Skip to content

Menu

Network by SubjectChannelsBlogsHomeAboutContact
AI Legal Journal logo
Subscribe
Search
Close
PublishersBlogsNetwork by SubjectChannels
Subscribe

EU Regulators Issue Opinion on Revisions of GDPR and Other Data Laws

By Dan Cooper, Kristof Van Quathem & Anna Oberschelp de Meneses on February 12, 2026
Email this postTweet this postLike this postShare this post on LinkedIn

On February 11, 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) (jointly, the Authorities) issued a Joint Opinion on the European Commission’s proposed Digital Omnibus Regulation (Digital Omnibus). This follows their Joint Opinion of January 20, 2026 on the Digital Omnibus on AI.

The Digital Omnibus, as with the other “omnibuses” released by the Commission, aims to streamline several EU laws, reduce administrative burdens for covered entities, and enhance competitiveness in the EU. Once adopted, it should reshape how organizations handle personal data generally, including in relation to AI development, scientific research, and incident reporting. The Authorities welcome efforts to simplify and to promote consistent interpretations of key concepts found in the GDPR, the ePrivacy Directive, the NIS2 Directive, and the remaining Data Acquis. At the same time, they caution that this initiative launched by the Commission must not weaken fundamental rights protections, including data protection.

Below is an overview of the Authorities’ positions. It covers only the key amendments discussed in our previous blog post on the Digital Omnibus.

Link to 1.      Revised definition of personal data 1.      Revised definition of personal data

Disagree. The Authorities strongly oppose the proposed changes to the definition of personal data. They assert that the amendments go far beyond a targeted adjustment, contradict CJEU case law, and would significantly narrow the concept of personal data. They also reject giving the Commission the power, through implementing acts, to decide when pseudonymized data would no longer qualify as personal data.

Link to 2.      Allowances for AI development and deployment 2.      Allowances for AI development and deployment

Partially agree. The Authorities accept that legitimate interests may, in some cases, serve as a legal basis for developing and operating AI models. They also note that this is already possible under the GDPR and does not require a new article. If the provision is retained, they recommend:

  • clearer conditions, including an explicit reference to the GDPR three-step test for applying the legitimate interest condition, avoiding vague terms such as “where appropriate,” and defining what “operation” of an AI system means;
  • reinforcing the standard Article 21 GDPR right to object and clearly communicating it to individuals early on; and
  • requiring “enhanced transparency” to give individuals more information than normally required by the GDPR.

The Authorities generally support a narrow derogation to cover incidental and residual processing of special category data during AI training, testing, and validation, where deletion is impossible or would involve disproportionate effort, provided robust safeguards apply. However, they recommend:

  • adding “incidental and residual” to the operative text, clarifying that the derogation does not extend to prompts during deployment, requiring documented assessments, and preventing re-use of the data for other purposes; and
  • clearer guidance on how this derogation interacts with the separate Digital Omnibus proposal on AI, which would add a rule to the AI Act allowing special category data to be used for bias detection and correction.

Link to 3.      Clearer rules for “scientific research” activities 3.      Clearer rules for “scientific research” activities

Partially agree. The Authorities support creating a single, clear definition of “scientific research,” but recommend:

  • making the definition more precise to ensure its consistent application across the EU;
  • clarifying that scientific research should follow a systematic method, be carried out independently and lead to transparent, verifiable results; and
  • moving references to innovation or commercial interests into the recitals, as these should not determine whether an activity qualifies as scientific research.

They also support clarifying that processing for scientific research can rely on legitimate interest under Article 6(1)(f) GDPR, provided all conditions of that legal basis and other GDPR requirements are met, while noting that in some cases another Article 6(1) basis may be more appropriate.

They welcome the clarification that further processing for scientific research may be compatible with the original purpose but call for clearer rules on when/if a new legal basis is required.

Link to 4.      Expanded exemptions to data subjects’ rights 4.      Expanded exemptions to data subjects’ rights

Partially agree. The Authorities support introducing a limited exemption from transparency rules for scientific research. But they recommend adding “where and insofar” to clarify that the exemption is applied narrowly to when giving the information is impossible or would seriously hinder the research.

They support efforts to clarify how to handle misuse of access rights but caution that “abuse” should not depend on a person’s motives. Instead, it should be based on clear signs of bad faith. They recommend maintaining the current high threshold for refusing requests, avoiding language that treats broad requests as excessive, giving individuals an opportunity to clarify their request, and allowing regulators to refuse clearly abusive complaints under the same conditions as controllers.

