Who Should Shape GDPR Interpretation? Legal Certainty Requires Law, Not Just Guidance

In the Digital Omnibus, the Commission has proposed using implementing acts for several reforms to ensure a more uniform application of the regulations in question. The February 2026 Joint Opinion of the European Data Protection Board and the European Data Protection Supervisor on the Digital Omnibus pushes back on this aspect of the Omnibus and recommends that the use of EDPB guidelines should remain the primary method for ensuring uniform implementation. The EDPB/S opinion raises a structural question that extends well beyond the specific amendments under discussion. Beneath technical observations regarding the best way to address templates, thresholds, and definitions lies a deeper discussion about how best to shape the ongoing implementation of EU data protection law.

Competing Institutional Approaches to Interpretation

This question matters because institutional competences and responsibilities in regulation have a significant impact on how laws are realised in practice. It is well documented that in the first eight years of GDPR, there has not been a coherent or consistent legal framework across the Single Market. As enforcement is largely driven by national data protection authorities with differing resources, priorities, and regulatory cultures, it has been difficult for organisations to always understand what is required.

The EDPB, established by GDPR, is empowered to ensure consistent application of EU data protection law in several ways, including monitoring the application of the Regulation, and through the issuing of guidelines, recommendations, and best practices. These measures are not legally binding, even though they have come to be seen by some stakeholders as highly authoritative, if not mandatory. What is clear is that the EDPB’s use of guidelines has not resulted in consistent application of GDPR. Dissatisfaction with the EDPB has been voiced by many, with particular concerns raised about the paucity of issued guidelines, the slow pace at which they are created, and the lack of practical advice.

The Commission’s proposal to make more use of implementing acts directly addresses these shortcomings in the current system, with a particular emphasis on building legal certainty. The Joint Opinion counters that the Commission is overstepping its institutional role, as the use of implementing acts, especially with regard to the definition of personal data, would allow the Commission to define the application of GDPR, effectively change the scope of the Regulation, and go beyond the Treaty limits regarding the use of implementing acts.

It is hard to see how the Commission would table a proposal to use implementing acts without checking the institutional competences and treaty limitations. Under Article 291 of the Treaty on the Functioning of the European Union, the Commission is empowered to adopt implementing acts where uniform conditions for implementing EU law are required. The EU legal system is based on Member States being responsible for implementing legal obligations. Article 291 TFEU is recognition that certain EU acts cannot function properly if they are implemented differently from one Member State to another. A more uniform interpretation of GDPR is needed. It would lead to a more effective realisation of the Regulation’s two primary objectives (Article 1, GDPR): the protection of personal data and the free flow of personal data.

The Joint Opinion argues that the proposed implementing acts would allow the Commission to determine the scope of GDPR, particularly regarding the definition of personal data. It argues that the proposed implementing acts would create legal uncertainty and potentially oversimplify complex, context-dependent assessments that have been developed by the EU courts and supervisory authorities.

The debate over the substance of the Digital Omnibus proposals will continue, but it is clear from the Joint Opinion that there is also an element of institutional competition in this debate. The Joint Opinion stresses that legal certainty can be achieved through GDPR’s existing governance framework, disagreeing with the Commission’s approach for bringing about more certainty. By warning against the Commission using implementing acts to define key concepts such as personal data or pseudonymisation, the EDPB is effectively asserting that uniform application should come from supervisory authorities acting collectively under the EDPB’s coordination. At the crux of the EDPB/S argument is “that it should be the competence of supervisory authorities, under the control of the competent courts, to apply the definitions of the GDPR in an independent manner”.

The Limits of Soft Law and Accountability

The emphasis on independent supervisory authorities is important in the regulatory sphere, as it ensures that bodies with enforcement and oversight powers are not subject to political pressure. Equally, such bodies are also constitutionally problematic in terms of accountability and transparency, key dimensions to realising legal certainty. The EDPB is not subject to parliamentary confirmation, budgetary scrutiny, or systematic political review, nor do its guidance documents undergo comitology or legislative oversight. As a result, the EDPB has evolved into a body that makes regulatory choices with significant economic and social consequences without the democratic checks normally associated with EU‑wide rule‑making.

At a more practical level, the lack of accountability for the EDPB raises issues of the body’s ability to deliver on its responsibilities, especially in relation to guidelines. The issuance of guidelines under GDPR is a critical dimension of the EU’s data protection system because they provide a primary means of ensuring a common interpretation and application of GDPR across all Member States. Organisations rely on the guidelines as a reference point, and courts have given guidelines significant normative weight. However, if guidelines have such substantial normative weight, it should be asked why the EDPB is not more proactive in issuing them, especially at a time of significant technological change that is reshaping how data protection is understood. It may be a question of an overburdening of the EDPB with responsibilities, as it also issues recommendations, best practices, and various opinions.

