The EDPB and EDPS recently published their highly anticipated Joint Opinion 2/2026 (“the Opinion”) on the draft Digital Omnibus Regulation (“the Proposal”). The Proposal, which was published by the European Commission on 19 November 2025, seeks to amend the GDPR, EUDPR, ePrivacy Directive and NIS2. It also proposes incorporating and consolidating relevant provisions of the Free Flow of Non-Personal Data Regulation, the Open Data Directive and the Data Governance Act into the Data Act and repealing the former acts (previously discussed here).
The Opinion supports the Proposal’s aim to simplify compliance with the EU digital rulebook and boost EU competitiveness. These goals echo the Helsinki Statement, where the EDPB committed to take up initiatives facilitating GDPR compliance and strengthening consistency. However, the EDPB and EDPS raise concerns that certain proposals risk undermining the fundamental rights and freedoms of individuals and creating legal uncertainty. They also suggest certain improvements to the proposals, with a view to enhancing clarity and legal certainty.
This article provides an overview of the key concerns and recommendations provided by the EDPB and EDPS in their Opinion.
Part 1: GDPR amendments
Change to definition of “Personal Data”
The Proposal seeks to amend the definition of “personal data” in Article 4(1) GDPR to provide that information shall not be personal data under the GDPR for a given entity when that entity cannot identify the natural person to whom it relates, taking into account the means reasonably likely to be used by that entity. Furthermore, such information does not become personal data for that entity merely because a potential subsequent recipient has means reasonably likely to be used to identify the natural person to whom it relates. The proposed definition aims to codify the recent CJEU ruling in EDPS v SRB (Case C-413/23 P).
The EDPB and EDPS raise significant concerns in regard to this proposed amendment. In their opinion, it goes far beyond a targeted modification of the GDPR and codification of CJEU jurisprudence, and risks undermining the level of protection enjoyed by individuals, and creating legal uncertainty. They emphasise that the definition of personal data must be interpreted in light of the whole body of CJEU jurisprudence. A selective codification of that case-law, as contained in the Proposal, introducing only a single element from a single case, lacks the necessary context.
In addition, the EDPB and EDPS opine that the proposed change does not accurately reflect CJEU jurisprudence. They note that this is the case, in particular, in respect of the last sentence of the proposed new text which provides that “such information does not become personal for that entity merely because a potential subsequent recipient has means reasonably likely to be used to identify the natural person to whom the information relates”. They assert that in the EDPS v SRB judgment, the CJEU confirmed its previous jurisprudence, by recalling that otherwise impersonal data may become personal in nature when they are put at the disposal of a recipient (any recipient) with means reasonably likely to be used to identify a data subject. The CJEU confirmed that, in such cases, those data are personal data both for the recipient and, indirectly, for the entity making the data available to the latter.
For these reasons the EDPB and EDPS strongly urge the EU co-legislators not to adopt the proposed changes to the definition of personal data.
Whether data resulting from pseudonymisation constitutes personal data
A newly proposed Article 41a GDPR would empower the European Commission to adopt implementing acts specifying means and criteria to determine whether data resulting from pseudonymisation no longer constitutes personal data for certain entities. The EDPB and EDPS raise concerns that this proposal would directly affect the scope of the application of EU data protection law and should not be addressed in an implementing act of the European Commission. Rather it should be the competence of supervisory authorities, under the control of the competent courts, to apply the definitions of the GDPR in an independent manner.
Definition of scientific research
The Proposal provides for a definition of “scientific research”, clarification that further processing for scientific purposes is compatible with the initial purpose of processing, and clarification that the processing of personal data for scientific research purposes constitutes a legitimate interest within the meaning of Article 6(1)(f) GDPR. The EDPB and EDPS welcome these proposals and make some recommendations to further clarify them in the interests of legal certainty.
Exemption to allow the processing of biometric data
The EDPB and EDPS welcome the proposal to include a new exception in Article 9(2) GDPR for the processing of special categories of data for biometric authentication, where necessary for the purpose of confirming the claimed identity of a data subject, and where the verification means are under the individual’s sole control. The EDPB emphasise, however, that the processing of biometric data, even if it is merely for verification purposes, should only take place where it complies with the necessity and proportionality principles. Therefore, alternative methods not involving the processing of biometric data should be used when the purpose of the processing can be achieved through less intrusive verification methods. The EDPB and EDPS encourage the inclusion of these considerations in Recital 34 of the Proposal.