They also welcome efforts to simplify information duties when individuals already have the information. However, they warn that the current wording is too vague, including references to a “clear and circumscribed relationship” or a “not data intensive activity,” and may create confusion. They call for clearer conditions and for ensuring that individuals can still request full information when needed.

Link to 5.      Updated cookie rules 5.      Updated cookie rules

Partially agree. The Authorities welcome efforts to reduce consent fatigue and support allowing people to express their choices through automated and machine-readable signals. They recommend tightening the rules by keeping consent exemptions strictly limited and necessary (while supporting a narrow exemption for contextual advertising), allowing subsequent processing of data to rely on the same legal basis as applied to the original storing and accessing of the data when the purpose is the same, and ensuring that new exceptions such as audience measurement and security are strictly defined and used only when necessary.

They warn that splitting rules between the GDPR and the ePrivacy Directive may create confusion, so clearer boundaries and stronger security safeguards are needed. They also call for consistent application of the new standards by browsers and other software, the introduction of consent renewal safeguards, and explicit enforcement powers for supervisory authorities.

Link to 6.      EU-wide data breach template and notification platform 6.      EU-wide data breach template and notification platform

Partially agree. The Authorities support raising the notification threshold for personal data breaches that are “high risk,” extending the deadline from 72 to 96 hours, and creating an EEA wide single-entry point for breach notifications. They encourage greater harmonization across the EU’s various incident reporting regimes, some of which require notification within as little as 24 hours, to avoid inconsistent obligations and to support the effectiveness of the single-entry point system. They caution against giving the Commission the power to revise the EDPB breach notification template and the accompanying risk list, which is the list of criteria used to assess whether a breach is likely to result in a high risk to individuals. Instead, they recommend that the EDPB prepare and approve these documents to ensure independence and consistency.

Link to 7.      Harmonized data protection impact assessment (DPIA) guidance and template 7.      Harmonized data protection impact assessment (DPIA) guidance and template

Partially agree. The Authorities support EU-wide harmonization of DPIA lists to give organizations clearer guidance on when a DPIA is required and to reduce compliance burdens. They support giving the EDPB the role of preparing these lists but caution against allowing the Commission to modify them unilaterally, recommending that the EDPB approve the lists to preserve independence. They also welcome plans for a common DPIA template and methodology, but stress that the methodology should remain practical and flexible rather than a rigid checklist, and that it should be developed by the EDPB.

Link to Next Steps Next Steps

The Joint Opinion is not binding, but the European Commission, Parliament, and Council are expected to take it into account in the context of negotiations on the Digital Omnibus Regulation. Next, the Parliament and Council will each set out their positions. In the Parliament, two committees are working together and have already appointed rapporteurs to lead the file. Once the Parliament adopts its position and the Council is able to agree theirs, they will enter negotiations among themselves and with the Commission to seek a final compromise text. If endorsed, this text will then be formally adopted and published in the Official Journal of the EU before entering into force.

*                            *                                  *

The Covington team is closely monitoring the Digital Omnibus package and its potential impact on organizations. Please reach out to a member of the team if you would like to discuss these developments or need assistance.

Photo of Dan Cooper Dan Cooper

Daniel Cooper heads up the firm’s growing Data Privacy and Cybersecurity practice in London, and counsels clients in the information technology, pharmaceutical research, sports and financial services industries, among others, on European and UK data protection, data retention and freedom of information laws…

Daniel Cooper heads up the firm’s growing Data Privacy and Cybersecurity practice in London, and counsels clients in the information technology, pharmaceutical research, sports and financial services industries, among others, on European and UK data protection, data retention and freedom of information laws, as well as associated information technology and e-commerce laws and regulations. Mr. Cooper also regularly counsels clients with respect to Internet-related liabilities under European and US laws. Mr. Cooper sits on the advisory boards of a number of privacy NGOs, privacy think tanks, and related bodies.

Read more about Dan Cooper
Show more Show less
Photo of Kristof Van Quathem Kristof Van Quathem
Read more about Kristof Van Quathem
  • Posted in:
    Privacy & Data Security
  • Blog:
    Inside Privacy
  • Organization:
    Covington & Burling LLP
  • Article: View Original Source
LexBlog logo
Copyright © 2026, LexBlog. All Rights Reserved.
Legal content Portal by LexBlog LexBlog Logo