On 19 March, 2026, Commissioner Magnus Brunner appeared before the European Parliament’s LIBE Committee to discuss revising Europol’s mandate to address persistent gaps in cooperation and information-sharing.

The concern: Europe’s fragmented law enforcement framework is becoming a structural vulnerability, one that organised crime is increasingly exploiting.

The meeting highlighted the increasing sophistication of organised crime, particularly as criminal operations utilise digital technologies that transcend jurisdictional borders.

A key takeaway from the discussion was the urgent need for improved information exchange among EU Member States and between EU agencies like Europol, Eurojust, and EPPO. Currently, fragmented rules hamper cooperation, ultimately affecting security within the European Union. Closing the information gap is imperative for effective law enforcement and investigations into cross-border crimes.

Moreover, the importance of fostering international partnerships cannot be overstated. As emphasised by the Council of the European Union in the review of the Law Enforcement Directive, strengthening cooperation with third countries and international organisations is essential to combatting global crime effectively.

The proposed new Europol Regulation is due to be published in Q2 2026. The proposals for improving Europol’s operational effectiveness need to ensure security measures are undertaken while protecting citizens’ rights and civil liberties. Solid regulatory frameworks can empower Europol while ensuring respect for fundamental rights within criminal justice systems.

As ever, Privacy Next will be following developments and providing updates.

Discussions within the Council of the European Union on the GDPR-related elements of the Digital Omnibus have entered a quieter phase following the last exchange at the Antici Group (Simplification) on 27 February 2026. That meeting marked the first structured opportunity for Member States to react to the Presidency text on the Commission’s proposed adjustments to the General Data Protection Regulation (GDPR). Since then, the file has not returned to the agenda of the Antici Group (Simplification).

This pause is notable not because the Antici Group (Simplification) has been inactive—it continues to meet regularly on other Omnibus files—but because of the absence of any follow-up specifically on GDPR-related changes.

One key explanation lies in the decision, following the February meeting, to invite Member States to submit written comments on the proposed GDPR amendments by 18 March, 2026. This effectively positioned March as a period of written consultation rather than in-person negotiation. For a file of this sensitivity, such an approach is understandable. GDPR remains a cornerstone of the EU’s regulatory framework, and even targeted “simplification” measures can have wider implications for enforcement, accountability, and legal certainty. Written submissions allow delegations to articulate more carefully calibrated positions, including internal red lines, without the immediacy of negotiations.

At the same time, the reliance on written comments suggests that underlying divergences may be more pronounced than initially anticipated. While some Member States are likely supportive of reducing administrative burdens and clarifying obligations, particularly for smaller organisations, others remain cautious about any changes that could weaken established accountability mechanisms or introduce interpretative ambiguity. These tensions are not easily resolved and may explain why the Presidency has not yet reconvened the Antici Group (Simplification) to advance discussions.

The period since the deadline for written comments is therefore particularly telling. The absence of a prompt return to formal technical discussions may indicate that the written feedback revealed a broad spectrum of views, requiring further bilateral engagement before a collective exchange can be productive. In this sense, the current lull appears less a pause in substance than a phase of quieter political calibration behind the scenes.

Nonetheless, the gap carries implications. Procedurally, it reduces visibility for stakeholders attempting to track the Council’s position. Substantively, it risks slowing momentum on what were presented as targeted and technical adjustments. The longer discussions remain outside a structured forum, the greater the risk that positions harden rather than converge.

Looking ahead, there are early indications of when discussions may resume. Privacy Next understands, based on local sources, that the next meeting of the Antici Group (Simplification) could take place in late April, with 24 or 27 April mentioned as possible dates. If confirmed, this would provide the first opportunity to test how far Member States have moved following the written consultation phase and whether a path toward compromise is emerging.

Until then, the extended gap since 27 February stands out. While partly explained by the shift to written input, it also underscores the political sensitivity of even limited changes to GDPR, and the challenges the Council faces in translating a simplification agenda into concrete progress.


