In brief: The EU is harmonizing its data protection rules through a new omnibus package and establishing the Data Act as the central European data protection regulation. New definitions, enhanced safeguards for trade secrets, and clear terminology are intended to provide greater legal certainty and practicality.
The EU is planning a comprehensive overhaul of its data protection rules. The so-called digital omnibus package is intended to establish the Data Act as the central European data protection regulation and harmonize various existing regulatory frameworks – from the GDPR to the AI Act.
The Data Act is becoming the central regulatory framework of the European data protection landscape. In this process, the European Commission is integrating several existing legal acts into the Data Act: the Open Data Directive (2019), the Data Governance Act – DGA (2022), and the Regulation on the free flow of data – FFDR (2018). The result is a unified regulatory framework for data use, data access, and interoperability, which is intended to provide greater legal certainty.
The draft of Omnibus IV, published by the European Commission on November 19, 2025, aims to adapt numerous existing regulations and harmonize them more effectively. The planned adjustments are not intended to create new obligations, but rather to simplify existing rules and make them more practical.
Key clarifications concern the definitions in the Data Act itself. The term “data owner” has been redefined: the two conditions, data access and data availability, no longer both have to be met; one of the two is now sufficient. This significantly expands the circle of affected parties. For the first time, the Data Act also contains an explicit definition of the term “anonymization”. Furthermore, the Data Act adopts key definitions from the GDPR, such as “consent” and “pseudonymization”, by referring directly to them.
Companies also receive additional protection mechanisms if they wish to deny access to trade secrets. In addition to the risk of serious economic harm or the data recipient’s refusal to implement appropriate technical and organizational measures, a high risk of data transmission to third countries is now intended to constitute a ground for refusal.
The planned Omnibus IV package must still undergo the European legislative process and could be significantly modified in the course of it.
Source: www.activemind.legal