Discussions on the Digital Omnibus are advancing rapidly, but it is clear that they raise serious concerns for organisations crying out for reduced regulatory burden and more legal certainty.
The Council Presidency compromise discussed at the Antici Group (Simplification) on 27 February suggests a clear shift in how GDPR simplification may ultimately be delivered. Whilst an unofficial copy of the compromise text has become available, the discussion itself was not public. We can only assume for now that Member State positions have not yet been finalised at the technical level.
The most structurally significant change concerns how GDPR simplification is to be handled in practice. Whether the evolution of the text at the Council enhances operational efficiency or perpetuates further uncertainty is now the central question.
As an example, on the definition of personal data, the Commission proposed clarifying the concept of “identifiability” directly in Article 4 GDPR. The Presidency compromise text removes that in its entirety and instead places future clarification in the hands of the EDPB through supervisory instruments. Also, whilst several elements aimed at reducing the regulatory burden remain on the table, such as amending the breach notification threshold and EU-level DPIA harmonisation, the Presidency text removes any legal clarification by way of Commission implementing acts and instead gives sole responsibility to the EDPB for creating breach notification and DPIA templates.
So, no legal clarification, instead controllers must rely on more output from the EDPB, a body that tacitly acknowledges in its 2025 Helsinki Statement that its guidance in the past may have lacked clarity and practical usefulness.
Other proposed amendments to the legally binding parts of GDPR, such as the need for objective clarity on the ability of controllers to deal with abusive access requests, have also been considerably diluted in the compromise text. Missing the opportunity to develop a text which remains meaningful as a protector of fundamental rights but which also acknowledges the difficult burden and conflicting obligations placed on controllers, is regrettable.
All of this risks burdening controllers with more of the same, fragmented interpretation by multiple independent authorities rather than legal certainty. It is essential that simplification is not merely acknowledged as an objective but delivered in binding legislative text. Unfortunately, the Presidency approach, following on from the recent joint opinion of the EDPB/S, largely maintains the existing model, in which clarity depends on supervisory interpretation and guidance.
If the Omnibus is intended to reduce compliance burden through greater legal certainty, it must be more ambitious than the current Presidency compromise text. Otherwise, the reform risks preserving the very interpretative uncertainty it set out to address.
03 March, 2026
Rond Point Schuman 6 | Box 5
1040 Brussels | Belgium
info@privacynext.eu
Copyrights © 2026 PrivacyNext.eu | Privacy Policy | Cookie Policy Webdesign & Development by ALYS
