As the European Union pushes forward with efforts to streamline its sprawling digital regulatory framework, the European Data Protection Board (EDPB) is set to convene its 112th plenary meeting on December 2-3, scrutinizing proposed amendments to the General Data Protection Regulation (GDPR) under the freshly unveiled Digital Omnibus package. The two-day gathering in Brussels comes just weeks after the European Commission tabled the initiative on November 19, aiming to slash bureaucratic burdens and enhance competitiveness in the bloc’s tech sector.
The Omnibus proposal, formally known as the Regulation on the Simplification of the Digital Acquis, targets a constellation of EU laws including the GDPR, the AI Act, the Data Act, and ePrivacy rules. At its core, the package seeks “immediate relief” for businesses by clarifying ambiguities and reducing compliance costs, with estimated savings in the billions of euros annually. For the GDPR specifically, key tweaks include easing record-keeping obligations under Article 30—exempting micro-enterprises and low-risk processors from exhaustive documentation—and refining the definition of “personal data” to exclude certain anonymized information from its scope. These changes, welcomed by the EDPB and the European Data Protection Supervisor (EDPS) earlier this year, reflect a broader drive to harmonize digital legislation without diluting privacy safeguards.
The EDPB’s agenda, circulated ahead of the meeting, underscores the board’s role as a guardian of GDPR enforcement. On the adoption docket for December 2 are several Article 64(1) opinions on draft decisions from national data protection authorities (DPAs), focusing on Binding Corporate Rules (BCRs) for multinational data transfers. These include reviews of BCRs for Controller (BCR-C) and Processor (BCR-P) frameworks submitted by tech giants Illumina and CSG, as well as engineering firm Arcadis. Additionally, the board will greenlight certification criteria for the “C.E.C.L.” mechanism, a tool for standardizing data protection compliance across borders.
Discussions will pivot toward the Omnibus on day two, with a dedicated session on the proposal’s “simplification of the digital acquis, including proposed amendments to the GDPR.” A follow-up item calls for the EDPB’s “contribution to the scheduled Omnibus package regarding possible further changes to the GDPR,” signaling potential refinements or pushback from the privacy watchdog. This comes amid ongoing harmonization efforts, including a recent joint statement with the Commission on touchpoints between the Digital Markets Act (DMA) and GDPR, endorsed in October.
Other highlights include implementing the “Helsinki Statement” for better EDPB operations—updating best practices for plenary meetings, guidance drafting, and public consultations—and recommendations on legal bases for mandating user accounts on e-commerce sites. Organizational matters, such as electing a new Deputy Chair, will also feature prominently, alongside updates on joint guidelines for the AI Act’s interplay with data protection law.
Stakeholders are watching closely. Privacy advocates praise the Omnibus for targeted relief but caution against overreach that could erode user rights, while industry groups like tech associations hail it as a “first step” toward a more agile EU rulebook. The EDPB’s input could shape the package’s trajectory through the European Parliament and Council, where debates on balancing innovation and protection are expected to intensify.
As the meeting unfolds, it arrives at a inflection point for Europe’s digital future: just days after the Commission’s launch, the EDPB’s deliberations could either accelerate or recalibrate the Omnibus’s GDPR reforms. Outcomes are anticipated in the coming weeks, with the board’s opinions carrying significant weight in cross-border enforcement.