Use of legitimate interest in the context of AI
The Proposal seeks to introduce a new Article 88c GDPR which would explicitly recognise that a controller “may” rely on the “legitimate interests” legal basis under Article 6(1)(f) GDPR where the processing of personal data is necessary in the context of the development or operation of an AI system. The EDPB and EDPS do not view this amendment as necessary as the EDPB has already explicitly confirmed this in its Opinion 28/2024 on AI models. The Opinion nevertheless provides recommendations, including in respect of the three-step legitimate interests assessment, and on the right to object, should the EU co-legislators wish to proceed with this change. In addition, to ensure legal clarity, the Opinion recommends defining the term “operation” [of an AI system], as this term is neither defined in the GDPR nor the EU AI Act.
Residual processing of special categories of data in the context of AI
The Proposal seeks to introduce a new Article 9(2)(k) and 9(5) GDPR, permitting the incidental and residual processing of special category data for the development and operation of an AI system or AI model, subject to certain conditions, including appropriate and technical measures to avoid collecting special category data and removing such data.
The EDPB and EDPS acknowledge that when data is collected for the training, testing and validation of certain AI systems or models, it is not always possible for controllers to avoid residual and incidental processing of special categories of data. The Opinion, however, recommends several improvements, such as referring to “incidental and residual” in the enacting terms, clarifying the scope of the exception, and ensuring safeguards throughout the whole AI development lifecycle.
Limitation to the right of access
The Proposal seeks to allow controllers to refuse or charge a reasonable fee for “abusive” data access requests, on the ground that such requests constitute a “manifestly unreasonable or excessive” request under Article 12(5) GDPR. The EDPB and EDPS welcome this amendment. However, they raise concerns with the proposed wording as it links an abuse of data protection rights with exercising the right of access for purposes other than the protection of personal data. They note that the CJEU has confirmed that data subjects may legitimately exercise their right of access for objectives “other than that of becoming aware of the processing of data and verifying [its] lawfulness” (and without having to provide any particular motivation) (Case C-307/22). Accordingly, the EDPB and EDPS recommend that the notion of abusive access requests should instead be linked with the existence of an abusive intention (e.g. evident intention to cause harm to the controller).
In addition, the EDPB and EDPS reject the proposal to lower the burden of proof of controllers in respect to demonstrating the “excessive” character of an access request. They consider that the current threshold for the assessment of excessive requests should be maintained, in order to limit the possibility of misuse of Article 12(5) GDPR by controllers to refuse access requests.
Furthermore, the EDPB and EDPS note that Article 12(5) GDPR is currently mirrored in Article 57(4), and that this should be maintained, so that (under the latter provision) a supervisory authority should continue to be able to refuse to act on a complaint or to charge a reasonable fee under the same conditions as a controller can refuse to grant an access request, provided that their recommendations regarding Article 12(5) are duly taken into account.
New derogation for transparency
The Proposal seeks to modify Article 13(4) GDPR, in order to remove the obligation to inform data subjects (via a data privacy notice) about the processing of their personal data under Article 13 GDPR, in circumstances where there are reasonable grounds to assume that the data subject already has the information. The EDPB and EDPS welcome this proposal to the extent that it reduces the administrative burden on controllers, in particular for SMEs. However, they recommend certain clarifications to ensure legal certainty. In addition, the EDPB and EDPS recommend requiring the controller to provide all information listed by Article 13 GDPR upon request of the data subject, as otherwise a data subject would be forced to file an access request under Article 15 GDPR in order to obtain the information.
Automated individual decision-making
The Proposal provides for an amendment to Article 22(1) GDPR in order to change it from a “right not to be subject to” automated decision-making that produces legal effects for the data subject or similarly significantly affects them, to a provision laying down the exhaustive list of cases where such types of decisions are permitted. The EDPB and EDPS recall that the CJEU has interpreted Article 22(1) GDPR as a prohibition in principle, the infringement of which does not need to be invoked individually by the data subject. Therefore, in the interests of legal certainty, the Opinion considers it necessary to use language reflecting Article 22(1) GDPR that provides for prohibitions with exceptions under specific conditions.
