EDPB and EDPS adopt Joint Opinion on European Commission's Omnibus

On November 19th, 2025, the European Commission published the first draft of its Digital Omnibus. The European Commission intends to reduce bureaucratic burdens for businesses by both updating its cornerstone legislation to meet contemporary needs and aligning provisions and terminology across relevant legislative acts.

In a significant move toward regulatory streamlining, the EDPB and the EDPS have issued a Joint Opinion on the European Commission’s "Digital Omnibus" proposal. Adopted on 10 February 2026, this Joint Opinion provides a nuanced evaluation of the Commission’s efforts to simplify the EU’s digital legislative landscape, including the GDPR and the Data Act. 

While the authorities generally support the objective of reducing administrative burdens to foster competitiveness, their analysis reveals several critical perspectives where "simplification" might inadvertently erode fundamental rights.

Broadly, the EDPB and EDPS support the European Commission's assessment and general direction. The Joint Opinion welcomes the potential for fostering greater harmonisation, consistency, and legal certainty, and reducing unnecessary administrative burdens. At the same time, the EDPB and EDPS raise significant concerns regarding specific changes, where both recognise the intent but expect well-intended adjustments to result in negative outcomes.

Regarding the GDPR, the EDPB and EDPS expressly welcome proposals in the following areas:

• Scientific research
• A new exception for the processing of special categories of data for biometric authentication
• Data breach notifications and data protection impact assessments (DPIAs)

At the same time, regarding the GDPR, the Joint Opinion expresses significant concerns in the following areas:

• The definition of personal data
• Pseudonymisation as an implementing act

On the following aspects of the GDPR, the EDPB and EDPS support the objectives but consider further adjustments necessary to make the proposal fit for purpose:

• The use of legitimate interest in the context of AI
• An exception for incidental and residual processing of special categories of data in the context of AI
• Limitations to the right of access
• New derogations for transparency
• Automated individual decision-making

Regarding ePrivacy, the EDPB and the EDPS 

• “strongly support the aim of the Proposal to provide for a regulatory solution to address consent fatigue and proliferation of cookie banners and to simplify the rules applicable to the protection of the terminal equipment of end-users.” 
• Yet, the Joint Opinion remains critical whether, “the proposed separation of the rules on access to and storage of information in terminal equipment over different legal instruments may lead to legal uncertainty”. 
• Thus, suggestions are being provided "to enhance legal certainty, minimise the risks and foster responsible innovation, including by adding an exception for contextual advertising"

Regarding the suggested updates to the Data Act, the Data Governance Act, the Free Flow of Non-Personal Data Regulation, and the Open Data Directive (the "Data Acquis"), the Joint Opinion:

• Welcomes the streamlining of the regulatory frameworks;
• While generally emphasising the need for rigorous safeguards and suitable guardrails in implementing measures to protect data subjects' rights, specifically regarding clarifications on the need for pseudonymisation and anonymisation.

The most striking aspect of the Joint Opinion is the authorities' firm opposition to the proposed adjustments to the definition of "personal data." The Commission seeks to codify the EDPS v SRB judgment by suggesting that information is not necessarily "personal" for one entity merely because another entity can identify the individual. The EDPB and EDPS conclude that the adjustments proposed by the Commission would negatively affect data protection by narrowing the scope of the definition.

The EDPB opines that this "negative" definition - defining what data is not rather than what it is - could create dangerous legal loopholes. From their perspective, such a change moves beyond a "technical" update and could allow controllers to bypass GDPR protections through artificial organisational structures. Furthermore, they express deep reservations about granting the Commission the power to define the effects of pseudonymisation through implementing acts, viewing this as an encroachment on the independence of supervisory authorities.

The EDPB and EDPS welcome the dimensions of the proposal that bring harmonised definitions to "scientific research." The Omnibus suggests that research contributing to the "growth of society’s general knowledge" should be viewed as compatible with original data collection purposes. The authorities interpret this as a positive step for legal certainty, though they emphasise that such processing must still adhere to strict ethical standards and the principle of legitimate interest.

