
The Digital Omnibus: GDPR Update

This publication is a follow-up to our e-zine, "The Digital Omnibus: A Quick Glance at the GDPR Impact" (27 November 2025), in which we analysed the key proposed GDPR amendments introduced by the European Commission's Digital Omnibus Proposal.

Recap: Where we left off

On 19 November 2025, the European Commission (EC) released the Digital Omnibus Proposal as part of its comprehensive 2024–2029 legislative simplification agenda, aiming to streamline the EU's digital regulatory framework, alleviate administrative burdens, and enhance competitiveness. The proposal was introduced following a contentious pre-adoption period, during which the leak of an internal draft prompted significant debate among academics, civil society representatives, and industry stakeholders regarding the potential reopening of the GDPR.

The proposal has since continued to generate controversy and the EU's two main data protection authorities have now weighed in.

The EDPB and EDPS Joint Opinion: What did they say?

On 10 February 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) jointly adopted EDPB-EDPS Joint Opinion 2/2026 on the Digital Omnibus Proposal. The opinion is a wide-ranging assessment of the proposed GDPR and ePrivacy amendments. The overall message is one of conditional support: the authorities welcome certain simplification measures but express serious reservations and in some cases firm opposition to others.

Below is a theme-by-theme breakdown of their position on the key GDPR amendments we covered in our previous e-zine.

 

1    DEFINITION OF PERSONAL DATA - A RED LINE

Digital Omnibus Proposal: The EC proposed introducing an entity-relative identifiability standard: information would not qualify as personal data in relation to a given entity if that entity cannot reasonably identify the data subject. This was presented as a targeted clarification to facilitate data sharing and pseudonymisation practices.

Opinion of the EDPB & EDPS: negative

This is the point on which the EDPB and EDPS take their strongest stance. The proposed changes to the definition of personal data would, in the EDPB and EDPS's view, narrow the concept in a way that goes far beyond a technical amendment or a codification of case law of the European Court of Justice (ECJ).

For these reasons, the EDPB and the EDPS strongly urge the co-legislators to not adopt the proposed changes to the definition of personal data. Their concern is not merely theoretical. A narrowed definition risks inviting controllers to engineer structures that place them outside the GDPR's reach, for instance by outsourcing certain activities specifically to avoid meaningful accountability — while individuals' data remains exposed. 

The EDPB and the EDPS consider that the proposed changes would result in significantly narrowing the concept of personal data, thereby adversely affecting the fundamental right to data protection, and may induce controllers to seek loopholes in the data protection regime and try to circumvent the application of the GDPR. 

 

2    SENSITIVE DATA – BIOMETRIC EXCEPTION WELCOMED, AI EXEMPTION REQUIRES IMPROVEMENTS

Digital Omnibus Proposal: The EC proposed adding two new exemptions to Article 9 GDPR. Firstly, biometric data may be processed for verification purposes where both the biometric data and the verification mechanisms remain exclusively under the data subject's control (e.g. secure on-device authentication). Secondly, AI developers may process incidentally encountered sensitive data during AI training operations, provided robust mitigation measures are in place.

Opinion of the EDPB & EDPS: 

The EDPB and the EDPS welcome the new exception for the processing of special categories of data for biometric authentication, where the verification means are under the individual's sole control.

As for the proposed exemption covering residual AI processing of sensitive data, the EDPB and EDPS acknowledge the practical reality that when training AI systems, it is not always possible to avoid incidental exposure to sensitive data. However, they recommend several improvements, such as referring to 'incidental and residual' in the enacting terms, clarifying the scope of the derogation, and ensuring safeguards throughout the whole lifecycle.

 

3    DSARS - CLARIFICATION WELCOME, BUT SCOPE OF REFORM MUST BE NARROWED

Digital Omnibus Proposal: The EC proposed clarifying that, in addition to the existing ability under the GDPR for controllers to refuse or charge a reasonable fee for data subject access requests that are manifestly unfounded or excessive, such requests may also be refused or subject to a reasonable fee where they are used or abused for purposes other than data protection. Controllers would continue to bear the burden of proving that a request meets that threshold.

Opinion of the EDPB & EDPS: 

According to the EDPB and the EDPS, clarifying what qualifies as an abuse of rights is welcomed, but it should not be linked to the exercise of the right to access for purposes other than data protection, as the GDPR also aims to protect other fundamental rights and freedoms. In addition, the CJEU has already confirmed that data subjects may exercise their right of access without having to justify their reasons. Tying refusal rights to the requestor's motivation would cut across settled case law.

The EDPB and EDPS instead suggest linking “abuse of rights” to the existence of an abusive intention (e.g. evident intention to cause harm to the controller). This is a deliberately high bar: it is not enough that a request is inconvenient, broad, or motivated by litigation strategy; there must be a demonstrable intent to harm.

On the practicalities of what counts as "excessive", the EDPB and EDPS recommend removing the suggestion in the proposed Recital that "overly broad and undifferentiated requests should be regarded as excessive," as that would run counter to the very purpose of the right of access, which is to enable data subjects to be aware of the processing concerning them. Where a request is very broad, the existing GDPR framework already allows controllers to ask the data subject to specify the information or processing activities concerned. If a request appears manifestly unfounded, the data subject should first be given the opportunity to further specify their request before it is rejected.

 

4    TRANSPARENCY – SIMPLIFICATION IN PRINCIPLE, BUT CLEARER CRITERIA NEEDED

Digital Omnibus Proposal: The EC proposed that information duties may be waived where three cumulative conditions are met: (i) the controller–data subject relationship is direct and clear; (ii) the processing is not data-intensive; and (iii) it is reasonable to assume that the data subject is already aware of the relevant information. This limited information obligation is subject to carve-outs (including third-country transfers, onward disclosures, automated decision making and high-risk).

