As previously reported, the European Commission’s so-called Digital Omnibus Package aims to simplify and harmonise the EU’s digital regulatory framework through targeted amendments to, among other things, the GDPR; see https://www.gulliksson.se/digital-omnibus-paketet-vad-betyder-det-i-praktiken-for-gdpr-cookies-och-ai/.
In a joint opinion (Joint Opinion 2/2026), the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have reviewed the proposal. While the authorities broadly welcome the simplification objective, they express clear criticism of certain elements, particularly regarding proposed changes to the definition of personal data.
Proposals affecting the core of the GDPR
The Digital Omnibus Package includes a proposal to refine the concept of personal data by placing greater emphasis on which actor processes the information and the specific means available to that actor to identify a natural person. In practice, this could mean that certain information would not be considered personal data for one actor, even though identification is possible further down the processing chain.
According to the EDPB and EDPS, this risks significantly reducing the scope of the GDPR. The authorities emphasise that the definition of personal data is a fundamental building block of EU data protection law and that even seemingly limited adjustments may have far-reaching consequences for the level of protection and legal certainty.
Criticism of regulation through implementing acts
The proposal also entails granting the Commission the power, through implementing acts, to determine when pseudonymised data should no longer be considered personal data for certain actors.
The EDPB and EDPS oppose this and argue that issues directly affecting the scope of the GDPR should not be regulated in this manner. Instead, they believe such matters should be addressed through guidance and case law, under the responsibility of supervisory authorities and courts.
Conclusions based on the criticism
The EDPB and EDPS underline that simplifications in the digital regulatory framework must not come at the expense of fundamental data protection principles. With regard to the definition of personal data and the effects of pseudonymisation, the authorities urge the EU legislator to reconsider the proposal in order to avoid increased legal uncertainty and a reduced level of protection for individuals.
The authorities’ criticism clearly indicates that the concept of “personal data” will, for the time being, continue to be interpreted restrictively in order to maintain a high level of protection. For data controllers, this means that the scope for structuring operations or data flows in a way that falls outside the GDPR is limited and carries risk. Already today, clear documentation, well-founded legal assessments and a proactive data strategy are required – particularly in the use of data and AI – and the ongoing regulatory developments are more likely to reinforce this need than reduce it. Data protection is therefore increasingly becoming a factor that influences which business decisions companies can make, not merely how compliance is achieved.
We at Gulliksson closely monitor developments relating to the Digital Omnibus Package and assist clients in data protection matters. Please do not hesitate to contact us if you have any questions or require advice.
-
Advokat, Senior Associate
+46 70 712 60 25
-
Partner, Office Manager Stockholm
+46 73 316 38 64
