Digital Omnibus opinion shows EU privacy regulators will tolerate simplification but not weaker definitions
EU privacy regulators say the Digital Omnibus proposal can simplify compliance, but warn that narrowing the definition of personal data would weaken data protection.
Summary
The EDPB and EDPS have backed parts of the EU’s proposed Digital Omnibus package that would simplify compliance and reduce administrative burden, while strongly opposing proposals that would narrow the definition of personal data. The message is clear: simplification is acceptable, but not if it weakens the scope of protection.
What happened
On 11 February 2026, the EDPB and EDPS adopted a joint opinion on the Digital Omnibus Regulation proposal. The regulators assessed whether the proposal would genuinely simplify the digital regulatory framework, improve legal certainty, and preserve fundamental rights. They said some measures are welcome, including higher thresholds and longer deadlines for some breach notifications, common templates, and clearer treatment of certain research and biometric-authentication issues.
At the same time, they raised significant concerns about proposed changes to the definition of personal data. In particular, they said the proposal goes beyond existing case law, could narrow the concept of personal data too far, and would create legal uncertainty while weakening protection for individuals.
Why it matters
This is important because it shows where European privacy regulators are drawing the line in the next phase of compliance reform. They are open to reducing operational burden where that does not materially damage protections, but they are not willing to trade away core legal concepts in the name of competitiveness. That matters for organisations planning around future AI, data, and platform governance obligations.
Assessment
The opinion reads like a boundary-setting exercise. It signals that the debate is no longer simplification versus regulation in the abstract; it is about which forms of simplification preserve trust and which ones erode the legal baseline. For security, privacy, and AI governance teams, this is a useful indicator of likely regulatory posture: procedural streamlining may survive, but attempts to shrink the scope of protected data will face hard resistance.
Recommended actions
- track whether legislative negotiations preserve or dilute the current definition of personal data
- avoid assuming that political pressure for simplification will translate into a looser enforcement environment
- review compliance programmes for places where better templates, DPIA standardisation, or breach-notification changes could reduce overhead without changing core obligations
- monitor how AI-related provisions are framed, especially where they intersect with legitimate interest, sensitive data, and model development