Cyprus Opens GDPR Consultation as Digital Omnibus Sparks Privacy Debate

All CCS and Cross-sectoral EU response All Europe Countries Cyprus Artificial Intelligence

The new Cypriot EU presidency has begun canvassing member states on proposed changes to data protection rules that the Commission frames as simplification but critics describe as erosion of significant safeguards.

By Matthaios Tsimitakis
January 14, 2026
Save as PDF
You can download this article in PDF format here!

Cyprus has started gathering member state views on proposed amendments to the General Data Protection Regulation (GDPR), moving quickly to map political positions on a package that has divided the Commission, industry groups, and privacy advocates.

The Council presidency, which Cyprus assumed on 1 January 2026, circulated a discussion document to national capitals on 9 January requesting early feedback on GDPR-related elements of the Commission's Digital Omnibus proposal. The outreach was reported by MLex on 13 January.

The Commission published the Digital Omnibus package on 19 November 2025 as part of a broader digital legislative initiative aiming to streamline compliance across data, cybersecurity, and AI rules. The Digital Omnibus includes several targeted GDPR amendments. Key provisions would:

-Clarify the definition of personal data to align with Court of Justice of the European Union (CJEU) case law. The proposal emphasises that data is not personal for a recipient if re-identification is not "reasonably likely" using means available to them.

-Allow processing of personal data for AI training under the "legitimate interest" legal basis, with required safeguards including balancing tests and the right to object.

-And mandate a single entry point for breach notifications under multiple laws, including GDPR, NIS2, and DORA. Also, it would harmonise Data Protection Impact Assessment (DPIA) guidance through EU-wide lists from the European Data Protection Board (EDPB).


Criticism from Privacy Groups

Digital rights organisations have challenged the Commission's framing. Privacy advocacy group noyb published an analysis arguing the package amounts to substantive deregulation. They contend that narrowing the definition of personal data would exempt significant processing from transparency requirements. An open letter from over 127 civil society groups echoed warnings about "deregulation, not simplification."

Some states prioritise lighter compliance for SMEs, aligned with the Draghi Report. Others view reopening the GDPR as risky. A public consultation on the Digital Fitness Check runs until 11 March 2026.

The package now enters the Ordinary Legislative Procedure, requiring negotiations between the Council and European Parliament before any final adoption—likely in 2027.

Analysis:



Related articles

EU Reaches Deal on Sweeping Rules for Artificial Intelligence

Copyright uses for AI training go beyond the scope of the text and data mining exception: Several EU member states agree

We’re criticising GDPR for all the wrong reasons

EU Orders X to Preserve Data Amid Sexualised Deepfakes Furore