Digital Regulation

EDPB and EDPS release much-anticipated joint opinion on the EU Digital Omnibus

Published on 13th February 2026

Both EU data protection bodies criticise the definition of personal data and highlight areas for further specification and improvement 


This article was authored by Julia Kaufmann.

The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS), following the joint opinion on the Digital Omnibus on artificial intelligence (AI), have adopted their highly anticipated joint opinion on the simplification of the Union's digital legislative framework of the General Data Protection Regulation (GDPR), ePrivacy and data legislative acquis – the EU's body of rules and regulations.

Despite the general support by the EDPB and the EDPS of the broader objective of the Digital Omnibus package, the joint opinion published on 10 February identifies several areas where the EDPB and the EDPS request a re-evaluation of the proposed approach and further amendments to the Digital Omnibus relating to the GDPR, ePrivacy and data legislative acquis.

Amended definition of personal data criticised

The heaviest criticism by the EDPB and the EDPS with respect to the proposed amendments to the GDPR concerns the definition of personal data. Those amendments will – in their view – adversely affect the fundamental right to data protection for individuals and create legal uncertainties, as they would narrow the concept of personal data.

The amendments allegedly go far beyond a mere codification of the decisions of the Court of Justice of the European Union (CJEU) and are not merely of a technical nature. The EDPB and the EDPS have urged the legislative bodies in the EU not to adopt this proposed amendment. In particular, they consider the amendments to the definition as a selective codification of only a single element of a particular CJEU decision (C‑413/23 P - EDPS v SRB), thereby lacking the context and the specific characteristic of the underlying case.

Furthermore, the EDPB and the EDPS have argued that the amendments do not accurately reflect the CJEU’s position stated in EDPS v SRB. While preparing the updated guidance on pseudonymisation, the EDPB found that the application of the EDPS v SRB decision raised numerous practical and legal questions which require consideration of the rest of the body of CJEU case law. Those questions cannot, in their view, be appropriately addressed by an amendment of the definition of personal data in the GDPR. The EDPB’s guidelines would be a better way to solve this issue.

Subsequently, the EDPB and the EDPS have criticised the proposed article 41a of the GDPR that would empower the European Commission to adopt implementing acts to determine whether data resulting from pseudonymisation no longer constitute personal data for certain entities. It shall be the competence of the EDPB and the EDPS, not of the Commission, to ensure consistent application of the GDPR in this matter.

Scientific research

However, certain aspects of the Digital Omnibus have won the overarching support of both the EDPB and the EDPS. The joint opinion highlights that the EDPB and the EDPS welcome the introduction of a definition for scientific research. The clarification that article 6(4) of the GDPR does not need to be applied in the context of scientific research and the (limited) derogation to the duty to inform find their support as well.

In particular, the EDPB and the EDPS have welcomed the specification that scientific research should contribute to existing scientific knowledge or apply existing knowledge in novel ways, be carried out with the aim of contributing to the growth of society's general knowledge and wellbeing, and adhere to ethical standards in the relevant research area.

They note that the publication of the research results may contribute to this aim of contributing to the growth of society’s general knowledge and wellbeing. It is, however, unclear whether publication of the research result shall be a precondition for scientific research to benefit from the derogations. The EDPB and the EDPS seem to have taken the view that product research and development does not necessarily constitute scientific research within the meaning of the GDPR, which would limit the intended simplification efforts for many organizations.

Biometric authentication

Further, the new permission ground for the processing of special categories of data for biometric authentication, where the verification means are under the individual’s sole control, has also found full support from the EDPB and the EDPS.

Personal data breaches

The joint opinion also welcomes increasing the notification threshold to high-risk scenarios, extending the deadline for data breach notifications under the GDPR and establishing a data breach notification template and a list of circumstances for high-risk scenarios. These amendments are considered necessary given the reality.

However, companies that are subject to several notification obligations (for example, the GDPR and the Network and Information Security Directive 2 (NIS2)) could still face a short deadline of 24 hours under NIS2 and a longer deadline of 96 hours under GDPR. More harmonisation in this respect is recommended in the joint opinion.

Data protection impact assessments

The EDPB and the EDPS support the harmonisation efforts at EU level regarding a common European Economic Area (EEA) list on scenarios requiring a data protection impact assessment (DPIA).

