EDPB and EDPS Back Digital Omnibus Simplification But Warn of Data Protection Risks

The EU’s top data protection bodies have broadly welcomed proposed reforms to streamline digital regulation, while raising serious concerns that key changes could narrow privacy rights and create significant legal uncertainty.

On 11 February 2026, the European Data Protection Board (“EDPB”) and European Data Protection Supervisor (“EDPS”) published their joint opinion (the “Opinion”) on the draft Digital Omnibus Regulation (“DOR”), which aims to amend EU data protection and cyber laws (GDPR, EUDPR, ePrivacy Directive and NIS2) and also the EU AI Act. You can read more about DOR here: Digital Omnibus Regulation Proposal.

In summary, the Opinion broadly supports the simplification of the EU’s digital regulatory framework, the reduction of administrative burdens and the improvement of competitiveness for European organisations. However, it raises significant concerns that the DOR would narrow the scope of data protection and may create legal uncertainty.

1. Definition of Personal Data

    The Opinion opposes the proposed change to the definition of personal data as it goes far beyond a targeted or technical amendment of the GDPR. The Opinion finds that the proposed change narrows the concept of personal data, making the relevant factor in determining if data is personal data the question of whether a specific entity can identify an individual, taking into account the means that entity is likely to use (as established in EDPS v SRB (Case C-413/23 P)). The Opinion notes that this amendment would narrow the scope of data protection, may cause legal uncertainty and could potentially circumvent the GDPR, and that it significantly departs from the CJEU’s jurisprudence. The Opinion emphasises that the CJEU’s entire body of jurisprudence ought to be considered, and that legislators should not rely on one single case that does not reflect that jurisprudence as a whole.

    2. Notification of Data Breaches

    The Opinion favours increasing the risk threshold for notification, meaning that a data controller would only be required to notify a supervisory authority when there is a high risk to the rights and freedoms of the affected individual. This would certainly reduce the administrative burden on data controllers, with minimal impact on the protection of individuals’ personal data. The Opinion is also in favour of extending the current 72-hour deadline to notify a supervisory authority to 96 hours, which would give data controllers additional time to gather information, assess the breach and determine whether notification is required.

    3. Processing Activities that Require a Data Protection Impact Assessment (“DPIA”)

    The Opinion supports the Proposal’s aim to harmonise the processing activities requiring a DPIA across the EU and endorses empowering the EDPB to draft a list of processing activities that do and that do not require a DPIA, and for the EDPB to create a common template and common methodology for conducting a DPIA. The Opinion does, however, have concerns about the European Commission’s power to amend these common templates and methodologies.

    4. Updates to Cookie Banners

    The Opinion strongly supports the amendments relating to cookies, consent fatigue and the proliferation of cookie banners, including the proposal that consent will not be needed where cookies are used for aggregated audience measurement and for security reasons. The Opinion also notes that as data controllers will not be permitted to seek consent where a data subject has previously refused consent for a period of six months, a limited amount of information will need to be retained by data controllers in order to record that refusal.

    5. Use of Legitimate Interest as a Lawful Basis for AI

    The Opinion notes that the EDPB has already published an Opinion on AI models (Opinion 28/2024) which addresses the circumstances in which legitimate interest may be relied upon for the processing of personal data in the context of AI model development. Accordingly, the EDPB does not consider it necessary to include the proposed new article 88c of the GDPR which would provide that a data controller may rely on legitimate interest under article 6(1)(f) GDPR. The Opinion, however, suggests that additional safeguards are needed in relation to the requirement of legitimate interest assessment, the definition of “enhanced transparency”, and the management of a data subject’s right to object.

    6. Changes to the Right of Access

    The Opinion welcomes the proposed extension of circumstances in which a data controller can refuse or charge a fee for data access requests that are “manifestly unreasonable or excessive”. However, it caveats that abusive access requests should be linked to the existence of an abusive intention for submitting the request, such as an intention to cause harm to a data controller, and not the mere fact of submitting an access request for purposes other than the protection of personal data. This is consistent with the CJEU’s previous confirmation that a data subject may submit a data access request regardless of the purpose behind that request and that a data subject is not required to provide any reasons for requesting such access (Case C-307/22).

    7. Single Notification Point for Incident Reporting

    The Opinion supports the use of a single-entry point (“SEP”) for reporting incidents under the GDPR, NIS2 and DORA, and highlights the importance of ensuring the security of notifications submitted via the SEP, as these often include very sensitive information.

    It is not yet clear if the Opinion’s recommendations will be considered by EU legislators or whether the DOR will be implemented as initially drafted. We will provide an update when further information is available.


    For more information, you can contact us at +353 1 662 4747, email law@hayes-solicitors.ie
