preloader

· privacy gdpr regulation europe compliance

EDPS, Germany and Bavaria Host High-Level Brussels Debate Monday on What the EU Digital Omnibus Means for GDPR

Source: European Data Protection Supervisor

On Monday 8 June 2026, the European Data Protection Supervisor (EDPS), Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI), and Bavaria’s State Data Protection Commissioner (BayLfD) are hosting a high-level debate in Brussels titled “From Omnibus to Opportunity: Driving Data Protection and Innovation.” The event gathers representatives from the European Parliament, the Council of the EU, the European Commission, national data protection authorities, the private sector, academia, and civil society to work through what the EU Digital Omnibus proposals actually mean for GDPR and the broader EU digital regulatory architecture.

The debate arrives at a politically charged moment. The European Commission published its Digital Omnibus package earlier this year as part of a broader push to reduce administrative complexity across EU digital legislation. The proposals touch the GDPR, the ePrivacy Directive, the AI Act, and related measures simultaneously. The EDPB and EDPS issued a joint opinion in February 2026 supporting the general direction while raising specific concerns about legal certainty and the preservation of fundamental rights protections. Monday’s debate is where those concerns meet the political process.

What the Omnibus proposes to change

The changes most relevant to businesses operating in Europe cluster around three areas:

SME relief on records of processing activities. The GDPR’s Article 30 obligation to maintain Records of Processing Activities (ROPA) currently exempts organisations with fewer than 250 employees from most of the requirement. The Omnibus proposes lifting that threshold to fewer than 750 employees. Organisations that currently maintain full ROPA documentation because they exceed the 250-employee limit would face reduced obligations if the proposal passes.

Streamlined breach notification. Current breach notification requirements under Article 33 require supervisory authority notification within 72 hours where feasible, with a supplementary report if the initial notification is incomplete. The Omnibus proposes simplifying this process, though the specifics remain under negotiation and the 72-hour clock itself is not proposed for removal.

Universal consent signals. Websites would be required to accept and honour browser-level or device-level consent preference signals. This builds on enforcement actions like the French CNIL’s EUR 100 million fine against Google for making cookie rejection harder than acceptance and would standardise consent management across the single market. For organisations currently managing consent through cookie banners, this represents a significant change to the technical implementation of consent.

The AI Act interface

The Omnibus also proposes adjustments to how the GDPR and the AI Act interact for high-risk AI systems. The AI Act’s August 2026 compliance deadline for high-risk systems is unchanged. What the Omnibus addresses is the overlapping transparency and documentation obligations in the two frameworks, which in some cases require essentially the same information in different formats for different regulators. The proposals aim to allow a single documentation exercise to satisfy both frameworks.

For organisations preparing for August’s AI Act deadline, the Omnibus complicates planning: if the GDPR’s AI-related provisions change before or shortly after August 2026, documentation prepared to the current standard may need to be revised.

What to watch from Monday’s debate

The EDPB and EDPS have made clear they support simplification in principle while flagging concerns about specific provisions. Key questions that Monday’s debate is expected to address include how the proposals affect legal certainty, whether the GDPR’s current level of protection is maintained where SME relief is expanded, and how national data protection authorities will handle the transition period if and when the Omnibus passes.

Additionally, the EDPB’s 2026 Coordinated Enforcement Action is already running: its focus is on GDPR transparency obligations under Articles 12 to 14, precisely the provisions governing how organisations inform users about data processing. Enforcement is happening now under the current rules while reform is debated. EDPB Guidelines 1/2026 on scientific research and related processing are open for public consultation until 25 June 2026, another active process running in parallel.

What this means for your organisation

For businesses, the practical takeaway from Monday’s debate is timing. The Digital Omnibus is moving through the legislative process, but it has not passed. Compliance obligations under the current GDPR remain fully in force. Organisations that defer compliance work while waiting for the Omnibus to clarify requirements are taking on enforcement risk for a period that could last through 2027 or beyond if the proposals face significant legislative revision.

The more prudent position is to comply with the current framework, track the Omnibus proposals as they develop, and design compliance programmes that can absorb adjustments rather than ones that require complete rebuilds when the text is finally adopted.

If you want help understanding what the Digital Omnibus proposals mean for your organisation specifically, preparing for the August 2026 AI Act deadline, or reviewing your GDPR compliance posture ahead of the EDPB’s current coordinated enforcement on transparency, contact Excello Digital. We advise European businesses on navigating both current obligations and incoming regulatory change.

Back to news

We’ll help you resolve your infrastructure challenges

Our team of experts is ready to help you with your infrastructure challenges. We’ll give you honest and personal treatment. Get in touch to learn more.

Get in touch!