However, the EDPB and the EDPS should be exclusively entrusted with such a list. This would remove the proposed right for the Commission to unilaterally modify the list. The preparation of a common template and methodology for conducting a DPIA is also welcomed to achieve simplification for organizations.

Processing of sensitive data in AI systems and models

Other aspects of the Digital Omnibus are considered to be in need of further specification and improvement, including the processing of sensitive data in AI systems and models. The EDPB and the EDPS acknowledge that when data is collected for the training, testing and validation of certain AI systems or models, it is not always possible to avoid residual and incidental processing of sensitive data, and they welcome the permission ground in the proposed article 9(2)(k).

However, they consider this permission ground not applicable where the processing of sensitive data is at the core and therefore necessary for the development or operation of an AI system. It shall only be the incidental and residual processing of sensitive data in this context that would be permitted by the proposed article 9(2)(k). They recommend several improvements to the required safeguards provided in the proposed article 9(5) of the GDPR.

Limitation to the right of access

The EDPB and the EDPS recommend further clarification on what qualifies as an abuse of right. It should be clarified that the right of access for purposes of protecting other fundamental rights is not limited by the amendment, as the GDPR aims to protect such other fundamental rights as well. They would also like to see those amendments mirrored in article 57(4) of the GDPR to expand the supervisory authorities’ ability to refuse to act under the same conditions.

Exception for transparency obligations

Even though the EDPS and the EDPB welcome simplification efforts for small to medium-sized enterprises, the proposed exception to transparency obligations requires in their view further clarification to ensure legal certainty, effectively reduce the burden, and ensure that individuals may still receive information.

Automated individual decision-making

The EDPS and the EDPB also welcome the aim of clarifying the exceptions in which automated individual decision-making shall be allowed. However, they recommend further specifications. They also object to the restructuring of article 20 of the GDPR as the general prohibition of automated individual decision-making shall in their view be retained.

Legitimate interest in the context of AI

The EDPB and the EDPS consider this change unnecessary given the existing Opinion 28/2024 of the EDPB on AI models. The EDPB in this opinion has already confirmed that processing of personal data for AI development is a legitimate interest of the data controller, as the first step of the three-step legitimate interest test. However, they support the specific suggestions, including on the legitimate interest assessment and on the right to object, and recommend further clarifications.

Cookie rules

The EDPB and the EDPS strongly support the aim of the Digital Omnibus to simplify the cookie rules and to provide for a regulatory solution to address consent fatigue and proliferation of cookie banners as well as to empower the data protection authority with the oversight of the new cookie rules.

However, they contend that the proposed additional derogations from the consent requirement should be further specified. Also, the proposed separation of the cookie rules over different legal instruments (that is, GDPR when personal data is affected and ePrivacy Directive when non-personal data is affected) may lead to legal uncertainty. The joint opinion points out that the derogation from the consent requirement when cookies (and similar technology) are required for "providing a service explicitly requested by the data subject" differs from the currently existing derogation in article 5(3) of the ePrivacy Directive which refers more narrowly to an “information society service”.

The data legislative acquis

On the data legislative acquis, the EDPB and the EDPS welcome the integration of the Data Governance Act and Open Data Directive into the Data Act, which will simplify compliance and the application of the rules.

However, in relation to access granted by public bodies for re-use, the EDPB and the EDPS recommend amendments on certain aspects. Those recommendations include maintaining the provisions clarifying that the legal framework does not in itself create any obligation on public sector bodies to allow reuse of personal data and does not provide a legal basis for granting access, as well as clarifying that personal data can be shared with public sector bodies in case of public emergencies in pseudonymised form only where anonymous data is insufficient.

Specific safeguards, favouring transparency and oversight should also be maintained for data intermediation services. The responsibilities and competences of supervisory authorities in terms of monitoring and enforcing the Data Act should be clarified.

What comes next

While the EDPB and the EDPS have issued their two joint opinions on the Digital Omnibus package, the EU legislative bodies are forming their opinion on the Digital Omnibus package as well. The Council has recently issued their feedback on the Digital Omnibus on AI, and the European Parliament has determined the four committees that are reviewing the Digital Omnibus package, including the co-rapporteurs for each committee. Official opinions and statements by the EU legislative bodies are expected in the near future, including information on whether and to what extent they may agree with the joint opinion of the EDPB and the EDPS.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
