the European Parliament.

The proposals respond to concerns that the expanding digital acquis risks undermining innovation, particularly for SMEs and small mid‑caps, and integrate simplification measures such as exemptions from GDPR record‑keeping obligations. Substantively, the Digital Omnibus consolidates key data‑economy instruments – such as the Data Governance Act, the Open Data Directive and the Free Flow of Non‑Personal Data Regulation – into the unified framework of the Data Act, while strengthening trade secret protections, refining rules for data  access in public emergencies and adjusting cloud switching obligations with tailored provisions for SMEs and SMCs. On the privacy front, it clarifies core GDPR concepts, including a more nuanced, entity‑specific approach to personal‑data identifiability, and introduces targeted measures to reduce administrative friction for controllers, including streamlined information and notification duties. Cybersecurity reporting will shift toward a single-entry point managed by ENISA, replacing fragmented notification processes under NIS2, GDPR, DORA and related frameworks, thereby eliminating duplicative reporting obligations and harmonizing response procedures across sectors. In relation to AI, the Omnibus adjusts compliance pathways by refining requirements for high‑risk systems, extending certain SME privileges to SMCs and creating a specific legal basis for processing special‑category data in the context of bias detection and correction, subject to safeguards highlighted by regulators. In this context, the Council has substantially endorsed the Commission’s approach while introducing targeted amendments, which notably include a new prohibition on AI practices involving the reintroduction of an obligation to register certain high-risk AI systems in the EU database even where exemptions are claimed, and the reinstatement of a strict necessity test for the processing of special categories of personal data for bias detection and mitigation. The Council position also strengthens the governance framework by enhancing the powers of the AI Office, reducing fragmentation across supervisory authorities, and introducing an obligation for the Commission to issue guidance to facilitate compliance for providers of a high-risk system. It further postpones to December 2027 the deadline for establishing regulatory sandboxes at national level, contributing to a more gradual and coordinated implementation timeline. The Members of the European Parliament are also in favor of giving providers more time to comply with rules on watermarking AI-created audio, image, video or text content to indicate its origin. However, they suggest a shorter extension, until November 2, 2026.

In parallel, recent developments in the European Parliament further confirm the emerging legislative consensus toward a phased application of the AI Act, supporting the postponement of certain obligations for high-risk systems to ensure that technical standards and compliance tools are available before enforcement becomes effective.

The legislative process is expected to evolve through trilogue negotiations, informed by the joint EDPB-EDPS opinion released in February 2026, and will likely remain highly contested given the tension between simplification, fundamental‑rights protection and innovation policy. Businesses should prepare for a more streamlined yet recalibrated compliance environment, where centralised reporting, clarified definitions and consolidated data‑governance rules can materially reduce operational friction while raising expectations for integrated digital‑risk management.

Personal data processing in corporate and M&A transactions, a view from the Italian DPA

The Italian Data Protection Authority (“IDPA”) has imposed fines totaling 1.25 million euros on two air carriers, for the unlawful processing of employees’ personal data. The measure, adopted on March 4, 2026, concerns the handling of employees’ information during the transition phase between the first air carrier (“Air Carrier 1”, currently under special administration) and the second one (“Air Carrier 2”).

According to the Authority’s findings, Air Carrier 1had made available to Air Carrier 2 the personnel files of employees in the Aviation division (containing information on salary data, family obligations, and prior labor disputes) before those employees had submitted any applications to be hired by Air Carrier 2. The IDPA found that the processing took place in the absence of an appropriate legal basis, thereby breaching the GDPR principles of lawfulness and fairness, as well as the obligation to identify a valid legal basis pursuant to Article 6 of the Regulation. The decision poses itself at the center of a complex legal dispute over the continuity between the two companies, triggered by a group of Air Carrier 1workers, who sought to obtain the recognition of the continuation of their employment relationship with Air Carrier 2, invoking the rules on workers’ protection within asset deals. While a question for a preliminary ruling is pending on the issue before the Court of Justice of the EU, the Italian Constitutional Court recently held that such protection is not due as some domestic special rules qualify the transaction at stake as a liquidation of the aviation assets of Air Carrier 1, rather than a transfer thereof. Against this background, the IDPA deemed that, as the two companies had maintained that there was no corporate continuity between them, the transfer of the personnel files lacked a legal basis under data protection rules, because there was not a succession in legal relationships between the transferee and the transferred workers. The decision is almost one of its kind by the IDPA, given that the Authority had rarely dealt with the issue of the legal implications of personal data transfers in the context of corporate and M&A transactions.

It highlights a recurring issue in corporate restructuring process: the sharing of employee information between legally distinct entities requires a careful assessment of the legal basis and the conditions of processing, in compliance with the fundamental principles of the GDPR.