Digital Omnibus: EDPB and EDPS support simplification and competitiveness while raising key concerns

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a Joint Opinion on the Digital Omnibus Regulation proposal.* This proposal aims to simplify the EU's digital regulatory framework, reduce administrative burden and enhance the competitiveness of European organisations.

The EDPB and the EDPS focus on the aspects concerning the GDPR, the EUDPR, the ePrivacy Directive, and the Data Acquis.** More specifically, they assess whether the proposal 1) leads to real simplification and facilitates compliance, 2) brings more legal certainty and 3) affects individuals’ fundamental rights.

Changes to the GDPR and the EUDPR

Changes raising significant concerns

Some proposed changes raise significant concerns as they can adversely affect the level of protection enjoyed by individuals, create legal uncertainty and make data protection law more difficult to apply.

The EDPB and the EDPS strongly urge the co-legislators not to adopt the proposed changes to the definition of personal data as they go far beyond a targeted or technical amendment of the GDPR. In addition, they do not accurately reflect and clearly go beyond the CJEU jurisprudence, and they would result in significantly narrowing the concept of personal data. The European Commission should not be entrusted to decide by an implementing act what is no longer personal data after pseudonymisation as it directly affects the scope of application of EU data protection law.  

“Simplification is essential to cut red tape and strengthen EU competitiveness — but not at the expense of fundamental rights. We welcome the Commission’s steps toward greater harmonisation, consistency, and legal certainty. However, we strongly urge the co-legislators not to adopt the proposed changes in the definition of personal data, as they risk significantly weakening individual data protection.” EDPB Chair, Anu Talus

“We strongly urge the co-legislators not to adopt the proposed changes to the definition of personal data. These changes are not in line with the Court’s case law and would significantly narrow the concept of personal data.  We must make sure that any changes to the GDPR and EUDPR actually clarify obligations and bring legal certainty while maintaining trust and a high level of protection of individual rights and freedoms." European Data Protection Supervisor, Wojciech Wiewiórowski

Steps in the right direction

The EDPB and the EDPS are in favour of the increase of the threshold of risk leading to the obligation to notify a data breach to the competent Data Protection Authority (DPA) and the extension of the deadline to submit such a notification. This would significantly reduce the administrative burden for organisations without affecting the protection of individuals’ personal data. In addition, the proposed common templates and lists for data breaches and data protection impact assessments are positive.

The EDPB and the EDPS also welcome the proposed introduction of a new derogation to process special categories of data for biometric authentication, where the verification means are under the individual’s sole control.

Lastly, they support the harmonisation of the notion of ‘scientific research’ and other related changes, since they enhance legal certainty and help to bring more harmonisation.

Changes that need fine-tuning

As stated in the EDPB Opinion 28/2024 on AI models, legitimate interest may be used, in some cases, as a legal basis in the context of the development and deployment of AI models or systems. Therefore, the EDPB and the EDPS do not consider it necessary to include a specific provision on this in the GDPR.

The EDPB and the EDPS welcome the proposal’s aim to introduce a specific derogation to the prohibition to process sensitive data, subject to conditions, covering the incidental and residual processing of such data in the context of the development and operation of AI systems or models. However, they recommend several improvements, such as clarifying the scope of the derogation and ensuring safeguards throughout the whole lifecycle.

The EDPB and the EDPS agree with the Commission’s aim to provide legal clarity to controllers where they face abuse of rights by data subjects. However, they consider that the exercise of the right to access for purposes other than the protection of personal data should not be an element defining what an abuse is. Concerning the new derogation for transparency, the EDPB and the EDPS support simplifying information requirements and reducing administrative burden, in particular for SMEs, but suggest clarifications to ensure legal certainty and ensure that individuals may still receive relevant information about their data when necessary.

Lastly, changes brought to the provision on automated individual decision-making should be clarified to make these changes meaningful and legally sound.

Changes to the ePrivacy Directive

The EDPB and the EDPS strongly support the objective of providing for a regulatory solution to address consent fatigue and the proliferation of cookie banners. This relates, for instance, to the proposed requirements on the use of automated and machine-readable indications of individuals’ choices regarding the processing of their data. The use of technical means can simplify compliance by controllers and support individuals in making their online choices effective.

The EDPB and the EDPS also welcome the limited additional derogations to the general prohibition to store or gain access to personal data in the terminal equipment and further invite the co-legislators to incentivise contextual advertising rather than behavioural advertising, by adding a specific exception surrounded by some safeguards.

The EDPB and the EDPS welcome the fact that the oversight of such matters will be entrusted to DPAs. 
At the same time, the EDPB and the EDPS highlight the legal and technical difficulties raised by the co-existence of two different regimes for personal and non-personal data. They also provide additional recommendations to enhance legal certainty, minimise the risk and foster responsible innovation.

Changes to the Data Acquis

The EDPB and the EDPS support the simplification of the Data Acquis through the integration into the Data Act of the Data Governance Act and Open Data Directive rules on the re-use of data and documents held by public sector bodies.

In relation to access granted by public bodies for re-use, they recommend maintaining the clarity offered by the current legal framework, namely that it does not oblige public sector bodies to allow re-use, nor does it provide a legal basis for granting access.

Regarding public emergencies, the EDPB and the EDPS recommend affirming that personal data can be shared only in pseudonymised form with public sector bodies, in cases where anonymous data is insufficient to respond to the public emergency.

Concerning data intermediation services and data altruism organisations, the EDPB and the EDPS highlight the importance of trustworthy and responsible data sharing. They recommend maintaining specific safeguards, favouring transparency and oversight.

The EDPB and the EDPS recommend streamlining further the provisions on enforcement (e.g. by enabling cross-regulatory exchange of information on enforcement including with DPAs and clarifying the role of DPAs in enforcing the Data Act).

The EDPB and the EDPS welcome the proposal’s confirmation of the European Data Innovation Board (EDIB)’s role in supporting the consistent application of the Data Act. On the development of guidelines, they recommend empowering the Commission to issue guidelines on any topic concerning the Data Act and clarifying the EDIB’s role in assisting the Commission in this process. This would enable the Commission to develop joint guidelines with the EDPB and allow the EDIB to advise and assist the Commission in the development of such guidelines.

Note to editors:

* On 19 November 2025, the Commission adopted a Digital Omnibus proposal amending a large corpus of the EU’s digital legislation, including the GDPR, the EUDPR, the Data Act, the ePrivacy Directive, the NIS 2 Directive.

On 25 November 2025, the Commission formally consulted the EDPB and the EDPS in accordance with Article
42(2) EUDPR and requested an opinion on the aspects concerning the GDPR, the EUDPR, the ePrivacy Directive, and the Data Acquis.

On 20 January 2026, at the request of the Commission, the EDPB and EDPS have also adopted a  Joint Opinion on the Digital Omnibus on AI.

** The “data acquis”, part of the Digital Omnibus proposal, aims to repeal the Data Governance Act (“DGA”), Open Data Directive (“ODD”) and the Free Flow of Non-Personal Data Regulation (“FFNPR”) and integrates amended relevant provisions of those acts into the Data Act.