While the Digital Omnibus on AI has reached the finish line, the twin package affecting the GDPR and ePrivacy is still on its way, and carries the most delicate question: the amendment of the definition of personal data. In Joint Opinion 2/2026 of 10 February 2026, the EDPB and the EDPS open to simplification but draw a red line: they “strongly urge the co-legislators to not adopt the proposed changes”. Let us see why.
We dealt with the Digital Omnibus on the AI Act side. But the simplification package proposed by the Commission with COM(2025) 836 has a second front, touching the heart of European data-protection law: the GDPR, Regulation (EU) 2018/1725, the ePrivacy Directive and the Data Act, plus the repeal of several acts of the data acquis. On this front the European Data Protection Board and the European Data Protection Supervisor pronounced jointly, with Joint Opinion 2/2026, adopted on 10 February 2026. This seems the right place to examine its salient passages.
The red line: the definition of personal data
The opinion’s most severe point concerns the proposal to amend the definition of personal data. The two authorities observe that “the proposed amendment goes far beyond a targeted modification of the GDPR, a ‘technical amendment’ or a mere codification of CJEU jurisprudence” and that it “would also result in a more restrictive interpretation of the concept of personal data, limit the scope of application of the GDPR, and thus negatively affect the protection of the fundamental rights and freedoms of individuals while increasing legal uncertainty for organisations”. Hence the conclusion, of rare institutional sharpness: “the EDPB and the EDPS strongly urge the co-legislators to not adopt the proposed changes to the definition of personal data”. Analogous firmness on the connected theme of pseudonymisation regulated by implementing acts: “an implementing act as proposed could de facto affect the material scope of EU data protection law, effectively redefining the scope of when and for whom information is considered personal data”, whereas “it should be the competence of supervisory authorities, under the control of the competent courts, to apply the definitions of the GDPR in an independent manner”. In other words: the perimeter of the fundamental right is not redrawn by executive act.
The openings: where simplification convinces
The opinion is anything but a wholesale rejection; on the contrary, it records significant convergences that prefigure the law to come. On scientific research: “the EDPB and the EDPS welcome the Proposal’s aim of harmonising the notion of ‘scientific research’ […] as this can enhance legal certainty and help to support scientific research”, consistently with the EDPB’s Guidelines 1/2026. On data breaches: the authorities support raising the notification threshold to supervisory authorities, which “is not expected to substantially affect the level of protection for data subjects but would significantly reduce the administrative burden for controllers”, as well as extending the notification deadline “from 72 to 96 hours”. On the DPIA: the creation of a common template and methodology is welcomed, recalling that “the EDPB had already announced that it will draft such a template” — as duly happened with the DPIA template adopted in April 2026 — with the caveat that “the EDPB should be fully entrusted with both the preparation and approval of such documents”. On biometrics for authentication: favour for the new exemption “limited to situations where processing of biometric data is necessary for the purpose of confirming the claimed identity of a data subject (verification based on a one-to-one comparison)”, provided it is “restricted to cases where the biometric data or the means needed for the verification are under the sole control of the data subject”.
The ePrivacy front: cookie fatigue and terminal equipment
On the ePrivacy Directive, the authorities strongly support the aim of remedying banner proliferation: “the EDPB and the EDPS strongly support the aim of the Proposal to provide for a regulatory solution on consent fatigue and proliferation of cookie banners and to simplify the rules applicable to the protection of the terminal equipment of end-users”, also welcoming automated, machine-readable signals of the data subject’s choices. But with a structural reservation: “the proposed separation of the rules on access to and storage of information in terminal equipment over different legal instruments may lead to legal uncertainty”.
Conclusions
Joint Opinion 2/2026 clearly draws the line between two simplifications: the one that reduces burdens without touching the level of protection, welcomed, and the one that, under the guise of technical maintenance, redraws the scope of the fundamental right to data protection, firmly rejected. The legislative outcome will tell which of the two souls prevails; for controllers and processors, meanwhile, the message is not to anticipate adjustments on a still-moving text. In the light of the above, one wonders whether the co-legislators will heed the data-protection authorities’ warning: the distance between a simplification that lightens burdens and one that steps back on the level of protection runs, in the last analysis, through the integrity of that notion of personal data on which, for a decade, the entire edifice of the GDPR has rested.
