On November 19, 2025, the European Commission introduced the Digital Omnibus Regulation Proposal (hereafter “Omnibus”) to simplify the EU digital legal framework, including revisions to data governance regulations such as the Data Governance Act (DGA) and the Data Act. The proposal responds to the 2024 Draghi report’s goal of narrowing the technological gap with the US and China by enhancing European competitiveness.  

The Omnibus caused shockwaves within the data protection community, facing strong opposition from Data Protection Authorities, NGOs, and numerous academics, particularly over the proposed changes to the GDPR. However, the proposal also includes significant modifications to data governance regulations that have been overlooked in discussions.  

This contribution focuses on the Omnibus’ proposed changes to the DGA and Data Act, summarizing them and analyzing their impact.

The Omnibus’ proposed modifications to data governance laws in a nutshell 

Similar to the proposed GDPR modifications, the modifications to data governance regulations are substantive. In sum, the Omnibus proposes to completely repeal the Data Governance Act (DGA), the Open Data Directive (ODD), and the Free Flow of Non-Personal Data Regulation, and to transfer these legal instruments into the Data Act. Additionally, it makes targeted modifications to the Data Act.

First, when it comes to the DGA, despite its complete deletion, the framework for data intermediation services and data altruism organizations is imported into the Data Act with targeted modifications. Particularly concerning data intermediation services, the proposal makes registration voluntary, unlike the current version of the DGA, which makes it obligatory at the Member State level. In contrast, the proposal maintains the voluntary registration for data altruism organizations. 

As a part of these modifications, Chapter II of the DGA, regarding the re-use of certain categories of protected data held by public sector bodies, is also merged with the provisions of the ODD, which aim to enhance data access to public sector data. This unification creates a single system for public-sector data reuse, including both protected and non-protected data, resolving questions about overlap between the two regulations, raised by academics. It must be noted that the proposal does not transpose a section that makes the reuse of public sector data optional, while making the reuse of public sector protected data obligatory, in line with the ODD requirements.  

One notable addition is the creation of “certain categories of protected data,” which establishes a regulatory category for “sensitive non-personal data” that did not previously exist. The category includes non-personal data that is legally or economically protected and cannot be publicly disclosed without breaching confidentiality, intellectual property, or other rights. This sensitive non-personal data would have limited access, controlled use, security measures, and should be accessed through a secure processing environment. This new definition, along with Article 32 of the Data Act, creates rules for international governmental access and transfer of non-personal data, and establishes a GDPR-like protection scheme for non-personal data. 

Moreover, in addition to transposing regulations into the Data Act, the Omnibus also makes targeted, relevant modifications to the Data Act itself. First, it introduces a risk-based approach as a basis for data holders to deny data access by public sector bodies and other businesses. While in the original Data Act, the holder could refuse only if disclosure itself caused serious economic damage, under the Omnibus proposal, a data holder may refuse if there is a likely economic harm or if there is a high risk of unlawful acquisition, unlawful use, or onward disclosure, lowering the bar for refusal in comparison to the current text.

The Omnibus also delays the application of the cloud-switching-related obligations in Chapter VI by introducing broad transitional exemptions for data processing service providers. Under the new Article 31(1a) and (1b), cloud providers offering customized services and all SME or small mid-cap providers are exempt from nearly all Chapter VI obligations for contracts concluded before 12 September 2025. Although they are not required to renegotiate those contracts, providers may now also impose (proportionate) early-termination penalties, softening restrictions meant to facilitate switching.

Additionally, the proposal to the Data Act introduces another change: a restriction on the scope of Chapter V, which concerns public sector access to privately held data. In the original text, the Data Act allows the public sector to request access to private-sector-held data in two situations: when carrying out a specific task in the public interest, or when mitigating or recovering from a public emergency. The Omnibus removes the “exceptional need” hypothesis, keeping only “public emergency”. This removal narrows the scope of Chapter V to cover only situations related to public emergencies such as disasters, pandemics, disruptions, and other threats to safety, health, and the environment. In practice, while the current Data Act allows public sector bodies to access private sector data under specific circumstances for evidence-based policymaking, the Omnibus removes this option, constraining public authorities’ ability to use privately held data while reinforcing the power of data holders.

The Good, the Bad, and the Ugly of the modifications 

As the title suggests, this section aims to explore the good, the bad, and the ugly from the previously outlined modifications. 

The good 

A positive factor brought by the Omnibus is the unification of the framework that regulates public sector-held data reuse. Indeed, since the DGA’s implementation, much has been said about the overlap between the ODD and Chapter II of the DGA. This unification creates a single system for public-sector data reuse, including both protected and non-protected data, making both hypotheses obligatory. 

From a civil-law perspective, the immediate removal of the obligation to apply Chapter VI of the Data Act to cloud contracts is coherent. Civil-law systems are based on the principles of legal certainty and non-retroactivity of obligations. Thus, imposing new statutory duties, such as cloud-switching requirements, on pre-existing contractual relationships would fundamentally create legal uncertainty. 

Another (seemingly) beneficial outcome is the expansion of the scope of Chapter VII of the Data Act, which creates rules on unlawful international governmental access and transfer of non-personal data to the other five categories of stakeholders. This significantly extends a cloud sovereignty clause beyond cloud providers, considerably expanding the protection of non-personal data outside the EU. This, along with the creation of “sensitive non-personal data,” seems to shift the EU’s focus from the protection of personal data to the protection of both personal and non-personal data (in theory).

