115th Plenary meeting

Brussels, 11 February - The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a Joint Opinion on the Digital Omnibus Regulation proposal.* This proposal aims to simplify the EU's digital regulatory framework, reduce administrative burden and enhance the competitiveness of European organisations.

The EDPB and the EDPS focus on the aspects concerning the GDPR, the EUDPR, the ePrivacy Directive, and the Data Acquis.** More specifically, they assess whether the proposal 1) leads to real simplification and facilitates compliance, 2) brings more legal certainty and 3) affects individuals’ fundamental rights.

Changes to the GDPR and the EUDPR

Changes raising significant concerns

Some proposed changes raise significant concerns as they can adversely affect the level of protection enjoyed by individuals, create legal uncertainty and make data protection law more difficult to apply.

The EDPB and the EDPS strongly urge the co-legislators not to adopt the proposed changes to the definition of personal data as they go far beyond a targeted or technical amendment of the GDPR. In addition, they do not accurately reflect and clearly go beyond the CJEU jurisprudence, and they would result in significantly narrowing the concept of personal data. The European Commission should not be entrusted to decide by an implementing act what is no longer personal data after pseudonymisation as it directly affects the scope of application of EU data protection law.  

“Simplification is essential to cut red tape and strengthen EU competitiveness — but not at the expense of fundamental rights. We welcome the Commission’s steps toward greater harmonisation, consistency, and legal certainty. However, we strongly urge the co-legislators not to adopt the proposed changes in the definition of personal data, as they risk significantly weakening individual data protection.”

EDPB Chair, Anu Talus

“We strongly urge the co-legislators not to adopt the proposed changes to the definition of personal data. These changes are not in line with the Court’s case law and would significantly narrow the concept of personal data.  We must make sure that any changes to the GDPR and EUDPR actually clarify obligations and bring legal certainty while maintaining trust and a high level of protection of individual rights and freedoms."

European Data Protection Supervisor, Wojciech Wiewiórowski

Steps in the right direction

The EDPB and the EDPS are in favour of the increase of the threshold of risk leading to the obligation to notify a data breach to the competent Data Protection Authority (DPA) and the extension of the deadline to submit such a notification. This would significantly reduce the administrative burden for organisations without affecting the protection of individuals’ personal data. In addition, the proposed common templates and lists for data breaches and data protection impact assessments are positive.

The EDPB and the EDPS also welcome the proposed introduction of a new derogation to process special categories of data for biometric authentication, where the verification means are under the individual’s sole control.

Lastly, they support the harmonisation of the notion of ‘scientific research’ and other related changes, since they enhance legal certainty and help to bring more harmonisation.

Changes that need fine-tuning

As stated in the EDPB Opinion 28/2024 on AI models, legitimate interest may be used, in some cases, as a legal basis in the context of the development and deployment of AI models or systems. Therefore, the EDPB and the EDPS do not consider it necessary to include a specific provision on this in the GDPR.

The EDPB and the EDPS welcome the proposal’s aim to introduce a specific derogation to the prohibition to process sensitive data, subject to conditions, covering the incidental and residual processing of such data in the context of the development and operation of AI systems or models. However, they recommend several improvements, such as clarifying the scope of the derogation and ensuring safeguards throughout the whole lifecycle.

The EDPB and the EDPS agree with the Commission’s aim to provide legal clarity to controllers where they face abuse of rights by data subjects. However, they consider that the exercise of the right to access for purposes other than the protection of personal data should not be an element defining what an abuse is. Concerning the new derogation for transparency, the EDPB and the EDPS support simplifying information requirements and reducing administrative burden, in particular for SMEs, but suggest clarifications to ensure legal certainty and ensure that individuals may still receive relevant information about their data when necessary.

Lastly, changes brought to the provision on automated individual decision-making should be clarified to make these changes meaningful and legally sound.

Changes to the ePrivacy Directive

The EDPB and the EDPS strongly support the objective of providing for a regulatory solution to address consent fatigue and the proliferation of cookie banners. This relates, for instance, to the proposed requirements on the use of automated and machine-readable indications of individuals’ choices regarding the processing of their data. The use of technical means can simplify compliance by controllers and support individuals in making their online choices effective.

The EDPB and the EDPS also welcome the limited additional derogations to the general prohibition to store or gain access to personal data in the terminal equipment and further invite the co-legislators to incentivise contextual advertising rather than behavioural advertising, by adding a specific exception surrounded by some safeguards.

The EDPB and the EDPS welcome the fact that the oversight of such matters will be entrusted to DPAs. 
At the same time, the EDPB and the EDPS highlight the legal and technical difficulties raised by the co-existence of two different regimes for personal and non-personal data. They also provide additional recommendations to enhance legal certainty, minimise the risk and foster responsible innovation.

Changes to the Data Acquis

The EDPB and the EDPS support the simplification of the Data Acquis through the integration into the Data Act of the Data Governance Act and Open Data Directive rules on the re-use of data and documents held by public sector bodies.

In relation to access granted by public bodies for re-use, they recommend maintaining the clarity offered by the current legal framework, namely that it does not oblige public sector bodies to allow re-use, nor does it provide a legal basis for granting access.

Regarding public emergencies, the EDPB and the EDPS recommend affirming that personal data can be shared only in pseudonymised form with public sector bodies, in cases where anonymous data is insufficient to respond to the public emergency.

