European data protection authorities strongly oppose proposed GDPR changes in Digital Omnibus, warning modifications would weaken privacy rights rather than simplify compliance.
The European Data Protection Board and European Data Protection Supervisor this week published a scathing assessment of the European Commission's Digital Omnibus proposal, rejecting key amendments that would fundamentally alter how personal data is protected across the continent. The joint opinion, adopted February 10, 2026, exposes deep conflicts between the Commission's stated goal of regulatory simplification and actual proposals that authorities say would "significantly narrow the concept of personal data" while creating new legal uncertainties.
The 47-page technical analysis represents the most comprehensive official pushback against the Commission's Digital Omnibus initiative, which aims to modify multiple digital regulations simultaneously. According to the European Data Protection Board Chair Anu Talus, "simplification is essential to cut red tape and strengthen EU competitiveness - but not at the expense of fundamental rights."
European Data Protection Supervisor Wojciech Wiewiórowski emphasized the severity of certain proposals. "We strongly urge the co-legislators not to adopt the proposed changes to the definition of personal data," he stated in the February 11 press release. "These changes are not in line with the Court's case law and would significantly narrow the concept of personal data."
The authorities' strongest objections target amendments to Article 4(1) GDPR that would introduce what the Commission characterizes as technical clarifications following recent Court of Justice rulings. The proposal would add language stating that "information relating to a natural person is not necessarily personal data for every other person or entity, merely because another entity can identify that natural person."
According to the joint opinion document, this proposed text "goes far beyond a targeted modification of the GDPR, a 'technical amendment' or a mere codification of CJEU jurisprudence." The authorities note that the last sentence of the proposed amendment - specifying that information "does not become personal for that entity merely because a potential subsequent recipient has means reasonably likely to be used to identify the natural person" - actually contradicts established case law from the Court of Justice.
The September 2025 judgment in EDPS v SRB confirmed previous jurisprudence by establishing that otherwise impersonal data may become personal in nature when put at the disposal of any recipient with means reasonably likely to identify a data subject. The court clarified that in such cases, the data qualifies as personal both for the recipient and indirectly for the entity making it available.
"The proposed changes would result in significantly narrowing the concept of personal data, thereby adversely affecting the fundamental right to data protection," the opinion states. The authorities warn that controllers might exploit the modified definition to circumvent GDPR application through nominal organizational separation of processing activities from identification means.
The joint opinion further criticizes companion provisions that would grant the Commission implementing act authority to specify means and criteria determining whether pseudonymized data no longer constitutes personal data for certain entities. This delegation would effectively allow the executive branch to redefine the material scope of EU data protection law through secondary legislation.
"An implementing act as proposed could de facto affect the material scope of EU data protection law, effectively redefining the scope of when and for whom information is considered personal data," according to the authorities. They emphasize that applying legal definitions should remain the competence of supervisory authorities under court control, as guaranteed by the EU Charter of Fundamental Rights.
The Commission's proposed Article 88c GDPR would explicitly confirm that legitimate interest may serve as legal basis for AI model development and operation. The data protection authorities acknowledge this possibility already exists under current law, making the new provision unnecessary.
"The EDPB has already explicitly confirmed this in its Opinion 28/2024 on AI models," the joint opinion notes. "Therefore, it does not appear necessary to insert a specific provision to this effect."
The authorities recommend that if legislators maintain the provision, it should explicitly reference the three-step test required for legitimate interest processing under Article 6(1)(f) GDPR. Controllers must establish legitimate interests, demonstrate processing necessity, and balance those interests against fundamental rights impacts.
According to the joint opinion, the proposed text fails to clarify whether automated decision-making processed under Article 88c would still require the unconditional right to object mentioned in recitals. "Such a safeguard goes beyond the general right to object set out by Article 21(1) GDPR," the authorities state, recommending integration into Article 21 rather than creating separate provisions.
The opinion welcomes proposals for exempting incidental and residual processing of special categories data during AI development, acknowledging practical difficulties in completely avoiding sensitive information when training certain models. However, authorities recommend explicitly including preconditions that deletion proves impossible or involves disproportionate effort, with safeguards implemented across the complete AI development lifecycle.
"Controllers' assessment has to be based on a properly documented effort, considering the state-of-the-art technology and the impact on data subjects," according to the document. This approach would prevent organizations from relying on the exemption without genuine technical necessity.
Research from the University of Tübingen published June 2025 demonstrated that large language models qualify as personal data under European privacy regulations due to memorization of training information. The finding supports data protection authorities' concerns about AI model development requiring comprehensive legal frameworks rather than simplified exemptions.
Proposed modifications to Article 12(5) GDPR would expand circumstances where controllers can refuse data subject access requests or charge fees for "manifestly unfounded or excessive" requests. The Commission draft links abuse of rights to exercising access for purposes other than data protection.
The authorities reject this formulation as contradicting both GDPR's explicit purpose and Court of Justice interpretations. "Article 1 GDPR explicitly calls for the protection of 'natural persons with regard to the processing of their personal data' and of 'fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data,'" the opinion emphasizes.
