(AGENPARL) – Wed 11 February 2026 Digital Omnibus: EDPB and EDPS support simplification and competitiveness while raising key concerns
Brussels, 11 February – The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a Joint Opinion on the Digital Omnibus Regulation proposal.* This proposal aims to simplify the EU’s digital regulatory framework, reduce administrative burden and enhance the competitiveness of European organisations.
The EDPB and the EDPS focus on the aspects concerning the GDPR, the EUDPR, the ePrivacy Directive, and the Data Acquis.** More specifically, they assess whether the proposal 1) leads to real simplification and facilitates compliance, 2) brings more legal certainty and 3) affects individuals’ fundamental rights.
Changes to the GDPR and the EUDPR
Changes raising significant concerns
Some proposed changes raise significant concerns as they can adversely affect the level of protection enjoyed by individuals, create legal uncertainty and make data protection law more difficult to apply.
The EDPB and the EDPS strongly urge the co-legislators not to adopt the proposed changes to the definition of personal data as they go far beyond a targeted or technical amendment of the GDPR. In addition, they do not accurately reflect and clearly go beyond the CJEU jurisprudence, and they would result in significantly narrowing the concept of personal data. The European Commission should not be entrusted to decide by an implementing act what is no longer personal data after pseudonymisation as it directly affects the scope of application of EU data protection law.
“Simplification is essential to cut red tape and strengthen EU competitiveness – but not at the expense of fundamental rights. We welcome the Commission’s steps toward greater harmonisation, consistency, and legal certainty. However, we strongly urge the co-legislators not to adopt the proposed changes in the definition of personal data, as they risk significantly weakening individual data protection.”
EDPB Chair, Anu Talus
“We strongly urge the co-legislators not to adopt the proposed changes to the definition of personal data. These changes are not in line with the Court’s case law and would significantly narrow the concept of personal data. We must make sure that any changes to the GDPR and EUDPR actually clarify obligations and bring legal certainty while maintaining trust and a high level of protection of individual rights and freedoms.”
European Data Protection Supervisor, Wojciech Wiewiórowski
Steps in the right direction
The EDPB and the EDPS are in favour of the increase of the threshold of risk leading to the obligation to notify a data breach to the competent Data Protection Authority (DPA) and the extension of the deadline to submit such a notification. This would significantly reduce the administrative burden for organisations without affecting the protection of individuals’ personal data. In addition, the proposed common templates and lists for data breaches and data protection impact assessments are positive.
The EDPB and the EDPS also welcome the proposed introduction of a new derogation to process special categories of data for biometric authentication, where the verification means are under the individual’s sole control.
Lastly, they support the harmonisation of the notion of ‘scientific research’ and other related changes, since they enhance legal certainty and help to bring more harmonisation.
Changes that need fine-tuning
As stated in the EDPB Opinion 28/2024 on AI models, legitimate interest may be used, in some cases, as a legal basis in the context of the development and deployment of AI models or systems. Therefore, the EDPB and the EDPS do not consider it necessary to include a specific provision on this in the GDPR.
The EDPB and the EDPS welcome the proposal’s aim to introduce a specific derogation to the prohibition to process sensitive data, subject to conditions, covering the incidental and residual processing of such data in the context of the development and operation of AI systems or models. However, they recommend several improvements, such as clarifying the scope of the derogation and ensuring safeguards throughout the whole lifecycle.
The EDPB and the EDPS agree with the Commission’s aim to provide legal clarity to controllers where they face abuse of rights by data subjects. However, they consider that the exercise of the right to access for purposes other than the protection of personal data should not be an element defining what an abuse is. Concerning the new derogation for transparency, the EDPB and the EDPS support simplifying information requirements and reducing administrative burden, in particular for SMEs, but suggest clarifications to ensure legal certainty and ensure that individuals may still receive relevant information about their data when necessary.
Lastly, changes brought to the provision on automated individual decision-making should be clarified to make these changes meaningful and legally sound.