The European Commission’s Digital Omnibus proposal comes at a time of several policy priorities being asserted by, and upon, the EU. Competitiveness, simplification, better enforcement, increased cooperation, and more efficiency are all priorities going forward. As with any reform process, the priorities being pursued are not always mutually compatible and there are concerns that the proposals will diminish the current levels of protection offered by GDPR.
In the eight years the regulation has been in force, the governance framework promised by GDPR has revealed serious fault lines which need to be addressed. The practical realities of the GDPR framework are under significant stress in relation to operability, effectiveness, and consistency. The current reform process is an opportunity to recalibrate the system that has evolved from GDPR in order to ensure the fundamental right to data protection is realised, as set out in Article 8 of the Charter of Fundamental Rights of the EU.
A key issue in the current debate about reform is data subject access requests (DSARs). Article 8 of the Charter is clear: “Everyone has the right of access to data that has been collected about him or her …”. Ensuring individuals retain control over their data is a critical component of data protection. Equally, the framework allows for limitations on how fundamental rights are exercised. Limitations are to be circumscribed to ensure they are “necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others” (Article 52 Charter).
At the heart of this debate on access rights lies a fundamental tension: how can the EU maintain the constitutional character of data protection, anchored in transparency, accountability, and individual control, while addressing the realities of a digital ecosystem defined by scale, automation, and complexity? The proposals in the Digital Omnibus call for proportionate limitations on DSARs, thereby ensuring that GDPR enforcement remains both effective and sustainable.
The recent joint opinion of the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) on the Digital Omnibus questions the Commission’s proposals on the right of access. The joint opinion insists that access rights should not be limited except for a very narrow conception of abuse linked to harm to the controller. But if the current system is already overburdened to the point where its effectiveness is in question, how can proportional limitations be rejected?
DSAR is a right recognised in the Charter and GDPR. In neither case is it framed as an absolute right. Awareness and control over data are foundational to data protection but providing an unfettered right for any data subject to make a request to any organisation, public and private, impedes the ability of the GDPR framework to be an effective regulatory system. As Lynskey explains, “a key concern is that EU data protection has become the law of everything applied to everyone, putting compliance with the legal framework, and those charged with its enforcement, under strain.”
A current case before the CJEU, Case C-526/24 (Brillen Rottler), exemplifies this strain. In these circumstances an individual living in Austria, voluntarily subscribed to a newsletter from Brillen Rottler, an organisation in Germany, and then fifteen days later submitted a DSAR under article 15 GDPR. Brillen Rottler rejected the request under Article 12(5) GDPR. The individual maintained the request and further brought a claim for compensation on the basis that article 15 provides data subjects with an unconditional right of access. The Advocate-General in this case has presented an opinion suggesting that limitations on DSARs should be very few and that the data controller bears a high burden of demonstrating that any DSAR is abusive or excessive. Equally, the AG concludes that a controller can refuse a request, taking into account all relevant circumstances, by showing that the data subject has an “abusive intention”. But the AG rejects the claim that if there is a public record that a data subject makes similar claims in a large number of cases, this fact alone cannot be viewed as excessive. The competing concerns in this case demonstrate a need for a more workable approach to DSARs.
The debate surrounding the Commission’s proposed DSAR reforms exposes a deeper structural tension between the idealism of a rights-driven legal framework and the practical constraints of administering those rights. The GDPR was drafted with a constitutional ambition to give individuals meaningful control over their personal data, but it now operates in an environment where unrealistic expectations are overburdening data controllers and supervisory authorities. face chronic resource constraints. The Digital Omnibus provides the opportunity to discuss how best to recalibrate. The long-term health of GDPR enforcement depends on a technical, organisational, and regulatory infrastructure that allows DSARs to be handled efficiently without compromising their substance. Seeking to provide clearer procedural rules, rather than unfettered access, can contribute to this goal.
Both data controllers and regulators are facing ever growing demands from data subjects. As a recent study by the EU Fundamental Rights Agency has shown, the increasing number of complaints is preventing regulators from carrying out their other responsibilities under the GDPR. On the current course, this will prevent regulators from engaging in situations where time and resources would be better spent than addressing complaints from data subjects about claims that data controllers are not respecting the perceived unlimited right of access.
Further, the EDPB should also give consideration to revising its current guidance on access rights where currently an access request cannot be deemed excessive even if no reasons for the request are given, improper language is used, and the data subject intends to file further claims (para. 109). These parameters are an invitation to overburden the system. At the very least, the EU should try to have a data protection system that respects basic civility and EU values.
Ultimately, the future of GDPR enforcement will be shaped by how well the EU can maintain the constitutional character of data protection while adapting to the realities of a data-intensive society. A rights framework that is impossible to administer at scale is a rights framework that will fail in practice.
20 February 2026
Rond Point Schuman 6 | Box 5
1040 Brussels | Belgium
info@privacynext.eu
Copyrights © 2026 PrivacyNext.eu | Privacy Policy | Cookie Policy Webdesign & Development by ALYS