The authorities agree on the basis that the proposed changes will not apply to commercial, in-house research per se. To this end, the authorities suggest clarifications that research for the growth of societal knowledge should require - in principle - the publication of related research results. The Joint Opinion emphasises that the authorities recognise that research might also further commercial interests and may relate to development, demonstration, and innovation. Yet, the EDPB and EDPS highlight that as long as the GDPR privileges “scientific research,” legislative clarity on distinguishing scientific research from other forms of research is necessary.

In the same vein, the EDPB and EDPS welcome the proposed clarification and streamlining of privileged public archiving purposes.

Interestingly, the EDPB and EDPS support a new exception for the processing of special categories of personal data - specifically in the context of biometric authentication - provided the data remains under the individual’s "sole control," such as on a personal smart device. At the same time, the Joint Opinion asks for a proportionality test. Verification via biometric data should only be implemented where alternative, less intrusive means are not suitable.

The EDPB and EDPS take a critical stand on the proposals regarding data subject rights and transparency obligations. The Commission has identified a growing abuse of data subject requests, namely access requests pursuant to Art. 15 GDPR. Consequently, the proposal suggests limitations in this respect. The Joint Opinion highlights the primary objective of the GDPR, which is the protection of natural persons. The Joint Opinion also emphasises that the GDPR itself aims to protect data subjects' fundamental rights and freedoms and, in particular, their right to the protection of personal data.

In other words, the Joint Opinion argues that data protection is - to some extent - the vehicle for these rights. It underpins its position with a reference to Case ECJ C-526/24 (FT vs. DW), where the European Court of Justice ruled that the applicable provisions do not require data subjects to “put forward reasons to justify their requests. Therefore, those provisions do not give the controller the possibility of demanding that reasons be given for the request for access submitted by the data subject." Therefore, those provisions do not give the controller the possibility of demanding that reasons be given for the request for access. Additionally, “the first sentence of recital 63 of the GDPR cannot be interpreted as meaning that that request must be rejected if it concerns an objective other than that of becoming aware of the processing of data and verifying the lawfulness of that processing. That recital cannot restrict the scope of Article 15(3) of that regulation as recalled in paragraph 35 of the present judgment.”

The EDPB and EDPS acknowledge, though, the existence of abuse. While the Commission links this abuse to the purposes of data protection, the authorities favour linking the abuse to the data subject's intentions. In the same vein, the authorities suggest refraining from any notions in the GDPR where access is deemed excessive if requests are “overly broad and undifferentiated,” as this would contradict the purpose of the access request in the first place.

In general, the EDPB and EDPS recognise the linguistic parallel between the Commission proposal and the authorities' own possibilities to reject complaints or charge fees. However, the EDPB and the EDPS raise concerns on the burden of proof and the clarity of the proposal. Such clarity is especially challenged in respect of controllers' transparency obligations. The authorities consider the notions of “clear and circumscribed relationship”, “data-intensive activity”, and “reasonable doubts” to have limited to no added value. Creating confusion on interpretation may eventually lead to the opposite of reduced burdens for SMEs.

The EDPB and the EDPS consider the suggested modifications critical. They recommend amending the Proposal to avoid any impression that automated decision-making is in principle allowed, whether in general or within the context of a contract. The authorities refer to an ECJ judgment again to underpin their position that automated decision-making should be deemed a generally prohibited means of processing which is only lawful if one of the exceptions in the GDPR is met (Case ECJ C‑634/21, Schufa).

Regarding Artificial Intelligence (AI), the Joint Opinion takes a measured stance on the proposed "incidental" processing of sensitive data during AI training. The authorities acknowledge the practicalities of AI development but suggest that safeguards must be "implemented across the AI development lifecycle" to prevent the reuse of such data for other purposes.