This year is set to be pivotal for the EU’s agenda on law enforcement cooperation and data privacy. There are numerous reviews of existing legislation, and potentially new legislative proposals, on law enforcement cooperation and data flows. 

The second review report on the Law Enforcement Directive is due 6 May 2026. The evaluation report and possible legislative proposal for the Europol Regulation are expected before July, 2026. The Commission is also preparing a legislative proposal for a revised Eurojust Regulation later in 2026. Also, before the end of 2026, the Commission is expected to deliver a new proposal extending the Prüm II Framework to selected non-EU Member States.

Expanding cooperation in law enforcement generally, and in the sharing of data, is a key part of the EU’s political and strategic agenda for supporting a “Strong and Secure Europe.” Action in this area is driven by the need to address increasingly transnational, digital, and organised crime, which requires cooperation both within the EU and with other partner states.

During its February meetings, the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) addressed a number of legislative proposals related to personal data and law enforcement cooperation. 

The Committee approved the draft Agreement between the European Union and the Republic of Ecuador on cooperation between Europol and the Ecuadorian authorities competent to combat serious crime and terrorism. Cooperation between Europol and Ecuador already exists through a working arrangement agreed in October 2023. But this arrangement did not address the exchange of personal data, which the current draft covers, increasing operational cooperation and information sharing between Europol and Ecuador for countering serious crime. Ecuador is a key logistics hub for a range of transnational criminal activities, so enhanced cooperation in the exchange of personal data between Europol and the Ecuadorian authorities is important for dismantling criminal networks. The LIBE Committee approved the draft agreement by roll-call vote, with 65 members in favour and 3 against. The draft Agreement will now be voted on by the European Parliament Plenary, scheduled for 11 March.

LIBE also received the reports of the rapporteur regarding two Passenger Name Record (PNR) agreements, one with Norway and one with Iceland. These agreements provide for the transfer of PNR data to prevent, detect, investigate and prosecute terrorist offences and serious crime. The agreements provide for clear rules on the processing, storage, use, and retention of PNR data, along with safeguards to ensure the data is used for specified purposes, retained only for limited periods, and protected against misuse or unauthorised access. The EDPS provided positive opinions about both agreements, concluding that they are compatible with the EU legal framework on data protection. All political groupings, with the exception of The Greens, are in favour of the agreements and the two PNR agreements will be subject to a full committee vote during the 18-19 March LIBE session, before moving on to approval by the Parliament.

LIBE also received a Commission presentation on the future development of the Prüm II Framework, extending cooperation to non-EU Member States. The Prüm II Framework is a legal and technical system designed to streamline the automated exchange of sensitive personal data between national law enforcement authorities to address serious crime and terrorism. The Prüm II Regulation ((EU) 2024/982) was formally adopted in early 2024, and the Commission is now examining the possibility of allowing other states to enter into the framework. The Commission presented its view on the importance of expanding information sharing for law enforcement in the context of cross-border crime. In this regard, it is essential to further law enforcement cooperation with immediate neighbours, candidate countries and other like-minded third countries. The Commission emphasised that cooperation under Prüm II is a two-way street, whereby potential new participants will be chosen not only on the basis that appropriate safeguards are in place, but also that any new countries to the Framework have important information to share with the EU in addressing serious crime. The Commission will be preparing the new proposal during 2026.

Finally, LIBE hosted a public event on Empowering Police and Judicial Authorities: Towards More Effective and Lawful Data Access for Law Enforcement Purposes. The event had two panels examining the challenges to ensuring lawful access to data for law enforcement. The first panel consisted of perspectives from policy and operational considerations, and the second panel provided perspectives from civil society. Both panels addressed the need for enhanced access to digital evidence for law enforcement while maintaining strict data protection safeguards. Discussions highlighted the imperative to harmonise EU legal frameworks, balancing swift operational access to data with privacy rights, oversight, and the technical challenges of encryption.

