The European Data Protection Board and European Data Protection Supervisor have issued a joint opinion warning that the EU's proposed Digital Omnibus regulation could weaken privacy protections and create regulatory uncertainty for businesses and individuals.
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have issued a joint opinion raising significant concerns about the European Commission's proposed Digital Omnibus regulation, which aims to simplify the EU's digital legislative framework but may inadvertently weaken privacy protections and create new compliance challenges for businesses operating across the bloc.
The Digital Omnibus proposal, formally titled "Proposal for a Regulation as regards the simplification of the digital legislative framework," seeks to streamline various digital regulations by consolidating and harmonizing rules across different sectors. However, the EDPB-EDPS joint opinion 2/2026, published on March 4, 2025, warns that the proposed changes could undermine the fundamental principles of data protection established under the General Data Protection Regulation (GDPR).
Key Privacy Concerns Identified
The joint opinion highlights several critical areas where the Digital Omnibus proposal could potentially weaken existing privacy safeguards:
Consent Mechanisms and User Control
The EDPB and EDPS express concern that the proposal might dilute the strict consent requirements established under GDPR. The current framework requires explicit, informed consent for data processing activities, but the Digital Omnibus could introduce more flexible interpretations that might reduce user control over personal data.
"The simplification of consent mechanisms must not come at the expense of user autonomy and data protection rights," the opinion states. "Any relaxation of consent requirements could create loopholes that undermine the fundamental purpose of data protection legislation."
Data Processing Limitations
The joint opinion warns that the proposal's approach to data processing limitations could create ambiguity around what constitutes legitimate processing purposes. This uncertainty could lead to inconsistent application of data protection rules across different EU member states, potentially creating a fragmented regulatory landscape rather than the harmonization the proposal intends to achieve.
Cross-Border Data Transfers
Another significant concern relates to the proposal's treatment of international data transfers. The EDPB-EDPS warns that simplified mechanisms for cross-border data flows could weaken the safeguards currently in place to protect EU citizens' data when transferred to third countries.
Impact on Businesses and Compliance
While the European Commission positions the Digital Omnibus as a measure to reduce regulatory burden, the EDPB-EDPS opinion suggests it could create new compliance challenges for businesses:
Increased Legal Uncertainty
Rather than simplifying the regulatory landscape, the proposed changes could introduce new areas of legal uncertainty. Businesses may face challenges in interpreting and implementing the revised rules, potentially leading to inconsistent compliance practices across the EU.
Resource Allocation Challenges
The opinion notes that businesses may need to invest additional resources in legal consultations and compliance measures to navigate the potentially ambiguous provisions of the revised framework. This could offset any intended cost savings from regulatory simplification.
Sectoral Variations
The joint opinion emphasizes that different sectors may be affected differently by the proposed changes. Industries that handle sensitive personal data, such as healthcare and financial services, may face particular challenges in adapting to the revised framework while maintaining adequate privacy protections.
Recommendations from EDPB-EDPS
In response to these concerns, the EDPB and EDPS have made several recommendations to the European Commission:
Preservation of Core Privacy Principles
The joint opinion strongly recommends that any simplification efforts must preserve the core principles of data protection, including purpose limitation, data minimization, and user consent requirements. The fundamental rights of individuals should not be compromised in the pursuit of regulatory efficiency.
Clear Legal Definitions
To avoid ambiguity and ensure consistent application across member states, the EDPB-EDPS recommends that the proposal include clear, unambiguous definitions of key concepts and processing activities. This would help businesses understand their obligations and reduce the risk of inconsistent interpretations.
Enhanced Safeguards for Sensitive Data
The opinion calls for enhanced safeguards specifically for processing sensitive personal data, including health information, biometric data, and financial records. Any simplification measures should not weaken the protections currently afforded to these categories of data.
Stakeholder Consultation
The EDPB-EDPS recommends that the European Commission conduct more extensive consultations with data protection authorities, industry representatives, and civil society organizations before finalizing the proposal. This would help identify potential unintended consequences and ensure that the revised framework adequately addresses the needs of all stakeholders.
Timeline and Next Steps
The European Commission is expected to review the EDPB-EDPS joint opinion as part of the legislative process for the Digital Omnibus proposal. The feedback from these key EU institutions will likely influence the final shape of the regulation.
Data protection authorities across the EU are closely monitoring the development of this proposal, as it could have significant implications for how personal data is processed and protected throughout the European Union. Businesses operating in multiple EU member states should prepare for potential changes to their compliance frameworks, regardless of the final outcome.
Broader Context: EU Digital Strategy
The Digital Omnibus proposal is part of the European Union's broader digital strategy, which aims to create a more integrated and competitive digital single market. However, this initiative must balance the goals of regulatory simplification with the EU's strong commitment to protecting individual privacy rights.
The joint opinion from EDPB and EDPS underscores the ongoing tension between regulatory efficiency and privacy protection in the digital age. As the EU continues to develop its digital framework, finding the right balance between these competing priorities remains a central challenge.
For individuals, the outcome of this legislative process will determine the level of control they maintain over their personal data in an increasingly digital economy. For businesses, it will shape the compliance landscape and potentially influence their data processing practices across the European Union.
The EDPB-EDPS joint opinion serves as a crucial checkpoint in the legislative process, ensuring that privacy considerations remain at the forefront of efforts to modernize and simplify the EU's digital regulatory framework.
Comments
Please log in or register to join the discussion