The Digital Omnibus Proposal: Unlocking Responsible Health Data Use

Written by Ksenia Aleksankina

Last week, the European Commission published the Digital Omnibus Regulation Proposal, and the reaction was swift. Much of the early commentary focused on fears that the proposed updates might erode core GDPR principles. noyb, an NGO that litigates to enforce data protection law, for example framed the situation as the Commission choosing speed over stability, arguing that the changes risk introducing inconsistent interpretations of what counts as personal data (“EU Commission moves fast - and breaks things”).

The proposal itself is broad, touching everything from core GDPR definitions to AI development, data reuse, cybersecurity reporting, and open data rules. But the underlying aim is simple: to streamline Europe’s digital rulebook so companies can spend more time innovating and scaling, and less time untangling contradictory requirements. This is particularly relevant for healthcare and medtech companies, which sit at the intersection of multiple regulatory regimes, each with its own requirements, timelines, and interpretations. As a result, the current compliance environment is so fragmented that even well-resourced organisations struggle to navigate it effectively. The Omnibus attempts to bring some coherence to this, and in doing so, it quietly modernises the way we think about data protection and privacy preservation.

Redefining personal data: context matters

One of the most significant changes lies in the proposed update to the definition of personal data in Article 4 GDPR. The new language acknowledges that “Information relating to a natural person is not necessarily personal data for every other person or entity, merely because another entity can identify that natural person.” Identifiability thus becomes contextual: if an organisation cannot reasonably identify a person using the means available to it, the information need not be treated as personal data in that organisation’s hands, even if another entity holding additional data could make the link.

This adjustment does not weaken privacy. Rather, it brings European data protection closer to how risk actually works in practice. For years, regulators have recognised that absolute anonymisation is not only unrealistic but often counterproductive. As the UK ICO puts it, it is “not always possible to reduce identifiability risk to zero,” especially when an identifiable version of the data exists elsewhere or when the technological landscape changes. The Omnibus accepts this reality and shifts toward contextual anonymisation, an approach long used in the United States to de-identify protected health information (PHI) under HIPAA’s Expert Determination method. Under these risk-based models, anonymisation is not a static state but the output of a structured assessment grounded in statistical evidence, technical controls, and a clear understanding of the re-identification capabilities of the intended data recipient, including the auxiliary data that recipient can reasonably be expected to hold.

Critically, contextual anonymisation does not mean lowering the bar. It means replacing an impossible standard with a defensible one. It invites controllers and processors to adopt mature privacy-enhancing practices, such as k-anonymity, differential privacy techniques, and synthetic data generation, that preserve data utility while controlling disclosure risk. These techniques offer quite different guarantees (k-anonymity bounds how small a group a record can be singled out from in the released table; differential privacy bounds how much any output can depend on any one individual’s record), so the choice of technique and its parameters belongs inside the risk assessment rather than being treated as a box to tick. These methods are already widely used in health research and increasingly in AI development, but their legal status under GDPR has felt precarious until now. By clarifying that anonymisation is contextual, the Omnibus finally gives organisations a way to deploy these techniques with confidence, while still ensuring that data subjects’ privacy is rigorously protected.

The need for independent expertise and trusted partners

The Omnibus implicitly raises expectations for governance. Determining whether data falls outside GDPR because it cannot be linked to individuals in a given context is not a task for ad-hoc judgement or internal assumptions. It requires a structured assessment of risk, of the tools reasonably available to the organisation, and of the attack surface created by auxiliary datasets or advanced analytical models. These are not decisions that should be left to generalist analytics or data science teams, or to the same individuals responsible for collecting the data in the first place. As with financial audits or clinical oversight, independence matters. Trusted third-party experts, equipped with the right methods, add credibility, accountability, and traceability. Technical controls such as trust wrappers, which govern when and by whom data can be linked, and provenance tracking, which records where data has been and under what conditions, help ensure that even when data moves from one custodian to another, the conditions under which it can be linked back to individuals remain strictly governed.
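The assessment described above, and the k-anonymity and recipient-relative identifiability discussed in the previous section, can be made concrete on a toy dataset. The following is an added example, not code from the original post or from any product or partner it mentions. The clinical release, the named auxiliary register, the postcodes, years and diagnoses are all constructed for illustration, and the function names (`k_anonymity`, `l_diversity`, `generalise`, `linkage_attack`, `assess`) are choices made here. It measures the same release twice: once as a recipient with no auxiliary data would see it, and once against a recipient who holds a named register and can join on the quasi-identifiers.

```python
"""Contextual re-identification risk on a constructed toy health release.

Added example, not code from the original post. Every row below is fabricated.
"""
from collections import defaultdict

# Constructed health release: direct identifiers (name, NHS number) already removed.
RELEASE = [
    {"postcode": "SW1A 1AA", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "SW1A 2BB", "birth_year": 1986, "sex": "F", "diagnosis": "diabetes"},
    {"postcode": "SW1A 1AA", "birth_year": 1970, "sex": "M", "diagnosis": "hypertension"},
    {"postcode": "SW1A 2CC", "birth_year": 1972, "sex": "M", "diagnosis": "asthma"},
    {"postcode": "NW3 5DD",  "birth_year": 1990, "sex": "F", "diagnosis": "migraine"},
    {"postcode": "NW3 6EE",  "birth_year": 1991, "sex": "F", "diagnosis": "migraine"},
    {"postcode": "NW3 5DD",  "birth_year": 1955, "sex": "M", "diagnosis": "diabetes"},
    {"postcode": "NW3 6EE",  "birth_year": 1958, "sex": "M", "diagnosis": "hypertension"},
]

# Constructed auxiliary dataset held by one particular recipient
# (think of a membership list or public register that carries names).
AUXILIARY = [
    {"name": "Alice", "postcode": "SW1A 1AA", "birth_year": 1984, "sex": "F"},
    {"name": "Bob",   "postcode": "NW3 5DD",  "birth_year": 1955, "sex": "M"},
    {"name": "Carol", "postcode": "NW3 6EE",  "birth_year": 1990, "sex": "F"},
]

QIDS = ("postcode", "birth_year", "sex")   # quasi-identifiers shared with outside data
SENSITIVE = "diagnosis"                    # the attribute we are trying to protect


def qid_key(row, qids=QIDS):
    return tuple(row[q] for q in qids)


def equivalence_classes(rows, qids=QIDS):
    """Group rows that are indistinguishable on the quasi-identifiers."""
    classes = defaultdict(list)
    for row in rows:
        classes[qid_key(row, qids)].append(row)
    return classes


def k_anonymity(rows, qids=QIDS):
    """k = size of the smallest equivalence class; k == 1 means some row is unique."""
    return min(len(c) for c in equivalence_classes(rows, qids).values())


def l_diversity(rows, sensitive=SENSITIVE, qids=QIDS):
    """l = fewest distinct sensitive values inside any equivalence class."""
    return min(len({r[sensitive] for r in c})
               for c in equivalence_classes(rows, qids).values())


def generalise(row):
    """Coarsen the quasi-identifiers: outward postcode only, decade of birth."""
    coarse = dict(row)
    coarse["postcode"] = row["postcode"].split()[0]
    coarse["birth_year"] = row["birth_year"] // 10 * 10
    return coarse


def linkage_attack(release, auxiliary, qids=QIDS, sensitive=SENSITIVE):
    """Join auxiliary rows onto the release by quasi-identifier. For each named
    person report identity disclosure (exactly one candidate row) and attribute
    disclosure (all candidate rows share a single sensitive value)."""
    classes = equivalence_classes(release, qids)
    report = {}
    for person in auxiliary:
        candidates = classes.get(qid_key(person, qids), [])
        values = {c[sensitive] for c in candidates}
        report[person["name"]] = {
            "candidates": len(candidates),
            "identified": len(candidates) == 1,
            "attribute_learned": next(iter(values)) if len(values) == 1 else None,
        }
    return report


def assess(release, auxiliary):
    """Risk figures for the raw and for a generalised release, against a recipient
    who holds `auxiliary` and applies the same coarsening before joining."""
    coarse_release = [generalise(r) for r in release]
    coarse_aux = [generalise(p) for p in auxiliary]
    return {
        "raw": {"k": k_anonymity(release), "l": l_diversity(release),
                "linkage": linkage_attack(release, auxiliary)},
        "generalised": {"k": k_anonymity(coarse_release), "l": l_diversity(coarse_release),
                        "linkage": linkage_attack(coarse_release, coarse_aux)},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(assess(RELEASE, AUXILIARY), indent=2))
```

Three things the output shows that the prose alone does not. The raw release has k = 1 and the recipient holding the register re-identifies Alice and Bob outright, so for that recipient the rows are plainly personal data. After generalisation k rises to 2 and no name maps to a single row, which is the "anonymous in this recipient's hands" judgement the assessment has to document. But Carol's equivalence class is homogeneous (l = 1): both candidate rows say migraine, so the recipient learns her diagnosis without identifying her row. That is why a defensible assessment checks attribute disclosure as well as identity disclosure, and why it must name the recipient and the auxiliary data reasonably available to them rather than declare the table anonymous in the abstract.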

This approach also opens the door to the responsible use of unstructured data, which has long been a sticking point in GDPR interpretation. Whether we are talking about free-text clinical notes, medical images, pathology slides, audio recordings, or sensor outputs, these data types are increasingly essential for AI model development and clinical decision support tools. Yet traditional anonymisation frameworks, designed for structured tabular data, struggle to accommodate them. Treating them as permanently and inherently personal data has forced organisations into a binary choice: either strip them down to the point where they lose all utility, or avoid using them altogether. Contextual anonymisation offers a way forward, allowing these modalities to be used responsibly when appropriate technical measures, governance controls, and expert assessments make the re-identification risk sufficiently low.

A pragmatic approach to risks in AI training

The Omnibus’s treatment of AI training reflects this same pragmatic recognition. Recital 30 acknowledges that developing and validating AI systems often requires large datasets and that personal data may be involved. It also recognises that legitimate interest can, in appropriate circumstances, support such processing. Recital 33 goes further by addressing a long-standing issue: residual sensitive data that persists in training datasets or model weights, even when not deliberately collected. Instead of insisting on complete erasure at any cost, the Omnibus requires controllers to remove such data when feasible and to protect it effectively when removal would require disproportionate effort. What matters is that sensitive attributes cannot be used to derive outputs or become accessible to third parties. This approach balances innovation needs with robust safeguards and does so without diluting the protections owed under Article 9 when special-category data is processed intentionally.

A path towards responsible innovation

Taken together, these changes signal an important shift. The Omnibus does not dismantle GDPR or undermine fundamental rights. Instead, it embraces a more realistic, expert-driven approach to data protection that gives organisations both the tools and the responsibility to manage risk appropriately. It encourages the use of robust technical and statistical techniques, strengthens the role of independent oversight, and creates space for the medtech and broader healthcare sectors to innovate without compromising the trust that underpins their work. The Omnibus, if implemented thoughtfully, offers a path toward that balance between innovation and trust: one where contextual understanding replaces absolutism, expert assessment replaces assumption, and responsible innovation gets the attention it deserves.