The EDPB and EDPS welcome the aim of clarifying the exceptions to the current prohibition on solely automated decision-making. However, they suggest amendments to avoid implying that solely automated decision-making is in principle allowed whenever there is a contract regardless of whether it is “necessary” for the purposes of entering into or performing the contract. They also provide recommendations to further clarify what assessing “necessity” entails.
Data breaches
The EDPB and EDPS welcome the proposal to increase the personal data breach notification threshold to the DPC to “high risk” breaches only, and to extend the notification deadline from 72 hours to 96 hours, as well as establishing harmonised common data breach and DPIA templates and lists. However, they opine that the EDPB should be fully entrusted with both the preparation and approval of such documents and the EDPS should be entrusted with corresponding competences under the EUDPR.
The EDPB and EDPS, however, would recommend more harmonisation between the different notification obligations, noting the fact that shorter deadlines apply under other reporting obligations, including NIS2 Directive (24 or 72 hours depending on the obligation), DORA (24 or 72 hours depending on the obligation), eIDAS Regulation (24 hours) and CER Directive (24 hours). They highlight that harmonisation in this regard is all the more important since the Explanatory Memorandum to the Proposal notes that one of the purposes of the single-entry point is to allow organisations “to seemingly file one single notification, whereas responding to multiple legal obligations at the same time”.
DPIAs
The Proposal seeks to harmonise the processing activities requiring a Data Protection Impact Assessment (“DPIA”) across the EU. In this regard, it requires the EDPB to set out a list of processing activities that require and do not require a DPIA, and for the EDPB to create a common template and common methodology for conducting a DPIA, which the European Commission would be required to adopt by implementing act. The EDPB and EDPS welcome this proposal, but recommend entrusting the EDPB exclusively with the preparation and approval of the DPIA list, common template and methodology.
EUDPR
The EDPB and EDPS welcome the intention to ensure alignment of the EUDPR and GDPR. They underline the need to ensure legal certainty and uniform application of equivalent data protection standards across the Union by private and public organisations, including EU institutions, agencies and bodies. At the same time, they also identify specific cases where full alignment between the texts is not appropriate, and adaptations are needed.
ePrivacy provisions
The EDPB and EDPS strongly support the aim of the Proposal to provide for a regulatory solution to address consent fatigue and proliferation of cookie banners and to simplify the rules applicable to the protection of the terminal equipment of end-users. They also generally welcome that the Proposal aims to provide limited additional derogations to the general prohibition to store or gain access to personal data in the terminal equipment, and the fact that the oversight of such matters will be entrusted to the supervisory authorities established in accordance with the GDPR to further support regulatory consistency.
However, they raise concerns that the proposed separation of the rules on access to and storage of information in terminal equipment over different legal instruments (i.e. the GDPR in respect of the processing of personal data or the ePrivacy Directive in respect of non-personal data) may lead to legal uncertainty. The Opinion sets out recommendations to enhance legal certainty, and minimise the risks for data subjects. The EDPB and EDPS also welcome the repeal of the security and breach reporting requirements in Article 4 of the ePrivacy Directive, on the basis that they are obsolete in view of the breach reporting obligations under the GDPR.
Part 2: Amendments to the broader EU Digital Rulebook
In the second part of the Opinion, the EDPB and EDPS address key changes introduced by the Proposal in the data legislative acquis (“Data Acquis”). This Opinion addresses the most relevant aspects of the Data Acquis, which are of particular importance for the protection of individuals’ rights and freedoms, with regard to processing personal data.
The EDPB and EDPS welcome the objectives of the Proposal to streamline and harmonise the Data Acquis. In particular, they welcome the integration of the Data Governance Act (“DGA”) and Open Data Directive (“ODD”) rules on the re-use of data and documents held by public sector bodies into the Data Act, which will simplify compliance and the application of the rules.
