On 19 November 2025, the European Commission issued a Digital Omnibus proposal with the aim to simplify compliance with the digital rulebook, hereby amending several EU digital legislation, such as GDPR, Data Act and ePrivacy Directive.
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a Joint Opinion on the proposed simplification, welcoming certain changes, at the same time raising concerns and proposing improvements for other.
Changes welcomed by the EDPB and EDPS
The authorities support several proposed amendments, including:
- Scientific research: Introduction of a definition, clarification regarding Article 6(4) GDPR, and a limited derogation from the duty to inform.
- Biometric authentication: A new exception allowing processing of special categories of data where verification tools remain under the individual’s sole control.
- Data breach notifications and DPIAs: Raising notification thresholds, extending deadlines, and introducing common templates and lists (while recommending that the EDPB and EDPS be fully entrusted with preparing and approving these).
- Integration of Data Governance Act and Open Data Directive rules into the Data Act, simplifying the data framework.
- Addressing consent fatigue under the ePrivacy Directive, including simplifying rules on terminal equipment and entrusting supervision to GDPR authorities.
- Clarification of enforcement cooperation under the Data Act, and confirmation of the EDIB’s role in supporting consistent application.
Changes supported in principle, but requiring improvements
The EDPB and EDPS support the underlying objectives of several reforms but recommend amendments to ensure safeguards and legal certainty:
- Use of legitimate interest in AI, including clearer guidance on assessments and the right to object.
- Exception for incidental and residual processing of special categories of data in AI, with clearer scope and lifecycle safeguards.
- Limitations to the right of access, which should be linked to abusive intent and not undermine broader fundamental rights.
- New transparency derogations, especially for SMEs, while ensuring individuals still receive meaningful information.
- Automated decision-making, where the general prohibition should be retained, with narrowly defined and clarified exceptions.
- Public-sector data sharing in emergencies, recommending pseudonymisation as a safeguard.
- Data intermediation and data altruism frameworks, with strong transparency and oversight mechanisms.
- Enforcement coordination under the Data Act, including clearer competences and information exchange.
- Contextual advertising exception under ePrivacy, to enhance clarity and responsible innovation.
Changes raising concerns
The EDPB and EDPS express concerns regarding:
- Proposed changes to the definition of personal data, which they believe would narrow its scope, undermine the fundamental right to data protection, and go beyond technical clarification.
- Defining when pseudonymised data is no longer personal data via an implementing act, as this directly affects the scope of EU data protection law.
- Fragmentation of rules on terminal equipment across different legal instruments, which risks legal uncertainty.
The proposal of Regulation amending the EU data legislation (Digital Omnibus) is presented under the ordinary legislative procedure and will now be examined by the European Parliament and the Council.
Full text of the Joint Opinion can be accessed here.