The Court of Justice confirmed in its October 2023 judgment that data subjects may legitimately exercise access rights for objectives "other than that of becoming aware of the processing of data and verifying [its] lawfulness" without providing particular motivation. The joint opinion recommends linking "abusive requests" to existence of abusive intention rather than purpose categories.
"The future legislation should refrain from linking the notion of abuse of rights with the exercise of the right to access for purposes other than data protection," according to the authorities. They suggest focusing on evident intention to cause harm rather than restricting legitimate uses of access rights for journalistic, research, political, economic or legal purposes.
The opinion notes that Article 12(5) mirrors Article 57(4) provisions allowing supervisory authorities to refuse complaints or charge fees under equivalent conditions. Any modifications to controller obligations should therefore extend to supervisory authority powers, particularly given increasing complaint volumes across European jurisdictions.
The authorities support increasing the threshold for mandatory breach notifications from "likely to result in a risk" to "likely to result in a high risk" to fundamental rights and freedoms. This change would significantly reduce administrative burden without substantially affecting data subject protection.
Extending notification deadlines from 72 to 96 hours also receives endorsement, though the opinion notes inconsistency with shorter timelines in NIS2 Directive, DORA, eIDAS Regulation and CER Directive. "The EDPB and the EDPS would recommend more harmonisation between the different notification obligations," the document states.
Proposals for EDPB-developed common templates and lists receive strong support as consistent with the Helsinki Statement commitment to facilitating compliance. However, authorities object to Commission review and modification procedures through implementing acts.
"The EDPB and the EDPS recommend entrusting the EDPB with the preparation and approval of the template and the list," according to the opinion. This allocation would preserve independence and more closely follow subsidiarity principles than Commission adoption.
For the EUDPR governing EU institutions, the opinion recommends entrusting template and list development to the European Data Protection Supervisor rather than the Commission. "The Commission, as a European institution would itself have to comply with those lists," the authorities note, raising conflict of interest concerns about the executive defining its own obligations.
The joint opinion "strongly supports" objectives of addressing consent fatigue and cookie banner proliferation through automated machine-readable preference indications. Proposed Article 88b GDPR would require controllers to honor browser-transmitted user choices regarding terminal equipment data access and storage.
According to the opinion, "the use of technical means can simplify compliance by controllers, support data subjects in making their online choices effective," addressing longstanding frustration with repetitive consent requests. The authorities recommend developing harmonized standards applicable to all actors including controllers and browser providers.
The document raises concerns about splitting terminal equipment protection rules between GDPR and ePrivacy Directive based on whether data qualifies as personal. "The EDPB and the EDPS are concerned that the proposed separation of the rules on access to and storage of information in terminal equipment over different legal instruments may lead to legal uncertainty," the opinion states.
Cookie consent enforcement has intensified across European jurisdictions, with authorities examining implementation details and imposing penalties for non-compliant banner designs. The Digital Omnibus proposals attempt to reduce complexity while maintaining protection standards, though the joint opinion questions whether dual regulatory frameworks achieve this objective.
New exceptions for audience measurement and security purposes receive qualified support with recommendations for clear delimitation to strictly necessary processing. The authorities suggest adding contextual advertising exceptions - advertisements based on current page visits without behavioral tracking - provided implementation includes appropriate safeguards.
"The EDPB and the EDPS consider that such use cases could be considered in the list of cases not requiring consent in Article 88a (3) GDPR," the opinion states. Contextual advertising represents less intrusive alternatives to behavioral targeting that currently faces increased regulatory scrutiny under multiple frameworks.
Proposed definitions and derogations for scientific research purposes receive general endorsement with refinement recommendations. The joint opinion supports introducing Article 5(1)(b) GDPR clarifications that compatible processing for scientific research does not require separate Article 6(4) analysis or additional legal basis.
"The EDPB and the EDPS welcome the parts of the Proposal that have the potential of fostering greater harmonisation, consistency and legal certainty or reduce unnecessary administrative burden," according to the document. This includes new limited transparency derogations when providing information proves impossible or involves disproportionate effort.
The authorities recommend moving methodological requirements from recitals to enacting terms, including that research should be conducted following systematic approaches and lead to verifiable, transparent results. "Scientific research should be conducted in an autonomous and independent manner," the opinion states, suggesting explicit textual provisions rather than guidance paragraphs.
Proposed recital language stating scientific research may "support innovation, such as technological development and demonstration" and "may also aim to further a commercial interest" should remain contextual rather than definitional, according to authorities. These phrases provide guidance without establishing criteria differentiating scientific research from commercial product development.
The proposal largely takes effect three days after publication with specific exceptions. New Article 88a GDPR enters force six months later, while Article 88b paragraphs governing automated consent mechanisms implement over two to four years depending on provisions.
This compressed timeline combined with substantive concerns leads the joint opinion to regret "that the Proposal was not accompanied by a full impact assessment." The authorities consider insufficient attention given to adverse effects of certain changes on fundamental rights protection.
"The EDPB and the EDPS recommend to pay specific attention to the impact of these amendments on the fundamental rights and freedoms of individuals in the next regular evaluations and reviews that will take place under Article 97 GDPR," the document states.