Concerning data intermediation services and data altruism organisations, the EDPB and the EDPS highlight the importance of trustworthy and responsible data sharing. They recommend maintaining specific safeguards, favouring transparency and oversight.

The EDPB and the EDPS recommend streamlining further the provisions on enforcement (e.g. by enabling cross-regulatory exchange of information on enforcement including with DPAs and clarifying the role of DPAs in enforcing the Data Act).

The EDPB and the EDPS welcome the proposal’s confirmation of the European Data Innovation Board (EDIB)’s role in supporting the consistent application of the Data Act. On the development of guidelines, they recommend empowering the Commission to issue guidelines on any topic concerning the Data Act and clarifying the EDIB’s role in assisting the Commission in this process. This would enable the Commission to develop joint guidelines with the EDPB and allow the EDIB to advise and assist the Commission in the development of such guidelines.

Note to editors:

*On 19 November 2025, the Commission adopted a Digital Omnibus proposal amending a large corpus of the EU’s digital legislation, including the GDPR, the EUDPR, the Data Act, the ePrivacy Directive, the NIS 2 Directive.

On 25 November 2025, the Commission formally consulted the EDPB and the EDPS in accordance with Article
42(2) EUDPR and requested an opinion on the aspects concerning the GDPR, the EUDPR, the ePrivacy Directive, and the Data Acquis.

On 20 January 2026, at the request of the Commission, the EDPB and EDPS have also adopted a  Joint Opinion on the ‘Digital Omnibus on AI'’.

** The “data acquis”, part of the Digital Omnibus proposal, aims to repeal the Data Governance Act (“DGA”), Open Data Directive (“ODD”) and the Free Flow of Non-Personal Data Regulation (“FFNPR”) and integrates amended relevant provisions of those acts into the Data Act.

Brussels, 12 February - During its latest plenary, the EDPB adopted its work programme for 2026-2027.  This is the second work programme to support the implementation of the EDPB strategy 2024-2027*.

The work programme is based on the priorities set out in the EDPB strategy and the needs identified as most critical for stakeholders. It also takes into account the commitments made in the Helsinki Statement on enhanced clarity, support and engagement aimed at making GDPR compliance easier, strengthening consistency, and boosting cross-regulatory cooperation.

Built on the four pillars of the EDPB strategy, the work programme focuses on 1) enhancing harmonisation and promoting compliance, 2) reinforcing a common enforcement culture and effective cooperation, 3) safeguarding data protection in the developing digital and cross-regulatory landscape, and 4) contributing to the global dialogue on data protection.

Enhancing harmonisation and promoting compliance

The EDPB will continue to provide timely and clear guidance on key issues and concepts of EU data protection law to make GDPR compliance easier. For example, the EDPB is working on guidelines on Consent or Pay, guidelines on anonymisation, guidelines on pseudonymisation and guidelines on children’s data. The Board will also develop and promote tools for a broader audience, by producing content for non-experts, such as templates, illustrative examples, checklists, FAQs and “how to” guides.

The EDPB will support the implementation of compliance measures for controllers and processors. 

The EDPB will advise the EU legislature on important issues related to the protection of personal data in the EU. This includes giving advice on legislative proposals, together with the EDPS in the context of joint opinions such as with the Digital Omnibus, in response to any requests from the European Commission.

Reinforcing a common enforcement culture and effective cooperation

“We will continue working together to ensure greater consistency across Europe and to strengthen cooperation among Data Protection Authorities.
The commitments we made last year in our Helsinki statement will be our compass going forward. We will also embrace the opportunities that come with the recently adopted Regulation on GDPR procedural rules.”
EDPB Chair, Anu Talus

The EDPB will remain fully committed to fulfil its role as a forum to regularly exchange information on ongoing cases, expertise and best practices among DPAs. The Board will also continue to support the development of enforcement and cooperation tools and will focus on ensuring the smooth functioning of the consistency mechanism.

The IT tools and systems used by the Board will be evaluated and enhanced.

Safeguarding data protection in the developing digital and cross-regulatory landscape

The EDPB will continue to promote a human-centric approach to new technologies, including via the adoption of guidelines on generative AI and data-scraping. 

The EDPB will proactively engage with other regulatory authorities on matters relating to data protection to support the new cross-regulatory landscape. The Board will continue to take an active role in relevant forums, including the Digital Markets Act (DMA) High Level Group, the European Board for Digital Services and the European Data Innovation Board. 

The Board will establish common positions and guidance in the cross-regulatory and interdisciplinary landscape, while maintaining coherent and consistent safeguards for the protection of personal data. Guidance in this regard will include joint guidelines on the Interplay between the AI Act and the GDPR and guidelines on political advertising. 

Contributing to the global dialogue on data protection

The EDPB commits to promoting global dialogue on privacy and data protection, focusing on international cooperation in enforcement among its members and also with authorities of third countries. It will continue its initiative of close cooperation with DPAs from the countries or organisations with an adequacy decision. 

The EDPB will also continue to work on the GDPR and Law Enforcement Directive (LED) transfer mechanisms and provide further guidance on their practical implementation.

The EDPB will be engaged with the international community, making sure to facilitate the exchange of information and cooperation among the EDPB members active in international forums. 

Note to editors:
* The first work programme supporting the EDPB strategy 2024-2027 can be found here.