Making data available to public sector bodies in case of a public emergency
The Proposal seeks to amend the obligation for data holders to make non-personal data available to public sector bodies, the European Commission, the European Central Bank and a Union body, in case of an exceptional need. The Proposal notes that the types of data which can be requested depend on whether the data is necessary to respond to a public emergency, and which the requesting body is unable to obtain “by other means in a timely and effective manner” or if the data is necessary to mitigate or support the recovery from a public emergency. In particular, by amending Article 17(2)(e) of the Data Act, the Proposal introduces the possibility that non-pseudonymised personal data may be made available to requesting bodies when responding to a public emergency.
The EDPB and the EDPS recommend keeping the requirement that the request should concern non-personal data (by default) and only concern personal data in pseudonymised form when non-personal data (i.e. anonymous data) are not sufficient to respond to the public emergency. They state that the Proposal does not justify the change or offer any examples where access to non-pseudonymised personal data would be necessary to respond to a public emergency in a timely and effective manner.
Re-use of data and documents held by public sector bodies
The EDPB and EDPS welcome the simplification of the regulatory framework for the use of data and documents held by public sector bodies. The Proposal aims to address the lack of clarity and certainty between the existing rules of the DGA and the ODD by combining the rules into the new Chapter VIIc of the Data Act. The Opinion notes that this new Chapter does not retain the provision from Article 1(2) DGA, that the DGA “does not create any obligation on public sector bodies to allow the re-use of data, nor does it release public sector bodies from their confidentiality obligations under Union or national law”. The EDPB and EDPS recommend reinstating this provision.
Changes to the Data Intermediation Services and altruism organisations
The Proposal suggests the insertion of a new Chapter IIVa of the Data Act, with the aim of providing lighter regulation for data intermediaries and data altruism organisations. The EDPB and EDPS understand and welcome the intention to reduce administrative burden in this domain, but emphasise that the objective of the Data Act is increasing trust in data sharing, resulting in more easily accessible and re-usable data. With this in mind, the EDPB and EDPS recommend maintaining specific safeguards, favouring transparency and oversight.
For example, the Proposal removes the record-keeping and reporting obligations for recognised data altruism organisations. However, the EDPB and EDPS recommend maintaining this record-keeping obligation, so that competent authorities may exercise oversight and to foster trust.
Enforcement by and cooperation between Competent Authorities and other Authorities
The Proposal removes the current Article 38(8) of the Data Act which governs competent authorities’ co-operation to “handle and resolve complaints effectively and in a timely manner, including by exchanging all relevant information by electronic means, without undue delay”. The EDPB and EDPS recommend reinserting this provision to ensure legal certainty for how co-operation should function and reduce the risk of possible future legal disputes on procedural matters.
In addition, the Data Act currently does not provide for an explicit legal basis for the exchange of relevant information across regulatory domains. The EDPB and the EDPS recommend including provisions to enable the exchange of information on enforcement activities among authorities competent under the Data Act and other regulatory authorities, such as supervisory authorities. They also recommend clarifying the responsibilities and competences of supervisory authorities in terms of monitoring and enforcing the Data Act.
EDIB: changes to structure and role
There are a number of developments set out in the Proposal regarding the European Data Innovation Board (“EDIB”). The EDPB and the EDPS welcome the Proposal’s confirmation of the EDIB’s role in supporting the consistent application of the Data Act. They recommend clarifying that the EDIB will continue to assist the European Commission in the development of guidelines and standards. They also recommend empowering the Commission to issue guidelines on any topic concerning the Data Act. This would enable the Commission to develop joint guidelines with the EDPB, and allow the EDIB to advise and assist the Commission in the development of such guidelines.
Commentary
It remains to be seen whether the recommendations provided by the EDPB and EDPS will be taken into consideration by the EU co-legislators. The Proposal will be subject to intensive negotiations over the coming months. We will continue to monitor the developments in this space and will issue further updates as they become available.
Contact Us
Matheson’s Technology and Innovation Group are available to guide you through the proposed reforms set out in the draft Digital Omnibus Regulations, and related legislation. For more information, please contact Marie McGinley, Davinia Brennan and Sarah Jayne Hanna.
With many thanks to Celeste Cannon for her contribution to this article.
