27.02.2026
Practice Areas: Intellectual Property and Information Technology
Services: Data Protection and Cybersecurity
EDPB-EDPS joint opinion on the Digital Omnibus proposal
- Subject matter and scope
The European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) adopted, on 10 February 2026, a Joint Opinion on the European Commission’s proposal for a regulation on the simplification of the European digital legislative framework (“Digital Omnibus Proposal” or “Proposal”).
While the EDPB and EDPS support the simplification and competitiveness objectives underlying the Proposal, they regret that it has not been accompanied by a full impact assessment and consider that the potential negative impact of certain changes on the protection of fundamental rights and freedoms has not been adequately considered.
- EDPB and EDPS Reserves
- 1. Definition of personal data
The EDPB and the EDPS expressed significant reservations regarding the proposed changes to the definition of personal data in Article 4(1) of the GDPR. The Proposal aims to codify the case law of the CJEU, in particular the judgment of 4 September 2025 in case C-413/23 P (EDPS v SRB). However, according to the authorities, the proposed changes clearly go beyond this case law.[1]
The Proposal seeks the introduction of a new paragraph, according to which (i) “information relating to a natural person does not necessarily constitute personal data for any other person or entity” and (ii) “information does not become personal to that entity solely because a potential subsequent recipient has a means reasonably capable of being used to identify the natural person”.
According to the authorities, these changes:
- They go beyond a merely technical modification or a simple codification of the case-law of the CJEU;
- They would lead to a significant narrowing of the concept of personal data, with a negative impact on the fundamental right to the protection of personal data;
- They can lead to confusion and do not ensure the desired legal certainty, as a “negative” definition tends to increase uncertainty;
- They can encourage controllers to identify gaps in the data protection regime.
For these reasons, the EDPB and the EDPS urge the co-legislators not to adopt the proposed changes to the definition of personal data.
2.2. Pseudonymisation and implementing acts
The Proposal provides for the introduction of a new Article 41a in the GDPR, empowering the Commission to adopt implementing acts to define means and criteria to determine whether pseudonymised data cease to constitute personal data for certain entities.
This amendment is in the context of the recent case law of the CJEU in EDPS v SRB,[2] in which the Court established that:
- The application of the GDPR presupposes, in principle, an examination of the identified or identifiable nature of the data subject by the information in question;
- Pseudonymised data is not necessarily personal data for all entities – pseudonymisation may, depending on the circumstances of the individual case, effectively prevent persons other than the controller from identifying the data subject.
However, the EDPB and the EDPS consider that the regulation of this matter by means of an implementing act is not appropriate:
- It is the responsibility of the supervisory authorities, under judicial review, to apply the GDPR definitions independently;
- The practical impact of implementing the proposed “means and criteria” remains unclear, and may translate into greater complexity and uncertainty.
Therefore, the EDPB and the EDPS recommend the deletion of the proposed Article 41a.
It should be noted that the EDPB is currently preparing updated guidance on pseudonymisation and anonymisation, following a public consultation, which will take into account the EDPS v SRB judgment. This consultation showed that the judgment raises a number of practical and legal issues that need clarification.
3. Positive aspects of the Proposal
The EDPB and EDPS welcome several aspects of the Proposal, but suggest certain improvements:
3.1. Scientific research
The Proposal introduces a harmonised definition of “scientific research”, according to which scientific research “shall contribute to existing scientific knowledge or apply existing knowledge in innovative ways, be conducted with the aim of contributing to the growth of general knowledge and societal well-being, and respect ethical standards in the relevant research area”. The EDPB and the EDPS welcome this harmonisation, which could reduce the current fragmentation between Member States. However, they recommend that the essential criteria should be included in the standards (and not only in the recitals), namely:
- research should be conducted in a methodological, systematic, autonomous and independent manner; e
- it should lead to verifiable and transparent results, and transparency may include the publication of results.
3.2. Data breach notification: Single point of entry (SEP)
The EDPB and EDPS strongly support the creation of a single-entry point (SEP) for the notification of personal data breaches, as they believe that this measure will reduce the administrative burden on organizations without compromising the level of protection of data subjects.
The authorities also express support for the following amendments:
- Raising the threshold for reporting to supervisors from “risk” to “high risk”, allowing for a more efficient allocation of resources to the most serious incidents;
- The extension of the notification period from 72 to 96 hours;
- The adoption of common notification formats and harmonised lists of circumstances that may result in a high risk to the rights and freedoms of data subjects.
Nevertheless, they recommend that the preparation and approval of these instruments be entrusted exclusively to the EDPB, rather than being subject to unilateral modification by the Commission.
3.3. Data Protection Impact Assessments (DPIAs)
The EDPB and EDPS support the harmonisation of lists of DPIA at EU level and the creation of a common model and methodology, which can simplify the implementation of this important process.
3.4. Rights of data subjects
3.4.1. Limitation of the right of access
The Proposal aims to amend Article 12(5) of the GDPR by clarifying situations of “abuse of rights” in access requests.
While the EDPB and the EDPS support the intention to enhance legal certainty, they consider the linking of the notion of abuse to the exercise of the right of access for purposes other than data protection problematic. They recall that the CJEU has already confirmed that data subjects can legitimately exercise the right of access for various purposes, without the need to provide any specific reason.
In this sense, they recommend that the classification of “abusive request” depends on the existence of an abusive intention, for example, a manifest intention to cause damage to the controller, and not on the purpose pursued by the data subject.
