The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a Joint Opinion on the Digital Omnibus Regulation proposal. The proposal aims to simplify the EU’s digital regulatory framework, reduce administrative burdens and enhance the competitiveness of European organisations. The joint opinion examines how the proposal would affect the GDPR, the EU Data Protection Regulation (EUDPR), the ePrivacy Directive and the wider data legislation (the “Data Acquis”).
The EDPB and EDPS have assessed if the proposal genuinely simplifies compliance, improves legal certainty, and protects individuals’ fundamental rights.
GDPR and EUDPR changes
Serious concerns
The EDPB and EDPS have raised strong objections to certain proposals. In their view, some changes would weaken protection for individuals, create uncertainty and make data protection rules harder to apply in practice.
In particular, they urge the co-legislators to reject the proposed changes to the definition of personal data. They argue that these go well beyond a technical amendment, do not accurately reflect EU case law, and would significantly narrow what counts as personal data. They also oppose giving the Commission power to decide, via implementing acts, what data ceases to be personal data after pseudonymisation, as this would affect the very scope of EU data protection law.
Positive developments
The EDPB and EDPS welcome several aspects of the proposal:
- Raising the risk threshold that triggers mandatory breach notification to national data protection authorities (DPAs) and extending the notification deadline—this would reduce administrative burden without compromising data protection.
- Introducing common templates and checklists for data breach notifications and data protection impact assessments.
- Creating a new exception allowing biometric authentication where verification tools remain under the individual’s sole control.
- Harmonising the definition of “scientific research” to improve legal certainty.
Areas requiring refinement
The EDPB and EDPS have flagged several provisions that need adjustment:
- Legitimate interest and AI: They do not believe a specific GDPR provision is needed to confirm that legitimate interest can be a lawful basis for developing and deploying AI models, as this is already covered by existing guidance.
- Sensitive data and AI: The proposal to allow incidental processing of special category data in AI development is welcomed in principle, but clearer scope and safeguards throughout the AI lifecycle are needed.
- Abuse of rights: The regulators agree that clarity is needed where data subjects abuse their rights. However, they caution that using access rights for purposes beyond personal data protection should not automatically constitute abuse.
- Transparency exemptions: Simplifying information requirements, particularly for SMEs, is supported. However, clearer rules are needed to ensure individuals can still obtain essential information about their data.
- Automated decision-making: The proposed changes to rules on automated individual decisions need clarification to be both meaningful and legally sound.
ePrivacy Directive changes
The EDPB and EDPS strongly support efforts to tackle “consent fatigue” and reduce the burden of cookie banners. They endorse the proposed use of automated, machine-readable signals to indicate individuals’ choices about their data, which should simplify compliance and empower users. They also welcome new limited exceptions to the general ban on storing or accessing personal data on users’ devices. In addition, they encourage the co-legislators to incentivise contextual advertising (based on page content) over behavioural advertising (based on user tracking), with appropriate safeguards. Oversight of these matters by DPAs is welcomed. However, the regulators highlight practical difficulties arising from having different rules for personal and non-personal data.
Data Acquis changes
The EDPB and EDPS support consolidating the Data Governance Act and Open Data Directive provisions on re-use of public sector data into the Data Act. However, they stress that any reforms should preserve the current position that public bodies are not obliged to allow re-use, and the rules do not create a legal basis for granting access. On public emergencies, the regulators recommend that personal data should only be shared with public bodies in pseudonymised form where anonymous data is insufficient. For data intermediation services and data altruism organisations, they emphasise the need for trustworthy and responsible data sharing, with strong safeguards, transparency and oversight. The regulators also recommend:
- Streamlining enforcement provisions, including enabling cross-regulatory information exchange with DPAs.
- Confirming the European Data Innovation Board’s role in supporting consistent application of the Data Act.
- Empowering the Commission to issue guidance on any Data Act topic, with input from the EDPB and assistance from the EDIB.
