EU Watchdogs Push Back on Digital Omnibus Reforms * Science and Technology Times

Europe’s data protection authorities have issued a joint opinion rejecting several key elements of the European Commission’s proposed “Digital Omnibus” reforms.
Their assessment warns that the changes would weaken core GDPR protections, including the definition of personal data and the right of access.
The opinion represents a significant challenge to the Commission’s attempt to reshape EU privacy law under the banner of simplification.

Regulators Raise Concerns Over GDPR Redefinitions

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have jointly criticized the Commission’s Digital Omnibus proposal, arguing that several amendments would undermine fundamental GDPR principles. Their opinion highlights strong opposition to narrowing the definition of personal data under Article 4(1). According to the authorities, the proposed change goes far beyond a technical adjustment or a codification of existing case law. They warn that such a shift would significantly reduce the scope of data protection for EU residents.

The watchdogs also reject the Commission’s plan to expand its own powers by allowing it to determine what qualifies as pseudonymised data. This combination of changes could create new loopholes for companies seeking to avoid GDPR obligations. Regulators stress that the proposal risks weakening the legal framework rather than simplifying it. Their stance aligns with concerns raised by civil society groups and privacy advocates.

Max Schrems, a prominent privacy activist, noted that the authorities have clearly identified the proposals as limitations on data protection rights rather than administrative improvements. His comments reflect broader skepticism about the Commission’s framing of the reforms. Critics argue that the changes would primarily benefit large technology companies rather than small and medium‑sized EU businesses. The opinion adds further pressure on lawmakers to reconsider the direction of the Digital Omnibus.

AI Training and Access Rights Under Scrutiny

The joint opinion also addresses the Commission’s proposal to allow AI training based on legitimate interest. While the regulators do not reject the idea outright, they emphasize that the newly introduced Article 88c fails to clarify how such processing would work in practice. Companies would still need to conduct a full three‑step assessment to determine whether legitimate interest applies. Many unresolved issues surrounding the use of personal data for AI training remain unaddressed.

Another major point of contention is the proposed restriction of the right of access under Article 12(5). The Commission suggests limiting access requests to “data protection purposes,” which would exclude journalistic, research, political, economic and legal uses. Regulators argue that this would contradict established Court of Justice of the European Union (CJEU) case law. They acknowledge that clarifying rules on abusive requests may be appropriate, but insist that the current proposal goes too far.

The authorities also highlight that several other provisions lack clarity or depth. They note that while the Commission’s goals may be understandable, the drafting does not provide sufficient precision for practical implementation. Their feedback echoes earlier analyses from privacy organizations, which warned that the reforms could increase complexity rather than reduce it. The opinion suggests that the Digital Omnibus may create more uncertainty for businesses and regulators alike.

Next Steps for Lawmakers and the Commission

The EDPB and EDPS opinion now moves to the European Parliament and the Council, which must consider the recommendations as they shape their positions. Regulators hope lawmakers will remove proposals that cannot be meaningfully corrected and strengthen others that require clearer definitions. Their assessment signals that substantial revisions will be necessary before the Digital Omnibus can move forward. The Commission faces mounting pressure to justify the reforms and address concerns about weakened protections.

Some elements of the proposal were viewed as acceptable, but regulators caution that many changes would increase regulatory burden rather than streamline enforcement. They warn that the reforms could disproportionately benefit large non‑EU technology companies. This outcome would conflict with the Commission’s stated goal of reducing administrative overhead for European businesses. Lawmakers will need to balance simplification with the preservation of fundamental rights.

The debate over the Digital Omnibus reflects broader tensions in EU digital policy. Efforts to modernize data protection must contend with rapid technological change, growing AI adoption and geopolitical pressures. Regulators insist that any reform must maintain the GDPR’s core protections. Their opinion underscores the importance of ensuring that simplification does not come at the expense of user rights.