The EDPB and EDPS joint opinion on the Digital Omnibus supports the European Commission’s goal of simplifying EU digital rules and strengthening competitiveness. However, it firmly opposes proposed changes to the GDPR definition of personal data, warning that such amendments could narrow the scope of EU data protection law and weaken established case law. This tension between simplification and structural change lies at the heart of the current policy debate.
Adopted on 10 February 2026 by the European Data Protection Board and the European Data Protection Supervisor, the opinion is both pragmatic and cautious. It welcomes targeted reforms but draws a clear line where fundamental concepts are concerned.
What the EDPB and EDPS Joint Opinion on the Digital Omnibus Supports
The EDPB and EDPS joint opinion on the Digital Omnibus does not reject reform. On the contrary, it endorses several measures aimed at improving clarity and reducing unnecessary burden. In particular, the supervisory authorities support:
- Adjustments to data breach notification rules
- Clarifications regarding Data Protection Impact Assessments (DPIAs)
- Provisions facilitating processing for scientific research
- Lawful use of biometric data in identity verification
- Efforts to reduce cookie banner fatigue under the ePrivacy framework
These changes aim to optimise the application of the digital rulebook. They also seek to improve harmonisation and legal certainty across Member States.
From a policy perspective, this reflects realism. Compliance can be simplified without lowering protection standards.
The Core Disagreement: Redefining Personal Data
The real friction identified in the EDPB and EDPS joint opinion on the Digital Omnibus concerns the proposed amendment to Article 4(1) GDPR.
The Commission suggests clarifying that information should not be considered personal data for an entity if that entity cannot reasonably identify the individual concerned, even if another entity could. At first glance, this appears technical. However, the supervisory authorities view it as structural.
According to the joint opinion, redefining personal data in this way risks narrowing its scope and departing from established CJEU case law. The opinion also criticises defining personal data by describing what it is not. In their view, that approach could increase legal uncertainty.
Furthermore, the EDPB and EDPS oppose empowering the Commission, via implementing acts, to determine when pseudonymized data ceases to qualify as personal data. Such a decision directly affects the scope of EU data protection law. This is not a minor drafting issue. It concerns the gateway to the GDPR itself.
Why This Debate Matters for Pseudonymization and AI
The EDPB and EDPS joint opinion on the Digital Omnibus comes at a sensitive moment. The EDPB is updating guidance on pseudonymization, while businesses are navigating interactions between the GDPR, the Data Act and AI regulation.
If personal data becomes more entity-specific, several practical questions arise:
- Will cross-border enforcement remain consistent?
- Could supervisory authorities interpret identifiability differently?
- How will organisations manage conflicts between GDPR obligations and Data Act data-sharing requirements?
- Will anonymisation become more flexible, or more uncertain?
The joint opinion also raises concerns about:
- Legitimate interest as a basis for AI model training
- Automated decision-making safeguards
- Incidental processing of special categories of data
- Fragmentation between GDPR and ePrivacy instruments
Therefore, the issue is not theoretical. It directly affects innovation, compliance design and enforcement coherence.
Simplification Versus Structural Shift
The Commission’s Digital Omnibus aims to modernise and streamline EU digital regulation. That objective is understandable. Businesses need predictability and coherence. However, the EDPB and EDPS joint opinion on the Digital Omnibus highlights a critical distinction. Simplifying procedures is not the same as redefining core legal concepts.
The definition of personal data determines when the GDPR applies. Changing that definition means altering the scope of the entire regulatory framework. This is a strategic choice. A more contextual definition may provide flexibility. Yet it could also introduce fragmentation if different actors assess identifiability differently. The policy question is therefore clear: can Europe modernise its digital rulebook while preserving a stable and uniform concept of personal data?
The Broader Implications
The EDPB and EDPS joint opinion on the Digital Omnibus signals support for competitiveness and innovation. At the same time, it insists on maintaining trust and a high level of protection for fundamental rights. Trust remains the foundation of EU data governance.
If simplification reduces red tape while preserving legal certainty, it strengthens the system. If structural redefinitions create grey zones, they may generate new forms of uncertainty. The coming legislative negotiations will determine whether the Omnibus remains a technical optimisation exercise or becomes a deeper recalibration of EU data protection architecture. Either way, the debate over the EDPB and EDPS joint opinion on the Digital Omnibus marks a pivotal moment in the evolution of the GDPR.
On a similar topic, you can read the article “AI Training Based on Legitimate Interest: Is the Digital Omnibus Proposal Enough?”.