Opinion of the EDPB & EDPS: 

Reducing information obligations, particularly for SMEs, is an aim the EDPB and EDPS support in principle. However, in their opinion, the current drafting is too vague to achieve it reliably, and risks creating interpretive fragmentation.

 

5    AUTOMATED DECISION-MAKING — PROHIBITION IN PRINCIPLE MUST BE RETAINED

Digital Omnibus Proposal: Under the current framework, automated decision-making is only permitted where it is strictly necessary for performing a contract, and authorities have historically interpreted this narrowly. The EC proposed clarifying that a decision may be automated if it is necessary for performing the contract, even if a human could theoretically have taken the same decision, thereby providing more room for AI-driven processes such as onboarding or credit scoring.

Opinion of the EDPB & EDPS: 

The EDPB and EDPS are concerned that the proposed changes risk softening the prohibition on automated decision-making. Under the current framework, automated decision-making is prohibited in principle and requires specific justification. The proposed changes would effectively turn this into a default permission whenever a contract is involved. Their recommendation is to retain clear language reflecting a prohibition in principle, with defined exceptions and to make explicit that individuals retain a right to invoke Article 22 GDPR themselves.

 

6    DATA BREACH NOTIFICATIONS - BROAD SUPPORT

Digital Omnibus Proposal: The EC proposed raising the notification threshold so that only breaches likely to result in a high risk to individuals trigger a reporting obligation (aligning it with the threshold already applicable for notifying data subjects). The deadline for notification would be extended from 72 to 96 hours, notifications would be channelled through a single point of contact, and a harmonised notification template would be introduced with the aim of better aligning the GDPR with NIS2 and DORA.

Opinion of the EDPB & EDPS: 

This is one of the areas where the EDPB and the EDPS are most supportive. The EDPB and the EDPS indeed welcome the proposed changes on data breach notifications and DPIAs, in particular increasing the notification threshold and extending the deadline, as well as establishing data breach notification and DPIA common templates and lists. However, the EDPB should be fully entrusted with both the preparation and approval of such documents.

 

7    DPIA – HARMONISATION WELCOMED, BUT GOVERNANCE MUST LIE WITH THE EDPB

Digital Omnibus Proposal: The EC proposed replacing the current patchwork of national DPIA lists with a single, harmonised EU-wide framework, to be prepared by the EDPB and adopted by the Commission.

Opinion of the EDPB & EDPS: 

The move towards harmonisation is broadly welcomed: a single EU framework is a genuine improvement over the current mosaic of national lists. The EDPB and EDPS's main concern is one of governance: the proposal gives the EC the power to unilaterally modify the lists prepared by the EDPB when adopting them by implementing act, and the EDPB and EDPS consider this inappropriate. They recommend that the EDPB be exclusively responsible for both preparing and approving the lists, as well as the common template and methodology.
 

8    EPRIVACY / COOKIE RULES - WELCOME AIM, LEGAL UNCERTAINTY FLAGGED

Digital Omnibus Proposal: The EC proposed integrating cookie and terminal equipment rules currently governed by the ePrivacy Directive directly into the GDPR framework. This would be accompanied by new consent exemptions for low-risk purposes and the establishment of standards for interpreting machine-readable signals expressing data subjects' choices, with the aim of reducing reliance on cookie banners and addressing consent fatigue.

Opinion of the EDPB & EDPS: 

The EDPB and the EDPS strongly welcome the underlying aim of reducing consent fatigue and cutting down the proliferation of cookie banners. However, they flag a structural concern: splitting terminal equipment rules across two legal instruments depending on whether personal or non-personal data is involved could introduce new legal uncertainty rather than remove it. They also propose a practical addition that industry is likely to welcome: an explicit consent exemption for contextual advertising (i.e., advertising based on the user's current page visit or search query, with no retention or cross-site tracking).
 

9    AI & LEGITIMATE INTERESTS - NOT STRICTLY NECESSARY, BUT WORKABLE IF IMPROVED

Digital Omnibus Proposal: The EC proposed explicitly recognising AI development and operation as a legitimate interest under Article 6(1)(f) GDPR, provided there are no overriding rights or interests (particularly for vulnerable individuals) and that enhanced safeguards are implemented and an unconditional right to opt out for data subjects is foreseen.

Opinion of the EDPB & EDPS: 

As the EDPB has already explicitly confirmed in its Opinion 28/2024 on AI models, it does not appear necessary to insert a specific provision to this effect in the GDPR. The Joint Opinion nevertheless provides specific suggestions, including on the legitimate interest assessment and on the right to object.

Next steps

The Digital Omnibus Proposal is now in the hands of the European Parliament and the Council. Amendments are expected, particularly on the definition of personal data, which has drawn the strongest opposition from both the EDPB and the EDPS. The European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE) is expected to play a central role in shaping the final text, and early indications suggest that several Member States share the data protection authorities' concerns regarding any narrowing of the GDPR's material scope. Adoption of the final text is envisaged in 2026, with an entry into force anticipated in 2027–2028.

Organisations should monitor these legislative developments closely, as the outcome will have direct implications for compliance strategies, particularly in relation to data categorisation, AI training practices, and cookie consent mechanisms.

Contact us

Our Lydian Information & Communication Technology (ICT) and Information Governance and Data Protection (Privacy) teams are available to assist you with any questions you may have regarding the latest developments in the field of data protection. Please feel free to reach out to us for further assistance.

Authors

  • Olivia Santantonio
    Partner
  • Liese Kuyken
    Senior Associate
  • Ines Nibakuze
    Associate