This year is set to be pivotal for the EU’s agenda on law enforcement cooperation and data privacy. There are numerous reviews of existing legislation, and potentially new legislative proposals, on law enforcement cooperation and data flows.
The second review report on the Law Enforcement Directive is due 6 May 2026. The evaluation report and possible legislative proposal for the Europol Regulation is expected before July, 2026. The Commission is also preparing a legislative proposal for a revised Eurojust Regulation later in 2026. Also, before the end of 2026, the Commission is expected to deliver a new proposal extending the Prüm II Framework to selected non-EU Member States.
Expanding cooperation in law enforcement generally, and in the sharing of data, is a key part of the EU’s political and strategic agenda for supporting a “Strong and Secure Europe.” Action in this area is driven by the need to address increasingly transnational, digital, and organised crime, which requires cooperation both within the EU and with other partner states.
During its February meetings, the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) addressed a number of legislative proposals related to personal data and law enforcement cooperation.
The Committee approved the draft Agreement between the European Union and the Republic of Ecuador on cooperation between Europol and the Ecuadorian authorities competent to combat serious crime and terrorism. Cooperation between Europol and Ecuador already exists through a working arrangement agreed in October 2023. But this arrangement did not address the exchange of personal data, which the current draft covers, increasing operational cooperation and information sharing between Europol and Ecuador for countering serious crime. Ecuador is a key logistics hub for a range of transnational criminal activities so enhanced cooperation in the exchange of personal data between Europol and the Ecuadorian authorities is important for dismantling criminal networks. The LIBE Committee approved the draft agreement by roll-call vote, with 65 members in favour and 3 against. The draft Agreement will now be voted on by the European Parliament Plenary, scheduled for 11 March.
LIBE also received the reports of the rapporteur regarding two Passenger Name Record (PNR) agreements, one with Norway and one with Iceland. These agreements provide for the transfer of PNR data to prevent, detect, investigate and prosecute terrorist offences and serious crime. The agreements provide for clear rules on the processing, storage, use, and retention of PNR data, along with safeguards to ensure the data is used for specified purposes, retained only for limited periods, and protected against misuse or unauthorised access. The EDPS provided positive opinions about both agreements, concluding that they are compatible with the EU legal framework on data protection. All political groupings, with the exception of The Greens, are in favour of the agreements and the two PNR agreements will be subject to a full committee vote during the 18-19 March LIBE session, before moving on to approval by the Parliament.
LIBE also received a Commission presentation on the future development of the Prüm II Framework, extending cooperation to non-EU Member States. The Prüm II Framework is a legal and technical system designed to streamline the automated exchange of sensitive personal data between national law enforcement authorities to address serious crime and terrorism. The Prüm II Regulation ((EU) 2024/982) was formally adopted in early 2024, and the Commission is now examining the possibility of allowing other states to enter into the framework. The Commission presented its view on the importance of expanding information sharing for law enforcement in the context of cross-border crime. In this regard, it is essential to further law enforcement cooperation with immediate neighbours, candidate countries and other like-minded third countries. The Commission emphasised that cooperation under Prüm II is a two-way street, whereby potential new participants will be chosen not only on the basis that appropriate safeguards are in place, but also that any new countries to the Framework have important information to share with the EU in addressing serious crime. The Commission will be preparing the new proposal during 2026.
Finally, the LIBE hosted a public event on Empowering Police and Judicial Authorities: Towards More Effective and Lawful Data Access for Law Enforcement Purposes. The event had two panels examining the challenges to ensuring lawful access to data for law enforcement. The first panel consisted of perspectives from policy and operational considerations, and the second panel provided perspectives from civil society. Both panels addressed the need for enhanced access to digital evidence for law enforcement while maintaining strict data protection safeguards. Discussions highlighted the imperative to harmonise EU legal frameworks, balancing swift operational access to data with privacy rights, oversight, and the technical challenges of encryption.