On the administrative front, the proposal includes several streamlining measures that the authorities find constructive:

• Higher Notification Thresholds: Raising the bar for reporting data breaches and extending the deadline to 96 hours is viewed as a pragmatic way to reduce "red tape."
• Common Templates: The introduction of EEA-wide templates for breach notifications and DPIAs is seen as a way to foster greater harmonisation.
• Single Entry Point (SEP): The authorities strongly support a Single Entry Point for incident reporting, which they believe will simplify compliance for organisations operating across multiple jurisdictions.

Finally, the Joint Opinion addresses the integration of the Data Governance Act and the Open Data Directive into a unified "Data Act." While they support this consolidation, the EDPB and EDPS recommend reinstating provisions that clarify that this framework does not, by itself, create a legal basis for processing personal data.

In the realm of ePrivacy, they support the "regulatory solution" to address consent fatigue and the "proliferation of cookie banners." However, they remain cautious that splitting these rules across different legal instruments could lead to "legal uncertainty" for both businesses and consumers.

Interestingly, the EDPB and EDPS favour including incentives to use less intrusive processing activities in the context of tracking and profiling. The Joint Opinion recognises that contextual advertising also requires some form of tracking technology. As they consider contextual advertising less intrusive than behavioural advertising, the EDPB and EDPS suggest strong and clear language to prevent legal uncertainties in this respect as an incentive.

Where processing is based on consent, the Joint Opinion asks for suitable renewals of such consent, ensuring that data subjects are reminded at appropriate intervals of their processing choices. The authorities also highlight the potential circular argument where controllers should not ask for consent for six months following a rejection. This will likely require a mechanism to store such information on the terminal device, even though access (including storage) has been rejected. Alongside this, the Joint Opinion strongly welcomes the requirements regarding automated and machine-readable indications of data subjects’ choices. Generally, the authorities ask for more data protection by default in this context.

The Joint Opinion provides a constructive analysis of the current situation under the GDPR. The GDPR was drafted more than ten years ago - a lifetime ago in technological terms, given significant changes in geopolitics, society, media, and technology.

Any claims neglecting the need for well-drafted updates to the GDPR appear delusional. Therefore, it is refreshing that the authorities and the Commission share the same conclusion on the overarching need and essential objectives.

In two recent articles (refer to the Related News Section), I have analysed some of the elements myself, and I mostly agree with the conclusions of the EDPB.

Indeed, the Commission's proposal appears insufficient in addressing pressing needs. The suggested language is - at best - confusing, and - at worst - contradicts its own intents. If the suggested limitations of transparency obligations under Art. 13 GDPR are deemed necessary to reduce unnecessary burdens for SMEs, such limitations must be as crystal clear as possible. SMEs - like any other business - probably do not fear transparency; they fear legal uncertainty. They suffer - competitively - where legal compliance requires legal support for almost every step along the way.

The conclusion that transparency information has limited added value if personal data has been acquired from the data subjects themselves appears accurate. However, Art. 13(4) GDPR already provides for an exception: "Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.” Perhaps transparency obligations require a more robust update than surgical amendments, as suggested in my article “Once reforms come knocking thrice (German)". 

The EDPB and the EDPS correctly analyse that the proposed amendment by the Commission is badly phrased. the Commission apparently intends to integrate the ECJ's ruling in EDPS vs. SRB (see also my articles for further details, especially Opportunities to reduce bureaucracy under GDPR after CJEU in EDPS v. SRB). 

The “negative” within the definition is anything but clear. On the other hand, I do not tend to agree with the Joint Opinion that the definition would negatively affect GDPR's reach. I would rather say, the modifications as suggested by the Commission will have no impact at all. The latter is unfortunate as GDPR may indeed require some modifications in respect of its definition. As I highlight in my article on recent updates and reform of GDPR (Once reforms come knocking thrice (German), there might be a need to separate personal identified data and personal identifiable data rather than merging both well-known concepts into one definition of personal data. One might even extend the concept by “non-/genuine identifiability”, as I highlight in my article post EDPS vs. SRB (Opportunities to reduce bureaucracy under GDPR after CJEU in EDPS v. SRB).

