EDPB Rejects GDPR Amendments in Digital Omnibus: What It Means for Data Privacy Compliance
Key Takeaways
The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) have issued a joint opinion rejecting significant portions of the European Commission's 'Digital Omnibus' proposal to amend the General Data Protection Regulation (GDPR). The authorities specifically oppose narrowing the definition of personal data under Article 4(1) GDPR and restricting data subjects' right of access under Article 12(5) GDPR. They also criticize proposed Article 88c for AI training as insufficiently clear. This represents a major setback for regulatory changes that could have reduced GDPR obligations for companies.
What Happened: The Digital Omnibus Rejection
The European Commission's 'Digital Omnibus' proposal aimed to amend several digital regulations, including GDPR and the ePrivacy Directive. However, the EDPB and EDPS have strongly rejected key elements, arguing they would undermine fundamental data protection principles.
Key Rejected Provisions
- Narrowed Definition of Personal Data (Article 4(1) GDPR): The proposal sought to narrow what constitutes personal data, but authorities warn this could enable companies to circumvent GDPR obligations by reclassifying data as non-personal.
- Restricted Access Rights (Article 12(5) GDPR): The proposal would have limited data subjects' right of access to 'data protection purposes only,' which the EDPB and EDPS state violates existing Court of Justice of the European Union (CJEU) case law.
- Unclear AI Training Provisions (Article 88c): The proposed article would allow processing for AI training based on legitimate interest but fails to clarify key issues, leaving companies to conduct the standard three-step test for lawfulness.
The authorities view many provisions as unclear and insufficient, warning that the changes would primarily benefit large tech companies rather than reduce burdens for EU SMEs. This opinion represents a significant setback for the Commission's efforts to limit user rights under the guise of simplification.
Why This Matters for GDPR Compliance
This rejection has several important implications for businesses operating in or with the EU:
Continued Strong Enforcement
The EDPB and EDPS have signaled they will resist any attempts to weaken GDPR's core protections. This means businesses should expect continued rigorous enforcement of existing GDPR requirements, including those related to automated decision-making under Article 22. The rejection aligns with ongoing regulatory scrutiny of AI systems, as seen in the CNIL's February 2026 plenary session agenda reviewing automated image analysis tools for illegal dumping control.
Uncertainty for Compliance Planning
Organizations that were anticipating simplified GDPR requirements must now maintain current compliance programs. The proposed Article 88c for AI training would have provided clearer pathways for legitimate interest processing, but its rejection means companies must continue conducting thorough assessments for AI training data processing.
Alignment with AI Governance
This development reinforces the connection between data privacy and AI governance. With the EU AI Act's high-risk AI system obligations applying from 2 August 2026, and AI systems used in recruitment/HR classified as high-risk under Annex III, businesses must ensure their data processing practices align with both GDPR and upcoming AI regulations. For more on AI governance compliance, see our EU AI Act compliance roadmap guide.
What Organizations Should Do Now
Given this regulatory development, businesses should take the following actions:
1. Maintain Current GDPR Compliance Programs
Do not anticipate or plan for reduced GDPR obligations. Continue implementing robust data protection measures, including Data Protection Impact Assessments (DPIAs) for high-risk processing and respecting all data subject rights without restriction.
2. Strengthen Data Governance for AI
With unclear provisions for AI training data processing, ensure your organization conducts thorough legitimate interest assessments when processing personal data for AI development. Document these assessments carefully, as they may be scrutinized by data protection authorities.
3. Monitor Regulatory Developments
Stay informed about both data privacy and AI governance developments. The CNIL's ongoing work on automated image analysis tools demonstrates how data protection authorities are actively engaged in AI governance oversight. Consider using compliance intelligence platforms like AIGovHub for real-time regulatory updates across multiple domains.
4. Prepare for Integrated Compliance
As regulations like GDPR and the EU AI Act intersect, develop integrated compliance strategies. Our complete guide to AI governance for emerging technologies can help organizations navigate these complex requirements.
Looking Ahead: Data Privacy in 2026 and Beyond
This rejection demonstrates that GDPR's fundamental principles remain firmly in place. Businesses should expect:
- Continued enforcement of existing rights: Data subject access rights and broad personal data definitions will remain unchanged.
- Closer scrutiny of AI data practices: As seen with the CNIL's review of automated image analysis, data protection authorities are increasingly examining AI applications.
- Need for proactive compliance: Organizations cannot rely on regulatory simplification and must maintain robust data protection programs.
For ongoing updates on data privacy, AI governance, and other compliance developments, subscribe to AIGovHub's regulatory intelligence service. Our platform provides real-time updates on GDPR, EU AI Act implementation, and other critical regulations affecting your business.
This content is for informational purposes only and does not constitute legal advice.