Skip to main content

EDPB-EDPS Joint Opinion on the Digital Omnibus

On February 10, 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) published their official Joint Opinion on the Digital Omnibus proposal. This document represents the authoritative position of European data protection authorities on the proposed changes.

Understanding This Document

The Joint Opinion is a consultative document—it expresses the regulators' position but does not change the legislative proposal. The European Parliament and Council may consider these recommendations during negotiations, but are not bound by them. The original Commission proposal (COM(2025) 837) remains the basis for legislation.

Document Details

TitleEDPB-EDPS Joint Opinion 2/2026 on the Proposal for a Regulation as regards the simplification of the digital legislative framework (Digital Omnibus)
Adopted10 February 2026
Published11 February 2026
Official pageEDPB Website
PDFFull document (PDF)
Press releaseEDPB News

Overall Position

The EDPB and EDPS support the simplification objectives of the Digital Omnibus while raising significant concerns about specific provisions that could adversely affect protection levels.

What They Support

  • Simplification of the digital regulatory framework
  • Reducing compliance burden for businesses
  • Strengthening effective exercise of individual rights
  • Boosting EU competitiveness
  • Changes to scientific research provisions
  • Raised threshold for breach notifications (with caveats)
  • New exception for biometric authentication under individual's control
  • Cookie consent fatigue solutions (in principle)

What Concerns Them

  • Personal data definition changes
  • Implementing acts for pseudonymization
  • Potential reduction in protection levels
  • Fragmentation of terminal equipment rules
  • Some AI processing provisions

Key Positions by Topic

1. Personal Data Definition

EDPB-EDPS Position: Strong Opposition

The regulators firmly oppose the proposed changes to the personal data definition, recommending their complete removal from the proposal.

Commission proposal: Codify "reasonably likely to be used" standard with entity-specific determination.

EDPB-EDPS concerns:

  1. Unnecessary changes: The current GDPR definition, interpreted through CJEU case law, works well. Changes risk creating new uncertainties.

  2. Reduced protection: Entity-specific determination could exclude data from GDPR protection when it should be covered.

  3. Legal fragmentation: Different entities having different obligations for the same data creates complexity, not simplification.

  4. Undermining CJEU jurisprudence: The proposed wording may contradict established case law rather than codify it.

EDPB-EDPS recommendation:

"The EDPB and the EDPS recommend that the proposed amendments to the concept of personal data are removed from the Proposal."

Implication: If Parliament/Council follows this recommendation, Articles related to personal data definition would remain unchanged from current GDPR.

2. Pseudonymization and Implementing Acts

EDPB-EDPS Position: Serious Concerns

The regulators oppose giving the Commission power to determine what constitutes personal data through implementing acts.

Commission proposal: Commission can adopt implementing acts specifying criteria for effective pseudonymization.

EDPB-EDPS concerns:

  1. Competence question: Whether data is "personal" is a matter of fundamental rights law, not technical specification. The Commission should not have authority to make this determination.

  2. Scope creep risk: Implementing acts could be used to narrow GDPR's scope by declaring certain data "not personal."

  3. EDPB role: The EDPB already provides guidance on pseudonymization. Commission implementing acts could conflict with or undermine this guidance.

EDPB-EDPS recommendation:

Technical guidance on pseudonymization should remain with the EDPB, not be transferred to Commission implementing acts.

3. Cookie Consent and Article 88a

EDPB-EDPS Position: Support with Recommendations

The regulators strongly support addressing cookie banner fatigue, while requesting specific improvements.

What they support:

  • Moving cookie consent under GDPR framework
  • Exemption for audience measurement (Article 88a(3)(c))
  • Single-click refuse requirement
  • 6-month cooldown after refusal

Concerns and recommendations:

  1. Contextual advertising exception: The EDPB-EDPS recommends creating an explicit exemption for contextual advertising that doesn't involve tracking. This would allow ads based on page content without consent, while tracking-based ads still require consent.

  2. Terminal equipment fragmentation: Moving only personal data cookies to GDPR while leaving non-personal data cookies in ePrivacy creates two parallel regimes. They recommend either full integration or clearer coordination.

  3. Browser signals (Article 88b): Support the concept but want clearer technical standards and interoperability requirements.

Notable quote:

"The EDPB and the EDPS strongly support the objective of providing for a regulatory solution to address consent fatigue and the proliferation of cookie banners."

4. AI Processing (Article 88c)

EDPB-EDPS Position: Cautious Acceptance

The regulators accept the legitimate interest basis for AI but request stronger safeguards.

What they accept:

  • Recognizing AI development as a legitimate interest under Article 6(1)(f)
  • The balance test approach
  • Special category data safeguards (Article 9(2)(k))

Concerns:

  1. Web scraping: Specific concern about large-scale web scraping for AI training without adequate safeguards.

  2. Right to object: Want stronger guarantees that the unconditional right to object is meaningful and enforceable.

  3. Balance test application: Request clearer criteria for when data subject rights override AI development interests.

  4. Children's data: Want explicit, stronger protections beyond "in particular."

EDPB-EDPS recommendation:

More specific safeguards needed, particularly for web scraping scenarios and effective right to object implementation.

5. Data Breach Notification Threshold

EDPB-EDPS Position: Partial Support with Reservations

The regulators accept the raised threshold but want to ensure it doesn't reduce accountability.