03 March 2026

Discussions on the Digital Omnibus are advancing rapidly, but it is clear that they raise serious concerns for organisations crying out for reduced regulatory burden and more legal certainty.

The Council Presidency compromise discussed at the Antici Group (Simplification) on 27 February suggests a clear shift in how GDPR simplification may ultimately be delivered. Whilst an unofficial copy of the compromise text has become available, the discussion itself was not public. We can only assume for now that Member State positions have not yet been finalised at the technical level.

The most structurally significant change concerns how GDPR simplification is to be handled in practice. Whether the evolution of the text at the Council enhances operational efficiency or perpetuates further uncertainty is now the central question.

As an example, on the definition of personal data, the Commission proposed clarifying the concept of “identifiability” directly in Article 4 GDPR. The Presidency compromise text removes that in its entirety and instead places future clarification in the hands of the EDPB through supervisory instruments. Also, whilst several elements aimed at reducing the regulatory burden remain on the table, such as amending the breach notification threshold and EU-level DPIA harmonisation, the Presidency text removes any legal clarification by way of Commission implementing acts and instead gives sole responsibility to the EDPB for creating breach notification and DPIA templates.

So, no legal clarification; instead, controllers must rely on more output from the EDPB, a body that tacitly acknowledges in its 2025 Helsinki Statement that its guidance in the past may have lacked clarity and practical usefulness.

Other proposed amendments to the legally binding parts of GDPR, such as the need for objective clarity on the ability of controllers to deal with abusive access requests, have also been considerably diluted in the compromise text. Missing the opportunity to develop a text which remains meaningful as a protector of fundamental rights but which also acknowledges the difficult burden and conflicting obligations placed on controllers is regrettable.

All of this risks burdening controllers with more of the same: fragmented interpretation by multiple independent authorities rather than legal certainty. It is essential that simplification is not merely acknowledged as an objective but delivered in binding legislative text. Unfortunately, the Presidency approach, following on from the recent joint opinion of the EDPB/S, largely maintains the existing model, in which clarity depends on supervisory interpretation and guidance.

If the Omnibus is intended to reduce compliance burden through greater legal certainty, it must be more ambitious than the current Presidency compromise text. Otherwise, the reform risks preserving the very interpretative uncertainty it set out to address.

03 March, 2026

This update covers the GDPR amendments proposed in the simplification of the digital legislative framework – Digital Omnibus (2025/0360 (COD)).

Negotiations at The Council

The Council of the European Union, one of the two EU Co-legislators, and representative institution of the Member States, remains in a technical examination phase on the published legislative proposal.

Although a number of discussions have already taken place, including submission of initial written comments by the Member States, our information is that discussions to date have been limited to technical examination of the proposed GDPR simplification measures and no substantive positions have been adopted by the Member States.

The working party responsible for the negotiation, the Antici Group (Simplification), currently meets twice weekly but only discusses the GDPR simplification measure as part of its overall simplification agenda. The last GDPR discussions took place on 19 January, 2026, and the next one is likely to take place before the end of February.

Negotiations at the European Parliament

The other co-legislator, the European Parliament, has been focused so far on the AI Act simplification proposal. As of early February, the GDPR proposal is only just entering into a substantive parliamentary work phase, with Committee work finally getting underway in recent weeks.

The responsible joint Committees will be Industry, Research and Energy (ITRE) and Civil Liberties, Justice and Home Affairs (LIBE), who are both currently engaged in the process of appointing rapporteurs.

Representatives of Privacy Next attended the meeting of LIBE on 26 January, 2026, at which the European Commission presented the proposal and answered questions from members of the Committee.

Further regular updates by Privacy Next

As part of our Next Generation Partnership programme, we will be tracking this very important legislative proposal and providing Partners with more detailed updates, analysis and information on how they can influence the process through collective engagement.

Detailed tracking information will be provided in our exclusive members area which we hope to roll out in Q2 this year.