This publication is a follow-up to our e-zine, "The Digital Omnibus: A Quick Glance at the GDPR Impact" (27 November 2025), in which we analysed the key proposed GDPR amendments introduced by the European Commission's Digital Omnibus Proposal.
Recap: Where we left off
On 19 November 2025, the European Commission (EC) released the Digital Omnibus Proposal as part of its comprehensive 2024–2029 legislative simplification agenda, aiming to streamline the EU's digital regulatory framework, alleviate administrative burdens, and enhance competitiveness. The proposal was introduced following a contentious pre-adoption period, during which the leak of an internal draft prompted significant debate among academics, civil society representatives, and industry stakeholders regarding the potential reopening of the GDPR.
The proposal has since continued to generate controversy and the EU's two main data protection authorities have now weighed in.
The EDPB and EDPS Joint Opinion: What did they say?
On 10 February 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) jointly adopted EDPB-EDPS Joint Opinion 2/2026 on the Digital Omnibus Proposal. The opinion is a wide-ranging assessment of the proposed GDPR and ePrivacy amendments. The overall message is one of conditional support: the authorities welcome certain simplification measures but express serious reservations and in some cases firm opposition to others.
Below is a theme-by-theme breakdown of their position on the key GDPR amendments we covered in our previous e-zine.
1. Definition of personal data – a red line
Digital Omnibus Proposal: The EC proposed introducing an entity-relative identifiability standard: information would not qualify as personal data in relation to a given entity if that entity cannot reasonably identify the data subject. This was presented as a targeted clarification to facilitate data sharing and pseudonymisation practices.
Opinion of the EDPB & EDPS: negative. This is the point on which the EDPB and EDPS take their strongest stance. The proposed changes to the definition of personal data would, in their view, narrow the concept in a way that goes far beyond a technical amendment or a codification of CJEU case law. They strongly urge the co-legislators to not adopt the proposed changes. A narrowed definition risks inviting controllers to engineer structures that place them outside the GDPR's reach, while individuals' data remains exposed.
2. Sensitive data – biometric exception welcomed, AI exemption requires improvements
Digital Omnibus Proposal: The EC proposed adding two new exemptions to Article 9 GDPR. First, biometric data may be processed for verification purposes where both the biometric data and the verification mechanisms remain exclusively under the data subject's control. Second, AI developers may process incidentally encountered sensitive data during AI training operations, provided robust mitigation measures are in place.
Opinion of the EDPB & EDPS: They welcome the new exception for biometric authentication where the verification means are under the individual's sole control. As for the AI residual processing exemption, they recommend referring to "incidental and residual" in the enacting terms, clarifying the scope of the derogation, and ensuring safeguards throughout the whole lifecycle.
3. DSARs – clarification welcome, but scope of reform must be narrowed
Digital Omnibus Proposal: The EC proposed clarifying that, in addition to the existing ability to refuse or charge a reasonable fee for manifestly unfounded or excessive DSARs, such requests may also be refused or subject to a fee where they are used or abused for purposes other than data protection.
Opinion of the EDPB & EDPS: Clarifying what qualifies as an abuse of rights is welcomed, but it should not be linked to the exercise of the right to access for purposes other than data protection. The CJEU has already confirmed that data subjects may exercise their right of access without having to justify their reasons. The EDPB and EDPS instead suggest linking "abuse of rights" to the existence of an abusive intention (e.g. evident intention to cause harm to the controller).
4. Transparency – simplification in principle, but clearer criteria needed
Digital Omnibus Proposal: The EC proposed that information duties may be waived where three cumulative conditions are met: (i) the controller–data subject relationship is direct and clear; (ii) the processing is not data-intensive; and (iii) it is reasonable to assume that the data subject is already aware of the relevant information.
Opinion of the EDPB & EDPS: Reducing information obligations, particularly for SMEs, is an aim the EDPB and EDPS support in principle. However, the current drafting is too vague to achieve it reliably, and risks creating interpretive fragmentation.
5. Automated decision-making – prohibition in principle must be retained
Digital Omnibus Proposal: The EC proposed clarifying that a decision may be automated if it is necessary for performing the contract, even if a human could theoretically have taken the same decision.
Opinion of the EDPB & EDPS: They are concerned that the proposed changes risk softening the prohibition on automated decision-making. Their recommendation is to retain clear language reflecting a prohibition in principle, with defined exceptions, and to make explicit that individuals retain a right to invoke Article 22 GDPR themselves.
6. Data breach notifications – broad support
Digital Omnibus Proposal: The EC proposed raising the notification threshold so that only breaches likely to result in a high risk to individuals trigger a reporting obligation. The deadline for notification would be extended from 72 to 96 hours, notifications would be channelled through a single point of contact, and a harmonised notification template would be introduced with the aim of better aligning the GDPR with NIS2 and DORA.
Opinion of the EDPB & EDPS: This is one of the areas where the EDPB and the EDPS are most supportive. However, the EDPB should be fully entrusted with both the preparation and approval of such templates and lists.
7. DPIA – harmonisation welcomed, but governance must lie with the EDPB
Digital Omnibus Proposal: The EC proposed replacing the current patchwork of national DPIA lists with a single, harmonised EU-wide framework, to be prepared by the EDPB and adopted by the Commission.
Opinion of the EDPB & EDPS: The move towards harmonisation is broadly welcomed. The main concern is one of governance: the proposal gives the EC the power to unilaterally modify the lists prepared by the EDPB, and the EDPB and EDPS consider this inappropriate. They recommend that the EDPB be exclusively responsible for both preparing and approving the lists.
8. ePrivacy / cookie rules – welcome aim, legal uncertainty flagged
Digital Omnibus Proposal: The EC proposed integrating cookie and terminal equipment rules currently governed by the ePrivacy Directive directly into the GDPR framework, with new consent exemptions for low-risk purposes and standards for interpreting machine-readable signals.
Opinion of the EDPB & EDPS: They strongly welcome the underlying aim of reducing consent fatigue and cutting down the proliferation of cookie banners. However, they flag that splitting terminal equipment rules across two legal instruments could introduce new legal uncertainty rather than remove it. They also propose an explicit consent exemption for contextual advertising.
9. AI & legitimate interests – not strictly necessary, but workable if improved
Digital Omnibus Proposal: The EC proposed explicitly recognising AI development and operation as a legitimate interest under Article 6(1)(f) GDPR, provided there are no overriding rights or interests and that an unconditional right to opt out for data subjects is foreseen.
Opinion of the EDPB & EDPS: As the EDPB has already explicitly confirmed in its Opinion 28/2024 on AI models, it does not appear necessary to insert a specific provision to this effect in the GDPR. The Joint Opinion nevertheless provides specific suggestions, including on the legitimate interest assessment and on the right to object.
Next steps
The Digital Omnibus Proposal is now in the hands of the European Parliament and the Council. Amendments are expected, particularly on the definition of personal data, which has drawn the strongest opposition from both the EDPB and the EDPS. The European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE) is expected to play a central role in shaping the final text, and early indications suggest that several Member States share the data protection authorities' concerns regarding any narrowing of the GDPR's material scope. Adoption of the final text is envisaged in 2026, with an entry into force anticipated in 2027–2028.
Organisations should monitor these legislative developments closely, as the outcome will have direct implications for compliance strategies, particularly in relation to data categorisation, AI training practices, and cookie consent mechanisms.
Authors (Lydian):
- Bastiaan Bruyndonckx
- Olivia Santantonio
- Liese Kuyken
- Ines Nibakuze
