EDPB and EDPS publish Joint Opinion on the Digital Omnibus Proposal

On February 10, 2026, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) adopted their Joint Opinion 2/2026 on the Digital Omnibus Proposal, put forward the European Commission on November 19, 2025. This proposal amends a large body of European Union (“EU”) digital legislation, including the General Data Protection Regulation (“GDPR”), the Data Protection Regulation for EU institutions, bodies, offices and agencies, the ePrivacy Directive, the Data Act, the Data Governance Ac, the NIS 2 Directive, and the Single Digital Gateway Regulation. We previously summarized the main developments proposed by this legislative initiative in a blog post.

Aspects supported

The EDPB and the EDPS support the proposal’s aim of improving the application of digital rules, simplifying compliance, strengthening the effective exercise of individual rights, and boosting competitiveness. They particularly support the parts of the proposal that foster greater harmonization, consistency, and legal certainty, as well as those that reduce unnecessary administrative burdens.

They welcome the following changes:

Regarding scientific research, the EDPB and the EDPS welcome the introduction of a harmonized definition of “scientific research” under the GDPR, as this can increase legal certainty and support research activity. They also support the clarification that Article 6(4) of the GDPR does not need to be applied in this context, as well as the new (limited) exemption from the duty to inform.

Regarding biometric data processing, they welcome the new exception enabling the processing of special categories of data for biometric authentication, provided the verification mechanism remains under the individual’s sole control.

Regarding security breach notifications, the EDPB and the EDPS support increasing the mandatory notification threshold for notifying the supervisory authorities, so that only breaches considered to pose a high risk to the rights and freedoms of data subjects need to be reported. They also support extending the deadline for notifying a data breach from 72 to 96 hours and creating common templates and lists of circumstances requiring notification.

Regarding data protection impact assessments (“DPIA”), the EDPB and the EDPS support EU-level harmonization of lists of processing activities requiring a DPIA, as well as the creation of common templates and methodologies.

Regarding the ePrivacy Directive, both bodies strongly support the aim of providing for a regulatory solution to address consent fatigue and the proliferation of cookie banners, and of simplifying the rules applicable to the protection of end-users’ terminal equipment. They also welcome the requirements for the use of automated and machine-readable indications of data subjects’ preferences.

Regarding the data acquis, the EDPB and the EDPS welcome the integration of the Data Governance Act and Open Data Directive rules on the re-use of data and documents held by public sector bodies into the Data Act, which will simplify regulatory compliance, while also making some recommendations on specific issues to ensure the security of personal data. In particular, with regard to intermediation services and data altruism organizations, the EDPB and the EDPS set out recommendations to ensure that access to data is carried out in accordance with the applicable principles and requirements.

Areas of concern

The Joint Opinion also expresses concern over certain proposed changes that may negatively affect the level of protection enjoyed by individuals, create legal uncertainty, and make it difficult to apply the rules in practice.

The main objection concerns the proposed changes to the definition of personal data. The EDPB and the EDPS emphasize that the definition of personal data lies at the very core of EU data protection law, including Article 8 of the Charter of Fundamental Rights of the EU (“CFREU”) and Article 16 of the Treaty on the Functioning of the EU (“TFUE”). They consider thtat the proposed changes would significantly narrow the concept of personal data and adversely affect the fundamental right to data protection. Therefore, the EDPB and the EDPS strongly urge the co-legislators to not adopt the proposed changes to the definition of personal data.

Regarding implementing acts on pseudonymization, the EDPB and the EDPS express concern because the proposal enables specification—through implementing acts—of the means and criteria for determining when pseudonymized data ceases to be personal data. They consider that the delineation of what constitutes (and what does not constitute) personal data directly affects the scope of application of EU data protection law and must not be addressed through an implementing act. Therefore, they suggest deleting proposed Article 41(a) from the GDPR.

Regarding the separation of rules protecting terminal equipment, the EDPB and the EDPS warn that the proposed separation of rules on access to and storage of information in terminal equipment across different legal instruments may lead to legal uncertainty.

Regarding limitations on the right of access, although they support clarifying what qualifies as an abuse of rights, they believe that this clarification should not be linked to the exercise of the right of access for purposes other than data protection, as the GDPR also protects other fundamental rights and freedoms.

Regarding automated individual decision-making, the EDPB and the EDPS believe the prohibition in principle, as clarified by the Court of Justice of the EU, should be retained using appropriate language to reflect that Article 22(1) of the GDPR establishes a prohibition subject to with exceptions under specific conditions.

Regarding data intermediation services, the EDPB and the EDPS recommend maintaining a mandatory prior registration requirement, or at least requiring prior registration when the intended data intermediation services involve processing personal data that is likely to result in a high risk to the rights and freedoms of individuals.

Final Assessment

The EDPB and the EDPS regret that the proposal was not accompanied by a full impact assessment and consider that insufficient attention was paid to the adverse effects of certain proposed changes on the protection of individual’s fundamental rights and freedoms of individuals. They emphasize the importance of the proposed simplifications in clarifying obligations and providing legal certainty, while maintaining trust and a high level of protection of fundamental rights and freedoms.