On February 11, 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) (jointly, the Authorities) issued a Joint Opinion on the European Commission’s proposed Digital Omnibus Regulation (Digital Omnibus). This follows their Joint Opinion of January 20, 2026 on the Digital Omnibus on AI.
The Digital Omnibus, as with the other “omnibuses” released by the Commission, aims to streamline several EU laws, reduce administrative burdens for covered entities, and enhance competitiveness in the EU. Once adopted, it should reshape how organizations handle personal data generally, including in relation to AI development, scientific research, and incident reporting. The Authorities welcome efforts to simplify and to promote consistent interpretations of key concepts found in the GDPR, the ePrivacy Directive, the NIS2 Directive, and the remaining Data Acquis. At the same time, they caution that this initiative launched by the Commission must not weaken fundamental rights protections, including data protection.
1. Revised definition of personal data
2. Allowances for AI development and deployment
- clearer conditions, including an explicit reference to the GDPR three-step test for applying the legitimate interest condition, avoiding vague terms such as “where appropriate,” and defining what “operation” of an AI system means;
- reinforcing the standard Article 21 GDPR right to object and clearly communicating it to individuals early on; and
- requiring “enhanced transparency” to give individuals more information than normally required by the GDPR.
- adding “incidental and residual” to the operative text, clarifying that the derogation does not extend to prompts during deployment, requiring documented assessments, and preventing re-use of the data for other purposes; and
- clearer guidance on how this derogation interacts with the separate Digital Omnibus proposal on AI, which would add a rule to the AI Act allowing special category data to be used for bias detection and correction.
3. Clearer rules for “scientific research” activities
- making the definition more precise to ensure its consistent application across the EU;
- clarifying that scientific research should follow a systematic method, be carried out independently and lead to transparent, verifiable results; and
- moving references to innovation or commercial interests into the recitals, as these should not determine whether an activity qualifies as scientific research.
They also support clarifying that processing for scientific research can rely on legitimate interest under Article 6(1)(f) GDPR, provided all conditions of that legal basis and other GDPR requirements are met, while noting that in some cases another Article 6(1) basis may be more appropriate.
They welcome the clarification that further processing for scientific research may be compatible with the original purpose but call for clearer rules on when/if a new legal basis is required.
4. Expanded exemptions to data subjects’ rights
They support efforts to clarify how to handle misuse of access rights but caution that “abuse” should not depend on a person’s motives. Instead, it should be based on clear signs of bad faith. They recommend maintaining the current high threshold for refusing requests, avoiding language that treats broad requests as excessive, giving individuals an opportunity to clarify their request, and allowing regulators to refuse clearly abusive complaints under the same conditions as controllers.
They also welcome efforts to simplify information duties when individuals already have the information. However, they warn that the current wording is too vague, including references to a “clear and circumscribed relationship” or a “not data intensive activity,” and may create confusion. They call for clearer conditions and for ensuring that individuals can still request full information when needed.
5. Updated cookie rules
They warn that splitting rules between the GDPR and the ePrivacy Directive may create confusion, so clearer boundaries and stronger security safeguards are needed. They also call for consistent application of the new standards by browsers and other software, the introduction of consent renewal safeguards, and explicit enforcement powers for supervisory authorities.
6. EU-wide data breach template and notification platform
7. Harmonized data protection impact assessment (DPIA) guidance and template
Next Steps
The Joint Opinion is not binding, but the European Commission, Parliament, and Council are expected to take it into account in the context of negotiations on the Digital Omnibus Regulation. Next, the Parliament and Council will each set out their positions. In the Parliament, two committees are working together and have already appointed rapporteurs to lead the file. Once the Parliament adopts its position and the Council is able to agree theirs, they will enter negotiations among themselves and with the Commission to seek a final compromise text. If endorsed, this text will then be formally adopted and published in the Official Journal of the EU before entering into force.
* * *
The Covington team is closely monitoring the Digital Omnibus package and its potential impact on organizations. Please reach out to a member of the team if you would like to discuss these developments or need assistance.