The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have published their Joint Opinion (the Joint Opinion) on the European Commission’s Digital Omnibus Proposal (the Proposal). Following our earlier analysis (Part 1) of the Proposal itself, this article examines how key elements of the reform are viewed by these supervisory bodies.
For organisations, the Joint Opinion provides a clear signal of where the legislative debate is likely to intensify and which provisions may be revised during the parliamentary process.
Avoiding ‘Loopholes’ in the Identifiability Criteria
One of the most consequential aspects of the Digital Omnibus Proposal was its attempt to codify an “actor-specific understanding” of personal data, drawing on the Court of Justice of the European Union’s (CJEU) reasoning in EDPS v Single Resolution Board (C-413/23 P). Under the proposed wording, information would not qualify as personal data for an entity lacking means reasonably likely to identify the individual.
The EDPB and EDPS devote significant attention to this amendment. They emphasise that the definition of personal data lies “at the very core of EU data protection law” and criticise the Proposal for selectively codifying one element of a single judgment while disregarding the broader body of CJEU jurisprudence.
In particular, they take issue with the proposed clarification that data does not become personal “merely because” a subsequent recipient has identifying means. In EDPS v SRB, the CJEU confirmed that data may become personal when disclosed to any recipient capable of identification and, in such circumstances, may be personal both for the recipient and indirectly for the disclosing entity. The Joint Opinion considers the proposed wording inconsistent with that reasoning.
The EDPB further notes that it is preparing updated guidance on pseudonymisation and new guidance on anonymisation. In its view, the practical and legal questions raised by the EDPS v SRB judgment are better addressed through supervisory guidance than by amending the definition itself.
For these reasons, the EDPB and EDPS urge co-legislators not to adopt the proposed changes. For organisations, this suggests that existing GDPR-based identifiability assessments should remain unchanged while negotiations continue.
Defining the Boundaries of ‘Revenge’ DSARs
The Digital Omnibus Proposal sought to introduce greater flexibility for handling ‘revenge’ data subject access requests (DSARs). The Joint Opinion adopts a more cautious position. The supervisory authorities consider it problematic to link ‘abuse’ or ‘revenge’-like concepts to access requests made for purposes other than data protection. They recall that the right of access under the GDPR is not limited to verifying lawfulness and may be exercised for broader legitimate objectives.
Instead, the EDPB and EDPS recommend tying the concept of abusive requests to demonstrable abusive intent, such as a clear intention to cause harm. They also oppose characterising ‘overly broad’ requests as excessive. Any refusal should be based on an objective assessment, properly documented, and preceded by an opportunity for the data subject to clarify the request.
For organisations, this signals that flexibility in refusing DSARs will remain tightly circumscribed and subject to careful evidentiary standards.
Balancing Test Remains Central for AI and Legitimate Interest
The Proposal’s recognition of AI model development and operation as a potential legitimate interest was one of the most practically significant elements discussed in Part 1. In their Joint Opinion, the EDPB and EDPS make clear that this must remain firmly anchored in Art. 6 para. 1 lit. f GDPR and its strict balancing-test requirements.
Specifically, they call for explicit and proactive information to be provided to data subjects about their ‘unconditional right to object’, where possible before processing begins, given the technical challenges of removing personal data once embedded in AI systems. They also request a clearer definition of the scope of this right.
Moreover, the Joint Opinion emphasises that mitigating measures invoked to justify legitimate interest, including enhanced transparency, must go beyond the standard requirements of Arts. 13 and 14 GDPR and must not be conflated with existing compliance obligations.
For organisations, this signals that AI development based on legitimate interest will remain subject to heightened scrutiny, robust documentation and strengthened rights-management frameworks.
Green Light for New Breach Notification Threshold
The Proposal suggested raising the notification threshold under Art. 33 para. 1 GDPR so that only personal data breaches that are likely to result in a high risk to the rights and freedoms of individuals would need to be reported to supervisory authorities. In contrast to many other elements of the reform, the EDPB and EDPS expressly support this amendment. They consider that increasing the threshold is not expected to substantially affect the level of protection for data subjects, while significantly reducing the administrative burden on controllers. For organisations, this signals welcome procedural relief.
Conclusion
The Joint Opinion confirms that the Digital Omnibus Proposal will be subject to careful scrutiny. While the supervisory authorities support the objective of simplification, they emphasise continuity of core GDPR principles and safeguards.
For organisations, the Joint Opinion offers valuable insight into where amendments may occur and underscores the importance of maintaining robust compliance frameworks while the legislative process continues.