EU Data Watchdogs Back Digital Omnibus Simplification but Push Back on Redefining Personal Data

Key Takeaways
  • Strong Opposition to Redefining Personal Data: The European Data Protection Board and the European Data Protection Supervisor urged lawmakers not to adopt proposed changes to the definition of personal data, warning they would narrow protections and conflict with Court of Justice of the European Union case law.
  • Support for Targeted Simplification: The two bodies backed raising the data breach notification risk threshold, extending reporting deadlines, and introducing common templates, saying these steps would reduce administrative burden without weakening protections.
  • Conditional Support for AI-Related Derogations: While welcoming a proposed derogation for incidental processing of sensitive data in AI systems, they called for clearer scope and lifecycle safeguards. They also said no new GDPR provision is needed on legitimate interest for AI.
  • Backing Action on Cookie Fatigue: The authorities supported efforts to address consent fatigue under the ePrivacy framework, including machine-readable user preferences, and encouraged incentives for contextual advertising over behavioral advertising.
  • Caution on Data Act and Public Sector Data Reuse: While supporting integration of the data acquis into the Data Act, they recommended preserving clarity around public sector reuse rules and limiting emergency data sharing to pseudonymised data where anonymity is insufficient.
Deep Dive

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have thrown their weight behind efforts to simplify the European Union’s digital rulebook, while drawing a firm red line around proposed changes to the definition of personal data.

In a Joint Opinion, the two bodies assessed the European Commission’s proposed Digital Omnibus Regulation, a sweeping legislative package designed to streamline EU digital laws, reduce administrative burdens, and enhance the competitiveness of European organizations.

The proposal, first adopted by the Commission on 19 November 2025, would amend a broad range of digital legislation, including the General Data Protection Regulation (GDPR), the ePrivacy Directive, the Data Act, and other elements of the so-called “data acquis.” The Commission formally consulted the EDPB and the EDPS on 25 November 2025, and requested their opinion on aspects affecting the GDPR, the EUDPR, the ePrivacy Directive, and the Data Acquis.

At the core of the Joint Opinion is a balancing act familiar to compliance and privacy professionals: cutting red tape without cutting into fundamental rights.

A Line Drawn Around the Definition of Personal Data

The most forceful criticism from the EDPB and the EDPS concerns proposed amendments to the definition of personal data under the GDPR and the EUDPR.

Both bodies “strongly urge the co-legislators not to adopt” the proposed changes, arguing that they go far beyond a technical adjustment and risk significantly narrowing the concept of personal data. According to the Joint Opinion, the amendments do not accurately reflect the jurisprudence of the Court of Justice of the European Union and would create legal uncertainty.

The two authorities also object to the idea that the European Commission could be empowered, through implementing acts, to determine what no longer qualifies as personal data following pseudonymization. In their view, such a move would directly affect the scope of application of EU data protection law and therefore should not be delegated in that way.

“Simplification is essential to cut red tape and strengthen EU competitiveness but not at the expense of fundamental rights,” said EDPB Chair Anu Talus. “We welcome the Commission’s steps toward greater harmonization, consistency, and legal certainty. However, we strongly urge the co-legislators not to adopt the proposed changes in the definition of personal data, as they risk significantly weakening individual data protection.”

European Data Protection Supervisor Wojciech Wiewiórowski echoed those concerns, warning that the proposed changes are “not in line with the Court’s case law” and would significantly narrow the concept of personal data. He added that any changes to the GDPR and the EUDPR must clarify obligations and strengthen legal certainty while maintaining trust and a high level of protection of individual rights and freedoms.

Relief on Breach Notifications and Biometric Authentication

Not all elements of the Digital Omnibus proposal drew criticism. The EDPB and the EDPS endorsed several changes aimed at easing compliance burdens without undermining protections.

They support raising the risk threshold that triggers the obligation to notify a data breach to a competent Data Protection Authority and extending the deadline for such notification. According to the Joint Opinion, these changes would significantly reduce administrative burden for organizations while maintaining the protection of individuals’ personal data.

The introduction of common templates and lists for data breach notifications and data protection impact assessments was also described as a positive step.

