In a joint opinion, the European privacy regulators EDPB and EDPS have expressed serious concerns about key elements of the European Commission’s Digital Omnibus proposal. The authorities are particularly opposed to narrowing the definition of personal data and question the proposed changes regarding AI training and the right of access.
On November 19, 2025, the European Commission presented the Digital Omnibus package, a far-reaching proposal to amend the GDPR and the ePrivacy Directive, among other measures. The proposal is described as a simplification measure, but critics say it would mainly benefit large American tech companies. The Commission argues that the changes are necessary to reduce the administrative burden on EU companies and strengthen Europe’s competitive position in AI.
However, civil rights organizations have already issued warnings, and now the independent privacy watchdogs EDPB (European Data Protection Board) and EDPS (European Data Protection Supervisor) are adding their voices to the chorus. In their joint opinion, they make it clear that several proposals go beyond technical adjustments or simplification.
Narrowing of the definition of personal data rejected
The most striking point of criticism concerns the proposal to narrow the definition of personal data in Article 4(1) of the GDPR. According to the EDPB and EDPS, this change would “go far beyond a targeted amendment to the GDPR, a ‘technical amendment’ or a codification of case law of the EU Court of Justice.” The authorities thus confirm the concerns previously expressed by stakeholders.
In addition, the supervisory authorities reject the proposal to give the Commission greater authority to determine what constitutes pseudonymized personal data. Combined with the new definition of personal data, this would offer companies easy ways to avoid the scope of the GDPR.
AI training based on legitimate interest
The EDPB and EDPS take a more nuanced view of the proposal to allow AI training on the basis of legitimate interest. Although they are not opposed to it in principle, they emphasize that the newly proposed Article 88c offers little clarity. Companies would still have to conduct a three-step test to assess whether using legitimate interest as a legal basis is lawful.
Furthermore, many other key issues surrounding the use of personal data for AI training would not be resolved by the proposal. The proposed changes cover a wide range of EU digital legislation, but the practical implications remain unclear.
Restriction of right of access conflicts with case law
In its current form, the proposed amendment to Article 12(5) of the GDPR would restrict data subjects’ exercise of their right of access. The amendment would require that this right be used only for “data protection purposes.” This would likely exclude journalistic, research, political, economic, or legal purposes from access to one’s own personal data.
The authorities make it clear that such a restriction would conflict with existing case law of the European Court of Justice. However, they acknowledge that clarification is possible regarding the existing restrictions on the “abuse” of access rights.