The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a Joint Opinion on the Digital Omnibus Regulation proposal (Joint Opinion) which follows their previous joint opinion on the Digital Omnibus on AI. The Digital Omnibus (plus the Digital Omnibus on AI) aims to simplify the EU's digital regulatory framework, reduce administrative burden and enhance the competitiveness of European organisations and the Joint Opinion is the first formal, non-binding, response to it. The Joint Opinion summarises areas where the EU data protection bodies support the proposals, and where there is only partial agreement, or fundamental disagreement with the proposals. We have unpicked the EU Digital Omnibus here, and note that UK businesses should keep an eye on the legislative progress of the Digital Omnibus, monitoring any amends which might impact them where they have customers in the EU, or transfer data in the EU. The Joint Opinion sets the tone perhaps for future iterations and challenges to the Digital Omnibus – with one thing certain, the path to adoption might not be a smooth one. We examine some of the key themes of the Joint Opinion below.
The Joint Opinion
The definition of “Personal Data” is not agreed
The proposed changes to the definition of personal data in the Digital Omnibus raise significant concerns for the EU data protection bodies; the primary concern being that the proposed changes adversely affect the level of protection enjoyed by individuals, create legal uncertainty and make data protection law more difficult to apply. The EDPB and the EDPS strongly urge co-legislators not to adopt the proposed changes to the definition of personal data as they go far beyond a technical amendment of the EU GDPR and would narrow the concept of personal data. The EDPB and EDPS also assert that the amended definition would impact how pseudonymized data is treated under the EU GDPR stating that the Commission "should not be entrusted to decide by an implementing act what is no longer personal data after pseudonymisation as it directly affects the scope of application of EU data protection law." Further, leaked reports from the EU Council suggest that the definition of personal data will be untouched with the original wording in EU GDPR Art 22 being retained.
Scientific research
The Joint Opinion supports the creation of a single, clear definition of “scientific research,” however it recommends that the definition is made more precise to ensure consistent application across the EU - as well as clarifying that scientific research should follow a systematic method and be carried out independently to result in transparent, verifiable results. The Joint Opinion also supports clarifying that processing for scientific research can rely on legitimate interest under Article 6(1)(f) GDPR, provided all conditions of that legal basis and other GDPR requirements are met, while noting that in some cases another Article 6(1) basis may be more appropriate. The data protection bodies further recommend moving references to innovation or commercial interests into the recitals, as these should not determine whether an activity qualifies as scientific research. There is broad support regarding introducing a limited exemption from transparency rules for scientific research, qualified by the recommendation adding “where and insofar” to clarify that the exemption is applied narrowly to when giving the information is impossible or would seriously hinder the research.
Suggested amends to legitimate interest in context of AI
As stated in the EDPB Opinion 28/2024 on AI models, legitimate interest may be used, in some cases, as a legal basis in the context of the development and deployment of AI models or systems – the EDPB and the EDPS do not therefore consider it necessary to include a specific provision on this in the EU GDPR and the Digital Omnibus. The introduction of a specific derogation to the prohibition to process sensitive data is welcomed, subject to conditions, covering the incidental and residual processing of such data in the context of the development and operation of AI systems or models, however, improvements are recommended, including clarifying the scope of the derogation and ensuring safeguards throughout the whole lifecycle.
Transparency exception
Concerning the new derogation for transparency, the EDPB and the EDPS support simplifying information requirements and reducing administrative burden, in particular for SMEs, but suggest clarifications to ensure legal certainty and ensure that individuals may still receive relevant information about their data when necessary.
Automated decision making
Again, the clarifications around exception in which automated individual decision-making is allowed is supported, with the qualification that changes here should be clarified to make them meaningful and legally sound with further specifications is recommended.
Data intermediation services and data altruism
Concerning data intermediation services and data altruism organisations, the EDPB and the EDPS highlight the importance of trustworthy and responsible data sharing, recommending maintaining specific safeguards favouring transparency and oversight. The Joint Opinion recommends streamlining further the provisions on enforcement (e.g. by enabling cross-regulatory exchange of information on enforcement including with DPAs and clarifying the role of DPAs in enforcing the Data Act).
AI
The Digital Omnibus removes the requirement for providers to register high-risk AI systems in circumstances where the providers have concluded that their Annex III AI systems are not high-risk under Article 6(3) of the AI Act. The Joint Opinion makes it clear that although the streamlining of administration is welcome and would alleviate the requirement for providers to register AI systems in the EU database for high risk systems, it is noted that this requirement would significantly decrease the accountability of providers of AI systems and would undermine the objective of ensuring appropriate knowledge and skills across the AI-cycle to protect fundamental rights and support AI compliance. The Joint Opinion recommends that the employer duty in respect of responsibility for AI literacy is retained, and that any new obligation for the European Commission of Member States to foster AI literacy complements, rather than replaces the responsibilities of organisations actually developing and deploying AI systems.
As regards processing of sensitive data in AI systems and models, the Joint Opinion welcomes the proposed permission ground where data is collected for training, testing and validation of certain AI models where it is not always possible to avoid incidental or residual processing of sensitive data. This proposal however is only supported where processing of sensitive data is incidental and residual and not forming the core necessary for the development or operation of an AI system.
Changes to e-Privacy Directive (Cookies)
The EDPB and the EDPS support the objective of providing for a regulatory solution to address consent fatigue and proliferation of cookie banners. This relates, for instance, to the proposed requirements on the use of automated and machine-readable indications of individuals’ choices regarding the processing of their data. The Joint Opinion also welcomes the limited additional derogations to the general prohibition to store or gain access to personal data in terminal equipment and suggests incentivisation of contextual advertising rather than behavioural advertising, by adding a specific exception surrounded by some safeguards. The Joint Opinion does however highlight the legal and technical difficulties raised by the co-existence of two different regimes regarding cookie compliance for personal and non-personal data and provide additional recommendations to enhance legal certainty.
DPIA guidance
Having a standardised DPIA template and methodology is welcomed in the Joint Opinion, however, it is noted that this should not be in the form of a rigid checklist and rather should remain practical and flexible and developed by the EDPB. The Joint Opinion supports the EU-wide harmonization of DPIA lists to give organisations clearer guidance on when a DPIA is required in order to reduce compliance burdens. The proposal in the Digital Omnibus that the EDPB have the role of preparing these lists is supported, however the Joint Opinion guards against allowing the Commission to modify them unilaterally, recommending that the EDPB approve the lists to preserve independence.
What’s next
The Digital Omnibus proposals must proceed through the EU legislative process before becoming law (the Joint Opinion in itself is non-binding) - however given that some of the EU AI Act deadlines fast approach (August 2026) this process might be expediated to avoid further confusion for businesses in need of legislative direction. Despite the broad approval from the EDPB and EDPS of the objectives of the Digital Omnibus, it is likely that the Digital Omnibus will be amended to take into account some of the proposed suggestions in the Joint Opinion. We will continue to monitor the progression of the EU Digital Omnibus as well as the formal responses from various legislative bodies which are expected imminently.
