Summary
The European Commission’s proposed Digital Omnibus package could significantly reshape how the GDPR applies to medical device manufacturers, particularly those developing Software as a Medical Device (SaMD), Software in a Medical Device (SiMD), and AI-enabled medical technologies.
As connected devices and AI systems increasingly rely on operational and health-related data for development, validation, and post-market activities, manufacturers face growing challenges in balancing innovation with strict privacy obligations. The proposal aims to simplify digital legislation while reducing unnecessary regulatory burdens across several EU digital laws, including the GDPR.
One of the most significant proposed changes is a refined definition of personal data. Under the new wording, information may no longer automatically qualify as personal data if the organisation processing it has no reasonable means of identifying the individual. If adopted, this clarification could allow manufacturers to process certain datasets as non-personal data under specific conditions, reducing some GDPR obligations while still requiring compliance with other frameworks such as the European Health Data Space (EHDS).
The proposal also introduces a new legal basis under Article 9(k), specifically addressing the development and operation of AI systems. This could make it easier for organisations to process certain categories of health data when training, validating, and testing AI models, provided appropriate technical and organisational safeguards are implemented. Combined with existing GDPR provisions such as legitimate interest under Article 6, these changes may create a more practical regulatory pathway for AI development in healthcare.
Despite these potential benefits, considerable uncertainty remains. Key concepts, including “reasonable means” for re-identification, the interaction between GDPR and EHDS requirements, and the practical interpretation by the European Data Protection Board (EDPB) and Member States, are still subject to future guidance and legislative negotiations. The proposal must also pass through the European Parliament and Council before becoming law.
For medical device manufacturers, the proposal represents an opportunity to improve access to data for AI innovation while maintaining appropriate privacy safeguards. However, organisations should avoid assuming immediate regulatory relief. Existing data protection obligations remain in force, and manufacturers should continue monitoring legislative developments, prepare for evolving EHDS requirements, and assess how future changes may affect their AI and software development strategies.
While the final outcome remains uncertain, the Digital Omnibus proposal signals a broader shift toward modernising Europe’s digital regulatory landscape. If implemented carefully, it could help reduce barriers to innovation without compromising the fundamental privacy protections that underpin healthcare regulation.
In the complete analysis, Leon explores the proposed GDPR changes in greater detail, including their impact on AI training, EHDS, legal bases for processing health data, and what medical device manufacturers should prepare for next.
Read the full LinkedIn article here: GDPR’s new direction: What MedTech needs to know