The two bodies further welcomed a proposed new derogation allowing the processing of special categories of data for biometric authentication, provided that the verification means remain under the individual’s sole control.

They also expressed support for harmonizing the notion of “scientific research,” arguing that this and related changes would enhance legal certainty and promote greater consistency across the Union.

AI, Legitimate Interest, and Sensitive Data

The Joint Opinion also addresses provisions linked to artificial intelligence and automated decision-making.

Referring to its earlier Opinion 28/2024 on AI models, the EDPB noted that legitimate interest may, in certain circumstances, serve as a legal basis for the development and deployment of AI models or systems. As a result, the EDPB and the EDPS do not consider it necessary to introduce a specific provision in the GDPR to that effect.

The two authorities welcomed the proposal to introduce a specific derogation from the prohibition on processing sensitive data in the context of AI systems, particularly where such processing is incidental and residual. However, they recommended clarifying the scope of the derogation and ensuring safeguards apply throughout the entire lifecycle of AI systems.

They also supported the Commission’s aim of clarifying how controllers should respond in cases of abuse of rights by data subjects. At the same time, they cautioned that exercising the right of access for purposes other than the protection of personal data should not automatically be considered abusive.

On proposed changes to transparency obligations, the EDPB and the EDPS backed efforts to simplify information requirements and reduce burdens, especially for small and medium-sized enterprises, but called for clearer drafting to ensure individuals continue to receive relevant information when necessary.

Proposed amendments to rules on automated individual decision-making were described as requiring further clarification to ensure they are meaningful and legally sound.

Tackling Consent Fatigue in ePrivacy

Turning to the ePrivacy Directive, the EDPB and the EDPS strongly supported the objective of addressing consent fatigue and the proliferation of cookie banners.

They endorsed proposals to enable automated and machine-readable indications of individuals’ choices regarding the processing of their data, arguing that technical solutions could simplify compliance for controllers and make user preferences more effective online.

They also welcomed limited additional derogations to the general prohibition on storing or accessing data on terminal equipment. In addition, they encouraged co-legislators to incentivise contextual advertising over behavioral advertising by introducing a specific exception surrounded by safeguards.

The Joint Opinion notes positively that oversight in this area would be entrusted to Data Protection Authorities.

At the same time, the two bodies flagged legal and technical difficulties arising from the co-existence of separate regimes for personal and non-personal data. They called for further measures to enhance legal certainty, minimize risks, and foster responsible innovation.

Integrating the Data Acquis into the Data Act

A significant part of the Digital Omnibus proposal concerns the “data acquis,” including the planned repeal of the Data Governance Act, the Open Data Directive, and the Free Flow of Non-Personal Data Regulation, with relevant provisions to be integrated into the Data Act.

The EDPB and the EDPS expressed support for this simplification effort, particularly the integration of rules on the re-use of public sector data into the Data Act.

However, they recommended maintaining the clarity of the current framework, which neither obliges public sector bodies to permit re-use nor provides a standalone legal basis for granting access.

In cases of public emergencies, the two authorities advised that personal data should be shared only in pseudonymised form with public sector bodies where anonymous data is insufficient.

They also emphasized the importance of trustworthy and responsible data sharing in relation to data intermediation services and data altruism organisations, recommending that specific safeguards, transparency, and oversight be maintained.

On enforcement, the EDPB and the EDPS called for further streamlining, including enabling cross-regulatory exchanges of information and clarifying the role of Data Protection Authorities in enforcing the Data Act.

They welcomed the confirmation of the European Data Innovation Board’s role in supporting the consistent application of the Data Act and recommended empowering the Commission to issue guidelines on any topic under the Data Act, with assistance from the Board and the EDPB.

Simplification Without Erosion

For organizations navigating the EU’s expanding digital regulatory landscape, the Joint Opinion offers both reassurance and warning.

The EDPB and the EDPS have made clear that they support efforts to harmonize rules, reduce duplicative processes, and provide greater legal certainty. At the same time, they have signaled that competitiveness cannot come at the expense of the core concept underpinning EU data protection law, a broad and protective understanding of personal data.

As the Digital Omnibus proposal moves through the legislative process, that tension between simplification and safeguarding fundamental rights is likely to define the debate.