In respect of data subject rights, namely data access requests, the EDPB and the EDPS appear to be "offside." It is accurate that the ECJ ruled that data subjects are not required to justify their requests. Indeed, an effective right to request data access is a prerequisite for any other data protection-related right. On the other hand, there are reports that Art. 15 GDPR has been exercised with statistically insignificant regard for its original intent (enforcing data protection). Art. 15 GDPR has become a cheap and easy way to extend pre-court and in-court procedural possibilities to gain proof for non-data protection-related claims.

Where the EDPB and the EDPS refer to the ECJ's ruling, one should ask since when judgments replace the wording of a law, and since when legislators lost their powers within the separation of powers to readjust legal frameworks - provided such updates remain within the guardrails of fundamental rights. In this case, the ECJ has already ruled that non-data protection-related interests may indicate excessive exercise of data subject rights, justifying a controller's rejection (Case ECJ C-526/24, Brillen Rottler). The court ruled that “A finding of an abusive intention may be made where the data subject has made that request for a purpose other than that of being aware of the processing of those data and verifying the lawfulness of that processing, in order to be able, subsequently, to obtain protection of his or her rights under the GDPR.” In this respect, where the Joint Opinion refers to this very same procedure, the authorities appear - unintentionally - to be narrowing down the effects of such a ruling, as they needed to recur to the Advocate General's opinion.

It is well noted that the authorities welcome the exception for biometric data. While it seems reasonable to ask for limitations “where no suitable alternative will suffice,” this limitation appears to ignore real-life facts.

First, European security requirements require two-factor authentication (2FA), of which one element is often met by biometric data. Second, traditional passwords have been recognised as a weak means of protection for years. This weakness results from several aspects, such as limited creativity ("12345"), limited flexibility (reusing passwords), and limited changes (survival of leaked passwords). Concepts like "passkeys" have suffered from limited usability for "lay users." Biometric data has become an easy means to translate biometric information into a passkey. Will any app suggesting biometric login instead of password-protected login be deemed excessive in the view of the Joint Opinion? The requirement is a “proper password,” which lies outside the effective influence of a service provider.

If the EDPB and EDPS refer to corporate environments - especially badges or smart cards - the Joint Opinion seems more nuanced. Indeed, employees should not be forced to provide their biometric data to access non-critical areas. On the other hand, considering increasingly elaborate attack vectors, including social engineering, thresholds may shift fast.

Unfortunately, the EDPB and EDPS did not recognise the need for a fundamental overhaul of Art. 9 GDPR. One might claim that the effects of Art. 9 GDPR have become excessive as they do not fit real-life scenarios anymore. While alignment with Art. 6 GDPR would probably be the best approach, it seems at a minimum necessary to provide for processing in the context of contractual relations where the processing of special categories of personal data is inherent to service operations. From a risk perspective, it also seems unfortunate that neither the Commission nor the EDPB and EDPS considered an update to the list of data requiring specific protection; nowadays, other data (such as payment information or public identification numbers) may result in high-profile damages in case of severe identity theft.

In the same vein, it appears unfortunate that the authorities prefer raising concerns and defending established grounds instead of proactively moderating current challenges.

Indeed, automated decision-making can have negative impacts on data subjects. On the other hand, it can provide significant added value - claims can be processed faster and fraud can be detected more easily so that costs of third-party misconduct are not socialised. Defining thresholds between “preparatory” automation and “de facto automated decisions” appears nearly impossible. If no certain thresholds can be upheld nor enforced, a shift in methodology is needed. Automated decision-making by itself is not harmful; harm arises from opaque design, bad faith, and limited means of reassessment.

This leads to the aspect of research. Interestingly, the EDPB and the EDPS acknowledge that research for commercial interests, development, and demonstration is a de facto need. Thus, the GDPR must provide options to enable such research. While the Joint Opinion raises reasonable concerns about the proposed language, it is unfortunate that it tries to further narrow "scientific research" instead of bravely suggesting to extend the definition to any kind of “research,” provided defined standards of ethics and research are applied.