03 March 2026
Discussions on the Digital Omnibus are advancing rapidly, but it is clear that they raise serious concerns for organisations crying out for reduced regulatory burden and more legal certainty.
The Council Presidency compromise discussed at the Antici Group (Simplification) on 27 February suggests a clear shift in how GDPR simplification may ultimately be delivered. Whilst an unofficial copy of the compromise text has become available, the discussion itself was not public. We can only assume for now that Member State positions have not yet been finalised at the technical level.
The most structurally significant change concerns how GDPR simplification is to be handled in practice. Whether the evolution of the text at the Council enhances operational efficiency or perpetuates further uncertainty is now the central question.
As an example, on the definition of personal data, the Commission proposed clarifying the concept of “identifiability” directly in Article 4 GDPR. The Presidency compromise text removes that in its entirety and instead places future clarification in the hands of the EDPB through supervisory instruments. Also, whilst several elements aimed at reducing the regulatory burden remain on the table, such as amending the breach notification threshold and EU-level DPIA harmonisation, the Presidency text removes any legal clarification by way of Commission implementing acts and instead gives sole responsibility to the EDPB for creating breach notification and DPIA templates.
So, no legal clarification, instead controllers must rely on more output from the EDPB, a body that tacitly acknowledges in its 2025 Helsinki Statement that its guidance in the past may have lacked clarity and practical usefulness.
Other proposed amendments to the legally binding parts of GDPR, such as the need for objective clarity on the ability of controllers to deal with abusive access requests, have also been considerably diluted in the compromise text. Missing the opportunity to develop a text which remains meaningful as a protector of fundamental rights but which also acknowledges the difficult burden and conflicting obligations placed on controllers, is regrettable.
All of this risks burdening controllers with more of the same, fragmented interpretation by multiple independent authorities rather than legal certainty. It is essential that simplification is not merely acknowledged as an objective but delivered in binding legislative text. Unfortunately, the Presidency approach, following on from the recent joint opinion of the EDPB/S, largely maintains the existing model, in which clarity depends on supervisory interpretation and guidance.
If the Omnibus is intended to reduce compliance burden through greater legal certainty, it must be more ambitious than the current Presidency compromise text. Otherwise, the reform risks preserving the very interpretative uncertainty it set out to address.
03 March, 2026
This update covers the GDPR amendments proposed in the simplification of the digital legislative framework – Digital Omnibus (2025/0360 (COD)).
The Council of the European Union, one of the two EU Co-legislators, and representative institution of the Member States, remains in a technical examination phase on the published legislative proposal.
Although a number of discussions have already taken place, including submission of initial written comments by the Member States, our information is that discussions to date have been limited to technical examination of the proposed GDPR simplification measures and no substantive positions have been adopted by the Member States.
The working party responsible for the negotiation, the Antici Group (Simplification), currently meets twice weekly but only discusses the GDPR simplification measure as part of its overall simplification agenda. The last GDPR discussions took place on 19 January, 2026, and the next one is likely to take place before the end of February.
The other co-legislator, the European Parliament, has been focused so far on the AI Act simplification proposal. As of early February, the GDPR proposal is only just entering into a substantive parliamentary work phase, with Committee work finally getting underway in recent weeks.
The responsible joint Committees will be Industry, Research and Energy (ITRA) and Civil Liberties, Justice and Home Affairs (LIBE), who are both currently engaged in the process of appointing rapporteurs.
Representatives of Privacy Next attended the meeting of LIBE on 26 January, 2026, at which the European Commission presented the proposal and answered questions from members of the Committee.
As part of our Next Generation Partnership programme, we will be tracking this very important legislative proposal and providing Partners with more detailed updates, analysis and information on how they can influence the process through collective engagement.
Detailed tracking information will be provided in our exclusive members area which we hope to roll out in Q2 this year.
Rond Point Schuman 6 | Box 5
1040 Brussels | Belgium
info@privacynext.eu
Copyrights © 2026 PrivacyNext.eu | Privacy Policy | Cookie Policy Webdesign & Development by ALYS
