In February 2026, the European Data Protection Board published its work programme for 2026–2027. The headline: making GDPR compliance easier. Five ready-to-use templates for organisations. Guidance on children’s data, AI, consent-or-pay models. A coordinated enforcement push on transparency obligations.
Read in isolation, it looks like a regulator building better tools. But read alongside the European Commission’s Digital Omnibus directive — published a year earlier, now moving through Parliament — and the picture changes. The Commission is not just simplifying compliance. It is proposing to remove obligations that the EDPB’s tools are designed to address.
This article examines both documents, what they change, where they contradict, and what the practical effect is for anyone whose personal data is processed in the European Union.
What the EDPB Work Programme Promises
The EDPB’s 2026–2027 programme is the second implementation cycle of its four-pillar strategy adopted in 2024. The most visible deliverables are five standardised compliance templates:
- Legitimate interest assessment — a structured form for the balancing test required under Article 6(1)(f)
- Records of processing activities — the documentation obligation under Article 30
- Privacy notice and policy — the information requirements under Articles 13 and 14
- Data breach notification — the 72-hour reporting obligation under Article 33
- Data protection impact assessment (DPIA) — the risk assessment required under Article 35
These templates are intended to reduce the cost and complexity of GDPR compliance, particularly for small and medium-sized enterprises that lack in-house legal teams. The programme also includes new guidance on anonymisation, pseudonymisation, children’s data, consent-or-pay models (the “pay or OK” cookie walls now common on news websites), and the processing of personal data for scientific research.
On enforcement, the EDPB plans a coordinated action across EU data protection authorities in 2026, focused on transparency — specifically whether organisations are meeting their obligations under Articles 12, 13, and 14 to clearly inform individuals about how their data is used.
Separately, the EDPB has announced joint guidelines on the interplay between the GDPR and the AI Act, and between the GDPR and the Digital Markets Act. It has also launched a market study into data brokers, with methodology and preliminary findings published in March 2026. For a practical overview of the operators identified in that study, see the EU data broker opt-out directory and our analysis of professional data broker removal in Europe.
On its own terms, the programme is substantive. But it assumes that the rules it is building tools for will remain intact.
What the Digital Omnibus Proposes to Change
The European Commission’s Omnibus I simplification package, published on 26 February 2025, proposes direct amendments to the GDPR as part of a broader competitiveness agenda. The stated aim is to reduce regulatory burden on European businesses. Several of its provisions directly affect individual data protection rights.
Legitimate Interest: From Balancing Test to Pre-Approved List
Under the current GDPR, any organisation relying on “legitimate interest” as its legal basis for processing personal data must conduct a balancing test — a documented assessment weighing the organisation’s interest against the rights and freedoms of the individual. This is not a formality. It is the mechanism that prevents a company from claiming, for example, that its commercial interest in profiling customers outweighs those customers’ right to privacy.
What “legitimate interest” means in practice: When a company processes your data, it needs a legal reason. The GDPR provides six. Consent is one. Legitimate interest is another — but it comes with a condition: the company must demonstrate that its interest does not override your fundamental rights. That assessment is the balancing test.
The Digital Omnibus proposes adding a new provision to Article 6(1)(f): a pre-approved list of legitimate interests that would no longer require this case-by-case assessment. The list includes:
- Direct marketing, including by third parties
- Fraud prevention and network security
- Data transfers within a corporate group for internal administration
- Reporting possible criminal acts or threats to public security
The inclusion of direct marketing is the most consequential change. Under the current framework, a company that wants to use your personal data for marketing purposes generally needs either your consent or must pass the balancing test and document why its interest outweighs yours. Under the proposed change, direct marketing would be a recognised legitimate interest by default. The company processes; you object — if you notice, if you know how, and if you act.
Raised Thresholds, Narrowed Obligations
The Omnibus also proposes raising the employee threshold for mandatory record-keeping from 250 to 500 employees. Organisations below that threshold would no longer need to maintain records of processing activities unless the processing involves high-risk data. Requirements for appointing a Data Protection Officer would be narrowed. Exemptions for processing personal data for scientific research would be broadened.
Each change individually is modest. Together, they reduce the surface area of GDPR compliance — and the number of organisations required to maintain the documentation that allows regulators and individuals to verify how data is being used.
The Structural Shift: Opt-In Toward Opt-Out
The cumulative effect of the Digital Omnibus proposals is a shift in where the burden of privacy protection sits.
Under the current GDPR architecture, the default is opt-in. An organisation must establish a lawful basis before processing personal data. It must document that basis. It must inform the individual. The burden of justification is on the organisation.
Under the proposed framework, for the listed legitimate interests, the default becomes opt-out. The organisation processes by default under a pre-approved legal basis. The individual retains the right to object under Article 21 — but must discover the processing is happening, understand they have a right to object, and actively exercise that right.
What “opt-in” and “opt-out” mean: In an opt-in system, nothing happens to your data until you say yes. In an opt-out system, everything happens to your data until you say stop. The difference is who has to act first — and the evidence consistently shows that most people never change the default.
This distinction matters because it determines the practical level of privacy protection regardless of what the law says on paper. A right to object that exists in legislation but is rarely exercised by individuals does not produce the same outcome as a requirement for prior consent.
What the Critics Say
The response from data protection authorities, civil society organisations, and consumer advocates has been broadly aligned.
The EDPB itself expressed serious concerns about the legitimate interest expansion, stating that a pre-approved list undermines the balancing test that is fundamental to GDPR’s architecture. EDPB Chair Anu Talus stated the proposals risk “lowering the level of data protection for individuals in the EU.” The Board also flagged a potential constitutional issue: the GDPR implements Articles 7 and 8 of the EU Charter of Fundamental Rights, which guarantee respect for private life and protection of personal data. Weakening GDPR protections could face challenge before the Court of Justice.