Previous Digital Omnibus coverage has highlighted competing pressures between genuine administrative burden reduction for small and medium enterprises versus industry lobbying for exemptions primarily benefiting large technology platforms. The joint opinion attempts to distinguish legitimate simplification from proposals that would fundamentally weaken privacy protections.
The Dutch government previously raised similar concerns in December 2025, emphasizing that some GDPR amendments have "fundamental impacts" on privacy and data protection rights. Without comprehensive impact assessments and data protection authority opinions, proportionality evaluations prove impossible.
The second portion of the joint opinion examines proposed integration of Data Governance Act, Open Data Directive and Free Flow of Non-Personal Data Regulation into the Data Act. Authorities welcome streamlining objectives while recommending specific safeguards for personal data processing.
Proposed modifications to public emergency data requests would remove requirements that personal data be provided only in pseudonymized form when non-personal data proves insufficient. "The EDPB and the EDPS recommend keeping the requirement that the request should concern non-personal data (by default), and only concern personal data in pseudonymised form when non-personal data are not sufficient to respond to the public emergency," the opinion states.
For data intermediation services, the shift from mandatory prior notification to voluntary registration raises oversight concerns. The authorities recommend maintaining registration requirements when intended services involve high-risk personal data processing, ensuring supervisory visibility without imposing unnecessary burden on lower-risk activities.
Proposed functional separation instead of legal separation for data intermediation providers requires clear criteria for verification. "The EDPB and the EDPS recommend including clear criteria for functional separation," with technical and organizational segregation plus separate management, financing and staff where appropriate.
The joint opinion arrives as European privacy enforcement faces significant challenges in consistency and effectiveness. Analysis of GDPR Procedural Regulation negotiations suggests that attempts to streamline cooperation mechanisms may create additional complexity rather than resolving fundamental problems.
Digital marketing professionals face mounting compliance obligations as multiple regulatory frameworks overlap. The European Data Protection Board published guidelines September 11, 2025, establishing how marketers must navigate intersections between Digital Services Act and GDPR requirements.
For advertising technology stakeholders, the Digital Omnibus proposals create significant uncertainty about future compliance requirements. If AI training automatically qualifies as legitimate interest without necessity testing, this could reshape how platforms develop targeting algorithms and audience optimization tools.
The Commission's characterization of proposals as "unprecedented simplification" targeting 25% administrative burden reduction for all companies and 35% for small and medium enterprises conflicts with data protection authorities' assessment that certain changes would increase complexity while weakening protections.
Privacy advocacy organization noyb, which published preliminary analysis of internal draft documents in November 2025, characterized the proposals as neither "technical changes" nor "simplification" but rather "limitations of the right to data protection for EU residents." Chair Max Schrems stated that "the independent authorities have called out key changes for what they are."
The European Parliament and Council of the European Union will consider the EDPB-EDPS joint opinion as they develop positions on the Digital Omnibus proposal. According to standard EU legislative procedures, both institutions must agree on final text through trilogue negotiations before adoption.
The joint opinion provides technical expertise and independent assessment that typically carries significant weight in legislative deliberations, particularly regarding fundamental rights implications. Previous instances where data protection authorities raised substantive concerns have resulted in substantial modifications to original Commission proposals.
However, political momentum for competitiveness-focused regulatory changes may complicate technical assessments of privacy impacts. The 2024 Draghi report on European competitiveness explicitly identified GDPR as requiring recalibration, with specific recommendations for proportional regulations and simplified compliance pathways.
Germany previously submitted comprehensive proposals in October 2025 calling for modifications extending beyond the Commission's current simplification efforts, including fundamental restructuring of European data protection law following immediate tactical changes.
The Netherlands, France and other member states have indicated varying levels of support for different Digital Omnibus elements, suggesting complex negotiations ahead as the Council formulates its position.
For marketing professionals and advertising technology providers operating in European markets, the extended uncertainty period will likely continue through 2026 as legislative institutions work toward final compromise text addressing both competitiveness concerns and fundamental rights protections.
Who: The European Data Protection Board combining all 31 national data protection authorities and the European Data Protection Supervisor published a joint opinion assessing the European Commission's Digital Omnibus proposal affecting GDPR, ePrivacy Directive, and Data Act provisions.
What: The authorities strongly oppose proposed narrowing of personal data definitions, question necessity of explicit AI training provisions, reject access rights restrictions linked to purpose categories, support increased breach notification thresholds with governance concerns, and welcome cookie consent automation while recommending refinements to legal framework structure.
When: The joint opinion was adopted February 10, 2026, and published February 11, 2026, following formal consultation that began November 25, 2025, after the Commission adopted its Digital Omnibus proposal November 19, 2025.
Where: The assessment applies throughout the European Union and European Economic Area, examining proposed amendments to regulations and directives that establish privacy frameworks across all 27 member states plus Iceland, Liechtenstein and Norway.
Why: Data protection authorities concluded that despite Commission characterization as simplification measures, several proposed changes would "significantly narrow the concept of personal data," create new legal uncertainties, and adversely affect fundamental rights protection while failing to achieve stated administrative burden reduction objectives for legitimate compliance challenges faced by small and medium enterprises.