Guidelines remain the most prominent soft-law instrument used in the EU data protection system. Yet, organisations have been calling on the EDPB to significantly improve the system for producing and issuing guidelines. This would include producing more guidelines, making the guidance more relevant to actual practice, and subjecting the production of guidelines to a more inclusive and transparent process.

Legal certainty also suffers because such soft law instruments lack clear mechanisms of judicial control within the constitutional system. Legislative acts can be challenged directly before the EU and national courts, whereas judicial review of guidelines is possible only indirectly, through national enforcement actions, making legal challenges slow, fragmented, and uncertain. This results in the legal effect of guidelines accumulating without being tested against the limits of GDPR or the broader EU legal order. Where obligations stem from legislation, courts can assess their validity and proportionality in a structured way.

Recalibrating GDPR Governance

The Commission’s proposal to make use of an implementing act, in specific areas of the Digital Omnibus, provides a much more accountable legal approach. Article 291 TFEU provides the Parliament and Member States with elements of control over the Commission when it exercises implementing powers. Paragraph 3 requires the European Parliament and the Council, acting together through the ordinary legislative procedure, to lay down in advance the rules and general principles governing how Member States control the Commission in this context. The comitology process allows the Member States to express views on any proposed implementing act. This enables Member States to exercise collective control over how the Commission applies EU law in practice while supporting the role of national expertise and supporting uniformity in implementation across the EU.

Neither would the EDPB be excluded from the drawing up of proposals for implementing decisions involving data protection. Critically, it appears, the EDPB would not have an exclusive or priority position; its role would be to advise the Commission. Then the implementing act goes through the legislative process and, under Article 263 TFEU, implementing acts are subject to judicial review, unlike guidelines from the EDPB. The recent CJEU decision, WhatsApp Ireland (Case C-97/23), held that EDPB binding decisions can be challenged, as the EDPB’s actions have a direct legal effect on data controllers. This is an important development in ensuring institutional accountability, but the decision applies only to the EDPB’s binding decisions; it does not extend to the EDPB’s soft-law instruments. Legal certainty is never a complete process, as circumstances facing society change over time. Rules and responsibilities set out in legislation provide much greater clarity when compared to views, statements, or positions expressed by regulatory bodies. The Digital Omnibus proposals are not seeking to sideline the EDPB; rather, they are an effort to increase confidence and reliability in the data protection system. Still, the EDPB/S, in the Joint Opinion, feels the Commission is going too far in the proposals on the use of implementing acts and overstepping its institutional competence as set out in the EU legal system. The EDPB/S is seeking to preserve its primary position as the authoritative institution in data protection, even though these institutions remain disconnected from democratic or judicial accountability. A system in which an unelected body shapes interpretive norms through guidelines and other similar instruments risks concentrating authority outside the established legislative framework.

The EDPB is an important EU body, but it was created by secondary legislation and does not have the same status as institutions established and empowered by the EU treaties. The EDPB will continue to play an essential role, but it should not seek to block the constitutional hierarchy of norms regarding accountability in rulemaking. Soft law can play a supportive role in clarifying legislation, but it cannot become a substitute for democratically enacted rules. Legal certainty depends on the ability of individuals and organisations to trace their obligations back to legislative texts adopted through accountable processes. Similarly, democratic legitimacy requires that policy decisions with wide‑ranging effects be anchored in institutions subject to political scrutiny and judicial control.

Clarifying the non‑binding status of guidelines, introducing parliamentary scrutiny, expanding judicial review, and rebalancing authority toward national regulators are all mechanisms aimed at realigning data protection governance with constitutional principles. They seek to ensure that when new obligations are created or existing ones reshaped, this occurs through legislation rather than through the incremental accumulation of soft‑law interpretations.

The Digital Omnibus highlights a fundamental tension in EU data protection law between flexibility and legal certainty. The existing reliance on non-binding guidelines reflects a pragmatic attempt to manage complexity. Still, it also introduces a degree of unpredictability that is difficult to reconcile with the demands of legal certainty. A model that relies more heavily on Commission implementing acts, grounded in Article 291 TFEU, offers a more stable and legally certain framework. Such acts provide binding and uniform rules, are subject to judicial review, and rest on a clear foundation in EU primary law. While they must remain within the limits set by the Treaties and avoid encroaching on essential elements, they are better suited to delivering consistent and enforceable outcomes.