Commission proposal: Change notification threshold from "risk" to "high risk."

EDPB-EDPS position:

  1. Accept in principle: Reducing notification burden for minor incidents is reasonable.

  2. Template control: The EDPB wants to maintain control over breach notification templates and "high risk" criteria lists, rather than merely being "consulted" by the Commission.

  3. Supervisory authority information: Ensure that streamlined reporting still gets necessary information to national DPAs.

EDPB-EDPS recommendation:

"The EDPB should have the competence to adopt the templates and lists, rather than the Commission after consultation."

6. Right of Access and "Abusive" Requests

EDPB-EDPS Position: Concerns About Balance

The regulators worry the lower burden of proof could enable unjustified refusals.

Commission proposal: Lower burden of proof for controllers to refuse "abusive" access requests.

EDPB-EDPS concerns:

  1. Fundamental right: Right of access is a fundamental right; lowering barriers to refusal could undermine it.

  2. Abuse of the abuse exception: Controllers might too easily label legitimate requests as "abusive."

  3. Burden shift: The proposal shifts burden of proof in a way that may disadvantage data subjects.

EDPB-EDPS recommendation:

Maintain sufficient safeguards to ensure legitimate access requests are not refused under the guise of being "abusive."

7. Data Acquis Consolidation

EDPB-EDPS Position: Generally Supportive

The regulators support consolidating data laws but want clarity on oversight.

Areas addressed:

  1. Data intermediation services: Support integration into Data Act but want clear rules on how DPAs interact with intermediary oversight.

  2. Data altruism organizations: Want maintained oversight mechanisms.

  3. Coordination between authorities: Request clear delineation of responsibilities between data protection and other authorities.

8. Additional Recommendations

The Joint Opinion includes recommendations not addressed in the original proposal:

  1. Collective representation: EDPB-EDPS recommends allowing organizations to represent data subjects in complaints without requiring individual mandates (expanding Article 80 GDPR).

  2. Legitimate interest lists: The regulators oppose any Commission power to create binding lists of legitimate interests, as this could expand lawful processing beyond what the GDPR intended.

  3. NIS2 coordination: Request clearer rules for coordination between cybersecurity authorities (under NIS2) and data protection authorities.

What This Means for the Digital Omnibus

Possible Outcomes

EDPB-EDPS RecommendationLikelihood of AdoptionImpact if Adopted
Remove personal data definition changesMedium-HighStatus quo maintained
Remove Commission implementing acts for pseudonymizationMediumEDPB retains guidance role
Add contextual advertising exceptionMediumBroader cookie banner relief
Stronger AI safeguardsMedium-HighMore conditions on Article 88c
EDPB controls breach templatesHighTechnical change only
Maintain access request protectionsMediumBalance preserved

Timeline Implications

The Joint Opinion was published during the feedback period (deadline: March 9, 2026). The European Parliament's ITRE and LIBE committees will consider this input as they develop their positions.

Expected impact on timeline:

  • Committee rapporteur appointments: Q1 2026 (ongoing)
  • Parliament/Council positions: Q2 2026 (may incorporate EDPB-EDPS recommendations)
  • Trilogue negotiations: Summer 2026 (contested provisions will be negotiated)
  • Final text: May differ significantly from Commission proposal

Implications for Analytics and Sealmetrics

The EDPB-EDPS supports the Article 88a(3)(c) exemption for audience measurement. Their recommendation for a contextual advertising exception, if adopted, would further reduce consent requirements.

For Sealmetrics users: The Joint Opinion reinforces the legal basis for consentless analytics. The regulators are not challenging the audience measurement exemption.

First-Party Analytics: Validated

The regulators' concerns focus on:

  • Third-party tracking
  • Cross-site profiling
  • Web scraping for AI

First-party, aggregated analytics (Sealmetrics' model) is not targeted by EDPB-EDPS concerns.

Contextual Advertising: Potential New Exemption

If the EDPB-EDPS recommendation for contextual advertising is adopted:

  • Ads based on page content (not user tracking) would be exempt
  • This benefits privacy-respecting advertising models
  • Could expand the "no consent needed" category

How to Follow Developments

Official Sources

Key Dates

DateEvent
November 19, 2025Commission proposal published
February 10, 2026EDPB-EDPS Joint Opinion adopted
March 9, 2026Digital Omnibus feedback deadline
March 11, 2026Digital Fitness Check feedback deadline
Q2 2026Expected Parliament/Council positions
Summer 2026Trilogue negotiations
Late 2026 / Early 2027Expected final adoption

Key Takeaways

  1. Joint Opinion is consultative - It expresses regulators' views but doesn't change the proposal
  2. Strong support for simplification goals - EDPB-EDPS agrees with reducing complexity
  3. Personal data definition: opposed - Regulators recommend removing these changes
  4. Cookie exemption: supported - Article 88a(3)(c) is not challenged
  5. Contextual advertising: new recommendation - Could expand exemptions if adopted
  6. AI processing: cautious acceptance - With requests for stronger safeguards
  7. Breach threshold: accepted - But EDPB wants control over templates
  8. Final text may differ - Parliament/Council negotiations will determine outcome

The Joint Opinion provides valuable insight into how European data protection authorities view the Digital Omnibus. While they support simplification, they're vigilant about maintaining protection levels. The final regulation will likely reflect compromises between the Commission's efficiency goals and the regulators' protection concerns.