Written by: Haim Ravia, Dotan Hammer
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted a Joint Opinion on the European Commission’s Digital Omnibus Regulation proposal. The proposal, published by the Commission on November 19, 2025, aims to simplify the EU’s digital regulatory framework by amending key legislation, including the GDPR, the ePrivacy Directive, the Data Act, and the NIS 2 Directive, while reducing administrative burdens and enhancing the competitiveness of European organizations.
The EDPB and EDPS support the broad objectives of the Omnibus to optimize the application of the digital rulebook, simplify compliance, strengthen individuals’ ability to exercise their rights, and stimulate competitiveness. However, they raise significant concerns that certain proposed changes could adversely affect the level of protection enjoyed by individuals, create legal uncertainty, and make data protection law more difficult to apply.
Among the changes the authorities welcome are the increase in the threshold of risk triggering the obligation to notify data breaches to the competent data protection authority, the extension of the notification deadline from 72 to 96 hours, and proposed common templates for data breach notifications and data protection impact assessments. They also support a new derogation permitting the processing of biometric data for authentication purposes where the verification means are under the individual’s sole control, and the harmonization of the notion of scientific research.
However, the opinion raises concerns about the proposed amendment to the definition of personal data, which the EDPB and EDPS view as potentially overruling the Court of Justice of the European Union case law. According to the EDPB and EDPS, the amended definition that the Commission proposed could exclude pseudonymous data from the definition of personal data and, consequently, from the GDPR as a whole – in a way that could diminish the protections for personal data. Subsequent news reports indicated that the Commission accepted the comments of the EDPB and EDPS on this issue and will withdraw its proposed amendment to the definition of personal data.
On the use of legitimate interest as a lawful basis for AI model training, the authorities consider the proposed GDPR amendment unnecessary, since the EDPB has already confirmed in its Opinion 28/2024 on AI models that legitimate interest may serve as a legal basis in some cases. The opinion also addresses proposed changes to the ePrivacy Directive, welcoming efforts to reduce cookie banner fatigue while cautioning that ambiguity in the definition of personal data could lead to inconsistent requirements.
Click here to read the EDPB-EDPS Joint Opinion 2/2026 on the Digital Omnibus Regulation.
