EU data protection authorities put the brakes on the Digital Omnibus. What companies should know now

The European Commission wants to “simplify” the EU’s digital rulebook with the Digital Omnibus, making compliance cheaper and faster. This is exactly where Europe’s top data protection bodies see a risk: in their joint statement (Joint Opinion 2/2026), the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) warn that some proposals would not only reduce bureaucracy, but could also significantly weaken the protection of personal data.

What is the Digital Omnibus?

The Digital Omnibus is a legislative proposal by the European Commission (published on 19 November 2025). It is not a single new law, but a package that simultaneously initiates amendments to several existing rules, including the GDPR, ePrivacy, the Data Act and the NIS2 Directive.

Important: none of this is in force yet. The proposal must go through the ordinary legislative procedure (Parliament and Council). The content and timeline are therefore still open, and major changes to the text are realistic.

Why the data protection authorities are warning so clearly

On 11 February 2026, the EDPB and the EDPS published their joint assessment. While they generally support the goal of making rules more practical, they consider several proposals to go too far, especially where core GDPR concepts would be changed.

Their central criticism: “simplification” must not mean narrowing data protection at key points, or creating more uncertainty because new distinctions would only be clarified later.

Point of contention 1: Shifting the definition of “personal data”

The most sensitive issue concerns the definition of personal data in the GDPR (Article 4(1)). The proposal aims to place greater emphasis on the perspective of the controller, or put simply: data could be considered “not personal” for a company if it cannot identify a person with the means available to it, even if another actor could.

There is also a second element the authorities view as particularly critical: the Commission would be able, via an implementing act, to set criteria for when data resulting from pseudonymisation is “no longer personal data” for certain entities. The EDPB/EDPS warn that this could effectively narrow the scope of GDPR obligations, and that it goes far beyond a “technical clarification.”

Why this matters for online marketing: many setups rely on “pseudonymous” signals (e.g., hashed identifiers, event data, matching IDs, server-side events). If the legal classification shifts, this could later affect obligations (transparency, legal basis, contracts, data subject rights) while also creating new grey areas around who bears which responsibility once data flows between multiple parties.

Point of contention 2: Right of access, does a “purpose test” loom?

Another friction point is the planned restriction around the right of access. The authorities welcome greater clarity against genuine abuse, but explicitly criticise the idea of making access requests dependent on the purpose for which someone exercises their right (e.g., not only “data protection” but also other legitimate purposes). In their view, the GDPR also protects other fundamental rights, and such a “purpose test” would be problematic.

For companies, this might look like “less effort” at first glance. At the same time, it increases the risk that data subject rights will be handled inconsistently in the future and that disputes over the admissibility of requests will grow, i.e., the exact opposite of legal certainty.

Point of contention 3: AI training, “legitimate interest” sounds like a solution, but remains complex

The Digital Omnibus also touches on AI topics. Regarding “legitimate interest” as a possible legal basis for certain AI contexts, the EDPB/EDPS essentially say that this is already possible in principle today, and that a new special rule does not automatically solve the practical questions. In particular, the familiar three-step test (balancing of interests, etc.) would still be necessary.

For marketing teams using AI tools (e.g., for segmentation, content production, or model training with their own datasets), this means: even if the Omnibus “organizes” something here, careful documentation and balancing will very likely remain mandatory.

What the authorities explicitly support

Despite the harsh criticism, the opinion is not a complete blockade. The EDPB/EDPS support several simplifications that could genuinely reduce burden in practice:

  • Less cookie-banner fatigue: they endorse approaches where user preferences can be expressed in an automated and machine-readable way (instead of repeatedly clicking banners everywhere).
  • More pragmatic personal data breach notifications: support for higher reporting thresholds, longer deadlines (e.g., 96 instead of 72 hours) and standardised templates, so authorities and companies can focus on relevant cases.
  • Biometric authentication (tightly limited): approval of an exemption if biometric templates/keys remain under the sole control of the data subject (e.g., stored locally on a badge/smartcard).

What companies should do now

For most companies, the short-term takeaway is: don’t change anything yet, but monitor the topic strategically. Three pragmatic measures help without tipping into activity for its own sake:

  1. Cleanly document tracking and data flows (which data, which parties, which purposes). This keeps you resilient regardless of how the final text looks.
  2. Keep the consent setup flexible (CMP, preference signals, tag/server-side logic) so you can react quickly to changes around ePrivacy/consent fatigue.
  3. Operationalize data subject rights and incident processes (access, deletion, breach handling), because these are precisely the areas currently being “rebuilt” politically.

What happens next?

The Joint Opinion now feeds into the negotiations in the European Parliament and the Council. Concrete dates for the next negotiation rounds (including possible trilogues) are not yet publicly fixed, but it is likely that the decisive discussions will stretch across 2026. Experience shows the text will still change significantly during the legislative process. The key point is this: the proposed changes to the definition of personal data and to the right of access are so fundamental politically and legally that intense resistance and substantial revisions should be expected.