3.4.2. Transparency derogations
The Proposal introduces a derogation from the obligation to provide information under Article 13(4) of the GDPR, waiving the provision of information when the data subject already has it readily available. The measure aims to simplify information requirements, in particular for Small and Medium-sized Enterprises (“SMEs”).
The EDPB and EDPS welcome this objective, but warn that the proposed wording may generate legal uncertainty. In particular, they criticise the ambiguity of the concepts and recommend the clarification of the “non-data-intensive activity” and “clear and circumscribed relationship”, as they consider these to be ambiguous, which may jeopardise their uniform application.
They also argue that it must be expressly ensured that the controller remains obliged to provide all the information provided for in Article 13 when requested by the data controller.
3.4.3. Automated individual decisions
The Proposal significantly amends the current regime of exclusively automated decisions. Instead of enshrining a “right not to be subject” to this type of decision (understood by the CJEU as a prohibition in principle with restricted exceptions), the new wording now presents an exhaustive list of situations in which such decisions are allowed.
The EDPB and the EDPS warn that this change in wording should not lead to a reversal of the logic of the standard. They argue that the idea that the rule remains prohibition should be kept clear, with exceptions only being allowed under strict conditions.
With regard to automated decisions in a contractual context, the Proposal clarifies that the “necessity” of the decision must be assessed independently of the possibility of human intervention – that is, the fact that the decision can also be taken by a human does not prevent the responsible party from taking it in an exclusively automated way. The authorities welcome the intention of clarification, but warn of the risk of this wording being interpreted as allowing automated decisions where there is a contract. They recommend that it be made clear that automated decision-making is only “necessary” if there are no alternative means that are equally effective and less intrusive.
4. Artificial Intelligence, ePrivacy and Data Governance: The Other Proposed Changes
4.1. Artificial Intelligence and Sensitive Data
The Proposal aims to clarify that legitimate interest can be used as a legal basis for the development and operation of AI systems. The EDPB and the EDPS agree with this guideline, already confirmed in EDPB Opinion 28/2024, but warn that this does not dispense with a case-by-case assessment, requiring an effective balance between the interests of the controller and the rights and freedoms of the data subjects.
The authorities also recommend that the right to object be strengthened in practice, and that data subjects should be informed sufficiently in advance to be able to exercise this right before the start of processing.
We highlight that the Proposal introduces a derogation that allows for incidental and residual processing of special categories of data (such as health data, ethnic origin or political beliefs) in the context of the development of AI systems. The EDPB and EDPS welcome this possibility, but insist on the need for robust safeguards throughout the life cycle of the systems.
In particular, they warn that this derogation should not cover sensitive data provided through prompts during the use of generative AI systems, a point with relevant practical implications for organisations that provide chatbots or virtual assistants to customers or employees.
4.2. ePrivacy Directive: Cookies and consent
The EDPB and EDPS strongly support the goal of putting an end to the proliferation of cookie banners and “consent fatigue”. They also support the entrustment of data protection supervision over this matter.
However, the EDPB and EDPS express concern about the normative fragmentation resulting from the Proposal. Currently, the ePrivacy Directive regulates in a unitary way the access and storage of information in terminal equipment (such as cookies and similar technologies). The Proposal aims to transfer part of these rules to the GDPR, creating an artificial division: the rules on personal data would be included in the GDPR and the EUDPR, while those on non-personal data would remain in the ePrivacy Directive.
According to the authorities, this separation could sow greater legal uncertainty about which regime should be applied, depending on each specific case.
Additionally, the authorities suggest introducing an exception for contextual advertising, as a [3] less intrusive alternative to behavioral advertising.[4]
4.3. Data, Governance and Altruism
The Proposal provides for the integration into the Data Act (“DA”) of the rules currently provided for in the Data Governance Regulation (“DGA”), with the consequent repeal of the latter. In this context, significant changes are made to the regime applicable to data intermediation services, data altruism organisations and the provision of data in the event of a public emergency.
With regard to data intermediation services, the EDPB and the EDPS defend the maintenance of the obligation of prior registration, at least when the planned activities involve the processing of personal data that may result in a high risk to the rights and freedoms of natural persons. This obligation is an essential safeguard to ensure that competent authorities can adequately supervise entities that play a central role in the data economy.
For data altruism organisations, while the rules will now be included in the DA, the Proposal removes the record-keeping and annual reporting obligations currently provided for in the Data Governance Regulation. The EDPB and the EDPS disagree with this approach and recommend maintaining these obligations, as they are key to ensuring that competent authorities can exercise their supervision effectively and to foster public trust in the label “recognised data altruism organisation in the Union”. In particular, the obligation to report annually regarding the categories of persons authorised to process the data and the organisation’s sources of revenue should be maintained.
Regarding the provision of data in the event of a public emergency, the EDPB and the EDPS recommend maintaining the requirement that requests should first relate to non-personal data, and only to personal data in pseudonymised format when the non-personal data is insufficient to respond to the emergency. This hierarchy of access aims to ensure that the use of personal data is always subsidiary and proportionate to the specific need.
4.4. European Data Innovation Board (EDIB)
The EDPB and the EDPS welcome the confirmation of the role of the European Data Innovation Board (EDIB) in supporting the consistent implementation of the Data Act. They recommend, however, that it be clarified that the EDIB will continue to assist the Commission in the development of guidelines and standards in the field of data governance.
5. Next steps:
Although the Proposal is still under discussion, it is recommended that organizations:
- Map most exposed areas (pseudonymization, AI and sensitive data, automated decisions, and data breaches);
- Anticipate scenarios for adapting policies and procedures;
- Monitor developments with the EU institutions and the EDPB guidelines.