Sadly, that is the extent of the good. 

The list of the bad, unfortunately, is longer.  

While the unification of public-sector data reuse is beneficial, the Omnibus does not provide guidance on how to implement it in practice. Empirical findings from a paper I contributed to as a first author, currently under review, demonstrate that the Omnibus does not bring any guidance on how public sector bodies should allow access to protected data in practice, leaving these bodies in the dark despite making the reuse of public sector protected data obligatory, in line with the ODD requirements. 

Regarding the expansion of protection for non-personal data from unlawful international governmental access and transfer, it remains unclear how these rules would interact with Chapter V of the GDPR, which aims to ensure adequate data protection through various mechanisms, such as adequacy decisions and international agreements, as Gianclaudio Malgieri and I explore here. 

Even if the non-retroactivity principle justifies exempting existing cloud contracts from most Chapter VI obligations under the Data Act, allowing legacy switching or termination fees to remain enforceable is not equally defensible. They do not form part of the core “economic equilibrium” of the contract. Thus, their preservation serves only to protect cloud providers’ interests, enabling contractual lock-in. This case operates in a similar fashion to mobile phone long-term contracts and consumer lock-in issues, which require strong regulatory intervention.

Moreover, the empirical findings of a forthcoming paper (see preprint here), which I contributed to, also demonstrate that, despite the transfer of the framework for data intermediation services and data altruism organizations into the Data Act, the Omnibus does not address the problems that hinder their business models and flourishing in the EU economy. This is due to the lack of structural support from stakeholders, particularly Member States and the Commission, which is not featured in the modifications introduced by the Omnibus. Instead, it focuses on making these entities’ registration voluntary, which was not identified as a key hindering factor in the empirical findings. This shows the Commission’s lack of focus on these figures, which could be essential pillars of the EU data governance framework.  

This highlights that the Commission missed the chance to implement targeted changes that could have effectively addressed some already recognized issues. 

But beyond the bad lies the ugly. 

First, it is worth noting that the underlying motivations of the proposed changes reveal the influence of industry lobbying throughout this process. Here, some context is required.  

The Data Act was initially developed as a sectoral regulation to enhance access to connected devices, governmental access to private data, and cloud switching. It received significant criticism due to its broad scope, which encompasses both personal and non-personal data and a wide range of connected devices, from personal-use products to industrial machinery. The Data Act was created to build on the DGA foundations, which was designed as the basis for the EU’s data governance legal framework. The DGA outlined the rules for data intermediation services and data altruism organizations, laid the foundation for Common European Data Spaces, and established the European Data Innovation Board, an expert group of representatives. 

By choosing the Data Act, rather than the more governance-oriented Data Governance Act, as the central regulatory instrument for reshaping EU data governance, the Omnibus sends a clear political signal: it privileges an industry-driven, market-facilitating approach over the DGA’s more institutional, stewardship-based model. Even the choice of name “Data Act” reinforces this orientation, evoking a focus on data as an economic asset rather than on the governance structures, norms, and safeguards that the DGA was designed to foreground.  

This political message is further reinforced by the practical consequences of the modifications outlined previously, which collectively shift the balance away from public-interest governance mechanisms and toward frameworks that primarily serve industry. This is clearly evident in the narrowing of Chapter V’s scope to public-interest data access, in the broader, more facilitative grounds for data access refusal, and in the exemption from all obligations under cloud-switching rules. These two measures alone already put in jeopardy the overall objective of the 2020 Data Strategy of enhancing data access. 

These choices, in conjunction with the proposed Omnibus modifications to the GDPR, reinforce this interpretation, particularly the changes regarding the definition of personal data and data subject rights. The proposed text introduces a ‘subjective’ approach to defining ‘personal data’, stating that information is not considered personal data for a given entity if that entity cannot reasonably identify the natural person to whom the information relates. The proposal further provides that the Commission may define, by implementing acts, what does not constitute ‘personal data’. This approach could potentially exclude entire industry sectors from the scope of the GDPR, and lead to massive consequences for data subjects’ rights and create legal uncertainty, especially as it deviates from the broad interpretation of personal data established by CJEU case law. Moreover, the Commission proposes a new legal basis to allow controllers to process sensitive data for the development and operation of AI systems. Critics argue that the proposal gives AI technology a privileged status, raising concerns about legal certainty and potential ‘slippery slope’ issues, where almost any processing could be deemed a ‘legitimate interest’. Finally, the proposal restricts data subjects’ right of access to personal data (Article 15 GDPR) by imposing that this right must be exercised solely for ‘data protection purposes’. The proposal also reduces the controller’s burden of proof, allowing them to refuse requests based on ‘reasonable grounds’ to believe they are excessive, leading to a significant diminution of data subjects’ ability to exercise their rights. 

Taken together, the far-reaching modifications to the DGA, the Data Act, and amendments to the GDPR reveal a deeper structural shift in the Commission’s plans for EU data law: a move away from a governance- and rights-centred paradigm toward a pro-industry regulatory model. The result is not merely a softening of safeguards but a reorientation of the legal architecture itself. The narrowing of public-interest and data subjects’ access rules, the expanded grounds for refusing data sharing and for processing sensitive data, and the exemption from cloud-switching obligations all signal a prioritisation of industrial policy over fundamental rights and institutional stewardship. What emerges is a troubling pattern: a shift toward a market-first conception of data law that risks undermining the very foundations of the EU’s data protection model.
