Aligning GDPR Breach Notification Thresholds: A Proportionate and Coherent Reform

The General Data Protection Regulation (GDPR) was conceived as a risk-based framework designed to promote accountability, safeguard fundamental rights, and encourage responsible data practices across the European Union. Among its key mechanisms are the obligations imposed on data controllers in the event of a personal data breach. At present, however, a structural inconsistency exists between Articles 33 and 34 of the Regulation, requiring organisations to apply two distinct risk thresholds when determining whether to notify Supervisory Authorities and affected individuals. The Digital Omnibus proposal seeks to resolve this inconsistency by raising the notification threshold in Article 33 from “risk” to “high risk,” thereby aligning it with the threshold already established under Article 34.

The proposed amendment represents a proportionate and pragmatic refinement of the GDPR’s breach notification regime. It not only simplifies compliance and enhances legal certainty for organisations, but also alleviates unnecessary administrative burdens on Supervisory Authorities and reinforces the Regulation’s underlying commitment to a risk-based approach. Far from diminishing protections for individuals, this proposed reform strengthens them by enabling regulators to prioritise breaches that present a genuine threat to rights and freedoms. Nevertheless, as the proposal remains subject to the legislative process, continued vigilance is warranted to ensure that this refinement is retained in the final text.

The Current Legal Framework and Its Practical Consequences

Under the GDPR in its current form, Article 33 requires data controllers to notify the relevant Supervisory Authority of a personal data breach unless it is “unlikely to result in a risk” to the rights and freedoms of natural persons. In practical terms, this establishes a relatively low threshold for notification: where any degree of risk is present, notification is typically deemed prudent or necessary. By contrast, Article 34 obliges controllers to notify affected data subjects only where the breach is “likely to result in a high risk” to their rights and freedoms.

This divergence creates a situation in which controllers must conduct two parallel assessments of the same incident, applying distinct conceptual standards. A breach may be judged sufficiently risky to require notification to a Supervisory Authority, yet insufficiently serious to warrant notification to individuals. The resulting interpretive complexity encourages defensive decision-making, with many controllers opting to notify regulators even in cases of marginal or theoretical risk in order to avoid compliance disputes.

Such cases often involve what might be described as “low-grade” or administrative breaches: emails sent to incorrect recipients, postal correspondence delivered to the wrong address, or minor technical errors exposing very limited data for brief periods. These incidents typically present negligible likelihood of harm, particularly where swift mitigation occurs. Nonetheless, the prevailing interpretation of Article 33 has encouraged systematic reporting of such events, generating significant notification volumes across Member States.

The administrative implications are considerable. Each notification, irrespective of its materiality, requires intake, review, and, in many cases, correspondence or clarification. Supervisory Authorities are therefore required to expend scarce regulatory resources processing incidents that pose little or no real-world risk to individuals. The cumulative effect is a system that is procedurally active, yet often substantively inefficient.

The Digital Omnibus Proposal: Toward a Single Risk Standard

The Digital Omnibus proposal addresses this imbalance by amending Article 33 so that notification to Supervisory Authorities would be required only where a breach presents a “high risk” to individuals’ rights and freedoms. This revision would bring Article 33 into alignment with Article 34, replacing the dual-threshold structure with a single, coherent standard.

The legal consequences of such alignment are significant. Controllers would no longer be required to distinguish between “risk” and “high risk” thresholds when determining whether to notify regulators and affected individuals. Instead, a unified assessment would apply across both obligations. This enhances the internal coherence of the GDPR, reduces interpretive ambiguity, and ensures that notification processes are grounded in a consistent conceptual framework.

Crucially, the reform does not eliminate the duty to notify serious breaches. High-risk incidents—such as those involving special-category data, heightened vulnerability, identity-theft risk, financial exposure, or large-scale disclosure—would continue to trigger notification obligations. The proposal therefore rebalances the framework rather than diluting it.

Proportionality, Legal Certainty, and Regulatory Efficiency

The principal merits of the proposed reform can be understood across three interrelated dimensions: proportionality, legal certainty, and regulatory efficiency.