NOYB, the Vienna-based digital rights organisation led by Max Schrems, described the legitimate interest expansion as “GDPR deregulation dressed up as simplification.” European Digital Rights (EDRi) called the Omnibus a “Trojan horse” — arguing that SME-friendly language delivers changes primarily benefiting large platforms and advertising technology companies, which process data at the greatest scale. The European Consumer Organisation (BEUC) called the changes “a step backwards for consumer protection in Europe.”
The Dutch digital rights organisation Bits of Freedom specifically highlighted the direct marketing provision as problematic for Dutch consumers, given the Netherlands’ traditionally strong data protection culture.
The Omnibus is now in the ordinary legislative procedure. Given the level of opposition, significant amendments are expected during trilogue negotiations between the Parliament, Council, and Commission. The direct marketing legitimate interest provision is expected to be the most contested element.
The Channel Parallel: UK and EU Moving in the Same Direction
The United Kingdom, no longer bound by the GDPR since Brexit, has been pursuing its own data protection reform. The Data Protection and Digital Information Act (DPDI), which received Royal Assent in 2024, makes several changes to the UK’s data protection framework that parallel the EU Digital Omnibus — in some cases going further.
What “adequacy” means: After Brexit, the EU granted the UK an “adequacy decision” — a finding that UK data protection law provides an essentially equivalent level of protection to the GDPR. This allows personal data to flow freely from the EU to the UK without additional safeguards. If the UK weakens its protections too far, the European Commission can revoke that decision, which would disrupt data transfers for every organisation operating across both jurisdictions. The current adequacy decision is due for review in 2025.
| Area | Current GDPR | EU Digital Omnibus (proposed) | UK DPDI Act |
|---|---|---|---|
| Legitimate interest | Case-by-case balancing test | Pre-approved list (no balancing for listed interests) | Recognised legitimate interests list; reduced balancing obligations |
| Direct marketing | Consent generally required | Legitimate interest (opt-out) | Soft opt-in expanded; legitimate interest for marketing |
| DPO requirement | Mandatory for specified controllers | Narrowed scope | Replaced with “senior responsible individual” — less independence required |
| Record-keeping | Mandatory above 250 employees | Threshold raised to 500 | Relaxed for low-risk processing |
| Subject access requests | 30-day response, free of charge | Largely unchanged | Cost and refusal thresholds lowered |
| Research exemption | Narrow, safeguarded | Broadened | Broadened; reduced consent requirements |
| Automated decision-making | Right to human review (Art. 22) | Under review | Weakened; narrower definition of “solely automated” |
The pattern is consistent: both jurisdictions are expanding the circumstances under which personal data can be processed without consent, raising the thresholds at which compliance obligations apply, and shifting more responsibility to individuals to actively manage their own privacy.
Whether this represents convergence toward a shared model or independent responses to similar commercial pressures, the practical effect for individuals on both sides of the Channel is the same: more data processed by default, more effort required to object.
What the EDPB Work Programme Does Not Address
The EDPB’s 2026–2027 programme does not engage with the Digital Omnibus proposals. The work programme focuses on building compliance tools for the current GDPR framework — the legitimate interest assessment template, for example, is designed for the existing balancing test. If the Omnibus passes with the pre-approved list intact, that template becomes partially redundant for the listed interests.
The EDPB has responded to the Omnibus separately through its formal opinion process. But the work programme and the legislative reform operate on different tracks, and the work programme does not account for a scenario in which the rules it is building tools for are changed.
This creates an unusual situation: the regulator is investing in infrastructure for a framework, parts of which the legislature may be in the process of dismantling.
What This Means in Practice
For individuals, the combined effect of these developments depends on which version of the Digital Omnibus survives the legislative process. Under the current proposals:
- Direct marketing data processing would no longer require your consent in many cases. You would need to find and exercise your right to object — per company, per processing activity.
- Fewer organisations would be required to maintain the records that allow you (or a regulator) to verify what data they hold and why.
- Fewer organisations would be required to appoint a Data Protection Officer — the person you contact when exercising your rights.
- Research exemptions would be broader, meaning more of your data could be processed for purposes labelled as research without specific consent.
- Data brokers operating under the expanded legitimate interest basis would face a lower legal threshold for processing and sharing personal data.
For organisations, the EDPB work programme provides useful compliance infrastructure regardless of legislative changes. The templates, the AI Act interplay guidance, and the children’s data guidelines address real implementation gaps. But the strategic question is whether the compliance bar is being raised and standardised (the EDPB’s direction) or lowered and simplified (the Commission’s direction) — because you cannot do both simultaneously.
The EDPB’s data broker market study, published in March 2026, will be worth watching. If it finds systematic privacy harms in how brokers operate under the current legitimate interest framework, that creates a factual basis for opposing the Omnibus expansion — or, at minimum, for excluding data brokerage from the pre-approved list.
The Broader Pattern
The GDPR was designed around a principle: organisations that want to process personal data bear the burden of justifying that processing. The Digital Omnibus, in its current form, moves a meaningful share of that burden to individuals. The EDPB work programme does not change this trajectory — it operates within it.
Whether the final legislative text preserves the shift or amends it depends on the trilogue process now underway. What is already clear is that the direction of travel — in both the EU and the UK — is toward a framework where individuals must be more active, more informed, and more persistent to maintain the same level of privacy protection that the original GDPR was designed to provide by default.
If your organisation processes personal data in the EU, a Corporate Audit identifies where these regulatory shifts change your exposure.