First, the change reinforces the GDPR’s foundational commitment to proportionality and risk-based regulation. Not all breaches are equal in nature, scope, or impact. A regime that compels the reporting of low-risk administrative errors risks conflating trivial incidents with materially harmful events. By reserving notification for circumstances in which high risk is present, the amendment ensures that regulatory and organisational resources are directed toward incidents where individuals’ interests are meaningfully at stake. This approach is more closely aligned with the normative logic of the Regulation, which emphasises context, severity, and likely consequences.

Second, the reform enhances legal certainty for organisations. The distinction between “risk” and “high risk” is conceptually subtle yet operationally consequential. In practice, organisations have frequently found the dual-threshold structure difficult to interpret, leading to conservative reporting practices. A single, clearly articulated standard reduces ambiguity, simplifies internal assessment processes, and supports greater consistency in decision-making. Legal certainty of this kind promotes better compliance outcomes by allowing controllers to focus on substantive risk evaluation rather than on navigating technical wording distinctions.

Third, the amendment alleviates unnecessary administrative burdens on Supervisory Authorities, enhancing regulatory efficiency. Current practice obliges regulators to process large volumes of notifications that provide limited regulatory value and do little to advance the protection of personal data. By filtering out low-risk incidents, the proposal would enable authorities to concentrate on serious breaches, systemic failings, and emerging threats. This reallocation of attention strengthens, not weakens, regulatory oversight by allowing resources to be applied where they yield the greatest public-interest benefit.

Documentation Obligations as an Ongoing Safeguard

Importantly, the proposed change does not remove transparency or accountability from the breach management process. Article 33(5) GDPR continues to require controllers to document all personal data breaches, irrespective of whether they are notified to a Supervisory Authority or to affected individuals. This record must contain the facts relating to the breach, its effects, and the remedial action taken.

As a result, even where a breach is assessed as low risk and therefore not notified under the revised threshold, it remains subject to retrospective regulatory scrutiny. Supervisory Authorities retain the ability to verify compliance through complaint-handling, audits, or inspections by examining the controller’s breach register and assessing whether its risk assessment and decision not to notify were justified. The same documentation may also be reviewed where a data subject raises concerns about a breach that they were not notified about.

This continuing obligation functions as a substantive safeguard: it preserves accountability, ensures that low-risk breaches are neither ignored nor concealed, and maintains the institutional capacity of Supervisory Authorities to oversee organisational compliance notwithstanding the reduced volume of formal notifications.

A Positive but Unsettled Development

The alignment of Articles 33 and 34 should be understood as an evolutionary rather than revolutionary development within the GDPR framework. It retains the commitment to transparency and accountability while recalibrating the regime to better reflect practical experience accumulated since the Regulation entered into force. In that sense, the proposal exemplifies regulatory learning: policy refinement informed by empirical realities and operational feedback.

However, it is essential to acknowledge that the Digital Omnibus proposal remains under negotiation and may be subject to amendment or reinterpretation before adoption. Stakeholders who recognise the benefits of this reform should therefore remain attentive to the legislative process and engaged in ongoing policy discussion. Until any amendment enters into force, the existing Article 33 standard continues to govern breach notification practice.

Conclusion

Raising the Article 33 breach notification threshold from “risk” to “high risk,” thereby aligning it with Article 34, represents a measured and intellectually coherent refinement of the GDPR’s breach notification architecture. The proposal enhances legal certainty for organisations, promotes proportionality in regulatory obligations, and reduces administrative burdens on Supervisory Authorities, enabling them to prioritise incidents that genuinely endanger individuals’ rights and freedoms. At the same time, the continuing obligation under Article 33(5) to document all breaches ensures that accountability and regulatory oversight remain intact, even when notification is not required.

The change deserves support as a pragmatic step toward a more balanced and risk-sensitive data protection regime. Yet it remains contingent upon the legislative outcome, and those who welcome the proposal should continue to monitor its progress to ensure that this alignment of thresholds is preserved in the final text of the Digital Omnibus package.

03 February, 2026